1a41a5bf751fd2deb7cf46b231e45843adc5f036149979de847c053177be2eb8

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swiftcopy.exe
Size

226KB
MD5

403a0ec6b998f324dda677547ac8ec79
SHA1

2e9fcc41db347d053ec58de6881527a9f529edef
SHA256

7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f
SHA512

0608941d064e2e3121ee4a02dba4f486ba7c997b14405b2e6d63102566bb65fbc242bb25ef424b5f1ddf07e7bc7e8226b916a00e85fc6d8d2408e966cbeb891b
SSDEEP

3072:qyiLF8DnmJpNG/f90oL1yq8ogAQLxLmqjPXrxgUuUj14xy9WmfvuuWlAqXJeDg+P:qGV/l0oL1TToMqTVgfUs8efDJe81aL9f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rcviyqs.exe

pid process

1284 rcviyqs.exe
Loads dropped DLL 2 IoCs

Processes:

swiftcopy.exercviyqs.exe

pid process

1784 swiftcopy.exe
1284 rcviyqs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1284	rcviyqs.exe

pid	process
1784	swiftcopy.exe
1284	rcviyqs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

swiftcopy.exercviyqs.exe

description	pid	process	target process
PID 1784 wrote to memory of 1284	1784	swiftcopy.exe	rcviyqs.exe
PID 1784 wrote to memory of 1284	1784	swiftcopy.exe	rcviyqs.exe
PID 1784 wrote to memory of 1284	1784	swiftcopy.exe	rcviyqs.exe
PID 1784 wrote to memory of 1284	1784	swiftcopy.exe	rcviyqs.exe
PID 1284 wrote to memory of 1336	1284	rcviyqs.exe	rcviyqs.exe
PID 1284 wrote to memory of 1336	1284	rcviyqs.exe	rcviyqs.exe
PID 1284 wrote to memory of 1336	1284	rcviyqs.exe	rcviyqs.exe
PID 1284 wrote to memory of 1336	1284	rcviyqs.exe	rcviyqs.exe

C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe
"C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
3⤵
PID:1336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ywlrkxvvx812p0hw00x
Filesize
163KB

MD5
4ed69a3c1f8ab690c2a2dca2afc8dded

SHA1
e39266fec1bb13a856a02f63a94ad0cbb5835379

SHA256
5ad0d54e33047f593130a63ba5b4d045b843de968c2ab09b3eab4b648b362901

SHA512
6d8a1f0b90e37f2bac77c07802c78524a26a9ac224f86ae6a06f6feef4b80752ae42eca728a8f0bdeb5a2b108c545f998f31d1ed0bd05176e6f94de88980cb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdjjwjv
Filesize
5KB

MD5
f6fed7693ed7d2d12d67639bcc14bc81

SHA1
c102b969911458ab547ff88a2f6bed088306621b

SHA256
60471f688a14618266cc6e77046711aad55d1679fea88170fd9250e1c24b59fc

SHA512
911c596347be043945d2670d7b66bd3d5a3885fe068c8cd19c5f5ed110d942630d91d992147f5fc9482043ab913ffcee29b9a83573dde8330ddb702ef3e50294

Download Submit
\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
memory/1284-56-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download