Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/04/2023, 21:52
Behavioral task: behavioral1
- Sample: Swiftfn.exe
- Resource: win7-20230220-en
General
- Target: Swiftfn.exe
- Size: 47KB
- MD5: 25d7952b3e8c9f0872ecf4f099cea1a2
- SHA1: 976e307d3fc015452e70acd29ebddef0d8823fac
- SHA256: 7fb468df5b46d1eb0f26e737c515a5a10794b84c9193628efb71c9c32fe8edc1
- SHA512: f81102833efd450be231d238f3065cf3d5cb9ae6c60f0a4e6b057ffd4c78a2767b0fd8aff54e0bb08ebdf5b5da293f622e68c4874776f0fa25adfd639ca4f3eb
- SSDEEP: 768:sJCO9ILoeck+riPUl5kJN/QisVF8YbWgTgDaJivEgK/JDqVc6KN:sJ588kqFzbJga4nkJDqVclN
Malware Config
Extracted family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: dom45x.duckdns.org:62180
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: Runtime Broker.exe
- install_folder: %AppData%
Signatures

- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1820-133-0x0000000000850000-0x0000000000862000-memory.dmp | asyncrat
  behavioral2/files/0x0008000000021639-141.dat | asyncrat
  behavioral2/files/0x0008000000021639-142.dat | asyncrat

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | Swiftfn.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  4452 | Runtime Broker.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2240 | schtasks.exe

- Delays execution with timeout.exe (1 IoC)
  pid | Process
  1460 | timeout.exe
- Modifies system certificate store (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E | Runtime Broker.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E\Blob = (certificate blob omitted) | Runtime Broker.exe
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid | Process
  1820 | Swiftfn.exe (repeated entries)
  4212 | taskmgr.exe (repeated entries)
  (38 entries in total, all for these two processes)

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1820 | Swiftfn.exe
  Token: SeDebugPrivilege | 4452 | Runtime Broker.exe
  Token: SeDebugPrivilege | 4212 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4212 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4212 | taskmgr.exe
  Token: 33 | 4212 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4212 | taskmgr.exe

- Suspicious use of FindShellTrayWindow (42 IoCs)
  pid | Process
  4212 | taskmgr.exe (42 identical entries)

- Suspicious use of SendNotifyMessage (41 IoCs)
  pid | Process
  4212 | taskmgr.exe (41 identical entries)

- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1820 wrote to memory of 3944 | 1820 | Swiftfn.exe | 85 (listed twice)
  PID 1820 wrote to memory of 228 | 1820 | Swiftfn.exe | 87 (listed twice)
  PID 228 wrote to memory of 1460 | 228 | cmd.exe | 89 (listed twice)
  PID 3944 wrote to memory of 2240 | 3944 | cmd.exe | 90 (listed twice)
  PID 228 wrote to memory of 4452 | 228 | cmd.exe | 91 (listed twice)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Swiftfn.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Swiftfn.exe"
  PID: 1820
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
    PID: 3944
    signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
      PID: 2240
      signatures: Creates scheduled task(s)

  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDDE1.tmp.bat""
    PID: 228
    signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 1460
      signatures: Delays execution with timeout.exe

    - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      PID: 4452
      signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4212
  signatures: Checks SCSI registry key(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 158B
  MD5: 790a6381e2ecbda785cbd8c83e2c6ac3
  SHA1: 81520165554b05e4b57a7361e62726795d891019
  SHA256: 2c9a846d04fefaeaa6cc26498514b2594f299b33e617b4a385a37453c7092015
  SHA512: 4be5d4b1ea824d998c725ca683a68f4ad479b0d00cd543385b077649ea9a4e8a8b4bddb20da2db6caf3d56ce9000996f5cb4476e7ea4e01c4559b4082f5b2007

- Filesize: 47KB (this entry is listed twice in the report; the hashes match the submitted Swiftfn.exe)
  MD5: 25d7952b3e8c9f0872ecf4f099cea1a2
  SHA1: 976e307d3fc015452e70acd29ebddef0d8823fac
  SHA256: 7fb468df5b46d1eb0f26e737c515a5a10794b84c9193628efb71c9c32fe8edc1
  SHA512: f81102833efd450be231d238f3065cf3d5cb9ae6c60f0a4e6b057ffd4c78a2767b0fd8aff54e0bb08ebdf5b5da293f622e68c4874776f0fa25adfd639ca4f3eb