27bce6bacf88feeacfd6067426c1eff4258d3a2ac3a1105dd6a1c93f65485d5c | Triage

Analysis

max time kernel
1049s
max time network
908s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-02-2023 16:38

Sharing

Report Analysis Logs

General

Target

Swift.exe
Size

64KB
MD5

c3dda199739ccc5699ea98f22eb1d0ba
SHA1

8ca42b38a4df27fbd18b060092009b1092f79932
SHA256

8cd3a69637a14aeb7a0db8c47a197e8cdee48d1c995b8ea848449b1f206a8d24
SHA512

828ebcaa0b8d7fbcb50768669921980ae389582ef25ea643541fa89a60d9c34639e170cc80eb378c56028b4ef1229141faa93f896b3c724f963139266c7c0dca
SSDEEP

768:M4OE/9oA9EfutLtTP44IuAgpjELM40LO6dusn04el:BOe9oA9EfKP4yFp+M40ymuL3l

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	1952	WerFault.exe	14

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1064	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	taskmgr.exe
Token: SeSecurityPrivilege	1064	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1064	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe
1064	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1908	1952	Swift.exe	28
PID 1952 wrote to memory of 1908	1952	Swift.exe	28
PID 1952 wrote to memory of 1908	1952	Swift.exe	28

C:\Users\Admin\AppData\Local\Temp\Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Swift.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1952 -s 728
  2⤵
  - Program crash
  PID:1908

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-56-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1064-57-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1908-55-0x0000000000000000-mapping.dmp

Download
memory/1952-54-0x00000000012A0000-0x00000000012B4000-memory.dmp

Filesize
80KB

Download