Overview

overview

10

Static

static

SWIFT REF.exe

windows7-x64

10

SWIFT REF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT REF.exe

  • Size

    1.1MB

  • MD5

    cb9bc8e2f918725b9d28925aa42cba1e

  • SHA1

    fedbd5f39e13a4dffe8b4d1e36d3c50bdf9f433b

  • SHA256

    f3a184f74b8326b79d5f99aa2a412b18fa50f89b55017f852b4e74713342eae2

  • SHA512

    8dea90cc898a04cb50b0760281e160838e35fc9ca22734ea66f0b2308bdecea6891eb278b47c6bbf3a35f0896ae86dfcb6467a3247f48afe3d9fb828275479bd

  • SSDEEP

    24576:REAojIr4A11gcBQqcsrF6NCg0fJACQU4I6bB589j:KAoMr4A115S5u6NT0fJAC14I6bQ

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT REF.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT REF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\urrHTfW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urrHTfW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4476
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:3844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Modifies system executable filetype association
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          PID:4504

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Change Default File Association

    1
    T1042

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp
      Filesize

      1KB

      MD5

      8503c2a700ed9c0ec17ea36cfbbc783f

      SHA1

      e9da4a55e5c723f7c6551efed2fb9d43e7113886

      SHA256

      1c227cfb909819d3486d50fcdd560083a7261efd0aad54a19ce5cc24e7b5b047

      SHA512

      1b60883c8729b147ef5d436bf61f2560d1936ae5266a663696a81265532664f046a66f57739f468a8f7ad3eb06c90fd0c8ac1884ebd69326a16d2a9b846b7e11

      Download Submit
    • C:\Users\Admin\AppData\Roaming\urrHTfW.exe
      Filesize

      1.1MB

      MD5

      cb9bc8e2f918725b9d28925aa42cba1e

      SHA1

      fedbd5f39e13a4dffe8b4d1e36d3c50bdf9f433b

      SHA256

      f3a184f74b8326b79d5f99aa2a412b18fa50f89b55017f852b4e74713342eae2

      SHA512

      8dea90cc898a04cb50b0760281e160838e35fc9ca22734ea66f0b2308bdecea6891eb278b47c6bbf3a35f0896ae86dfcb6467a3247f48afe3d9fb828275479bd

      Download Submit
    • memory/1016-148-0x0000000006710000-0x000000000672E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1016-143-0x00000000058A0000-0x0000000005EC8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1016-158-0x0000000007D30000-0x0000000007D38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1016-150-0x0000000070AC0000-0x0000000070B0C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1016-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1016-157-0x0000000007D50000-0x0000000007D6A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1016-140-0x0000000002E00000-0x0000000002E36000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1016-151-0x0000000006C90000-0x0000000006CAE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1016-156-0x0000000007C40000-0x0000000007C4E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1016-147-0x0000000006120000-0x0000000006186000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1016-155-0x0000000007C90000-0x0000000007D26000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1016-145-0x0000000005730000-0x0000000005752000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1016-146-0x0000000006040000-0x00000000060A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1016-152-0x0000000008060000-0x00000000086DA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1016-154-0x0000000007A80000-0x0000000007A8A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1016-149-0x0000000006CF0000-0x0000000006D22000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1016-153-0x0000000007A10000-0x0000000007A2A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1972-134-0x00000000051C0000-0x0000000005252000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1972-136-0x0000000005280000-0x000000000528A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1972-137-0x0000000007FD0000-0x000000000806C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1972-132-0x0000000000710000-0x0000000000822000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1972-135-0x0000000005570000-0x0000000005716000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1972-133-0x0000000005880000-0x0000000005E24000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3844-159-0x0000000000000000-mapping.dmp
      Download
    • memory/4176-144-0x0000000000400000-0x00000000004C4000-memory.dmp
      Filesize

      784KB

      Download
    • memory/4176-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4476-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4504-160-0x0000000000000000-mapping.dmp
      Download
    • memory/4504-161-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4504-162-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4504-163-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4504-164-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4504-166-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download