Analysis
- max time kernel: 1799s
- max time network: 1803s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/04/2023, 21:56
Behavioral task: behavioral1
- Sample: Swiftfn.exe
- Resource: win10-20230220-en
Behavioral task: behavioral2
- Sample: Swiftfn.exe
- Resource: win7-20230220-en
General
- Target: Swiftfn.exe
- Size: 47KB
- MD5: 25d7952b3e8c9f0872ecf4f099cea1a2
- SHA1: 976e307d3fc015452e70acd29ebddef0d8823fac
- SHA256: 7fb468df5b46d1eb0f26e737c515a5a10794b84c9193628efb71c9c32fe8edc1
- SHA512: f81102833efd450be231d238f3065cf3d5cb9ae6c60f0a4e6b057ffd4c78a2767b0fd8aff54e0bb08ebdf5b5da293f622e68c4874776f0fa25adfd639ca4f3eb
- SSDEEP: 768:sJCO9ILoeck+riPUl5kJN/QisVF8YbWgTgDaJivEgK/JDqVc6KN:sJ588kqFzbJga4nkJDqVclN
Malware Config
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: dom45x.duckdns.org:62180
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: Runtime Broker.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral3/memory/4644-133-0x0000000000A60000-0x0000000000A72000-memory.dmp | asyncrat
  behavioral3/files/0x0003000000000729-141.dat | asyncrat
  behavioral3/files/0x0003000000000729-142.dat | asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | Swiftfn.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3516 | Runtime Broker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1692 | schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  2044 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  4644 | Swiftfn.exe (the same pid/process pair is listed for all 23 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4644 | Swiftfn.exe
  Token: SeDebugPrivilege | 3516 | Runtime Broker.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4644 wrote to memory of 3344 | 4644 | Swiftfn.exe | 84
  PID 4644 wrote to memory of 3344 | 4644 | Swiftfn.exe | 84
  PID 4644 wrote to memory of 4780 | 4644 | Swiftfn.exe | 86
  PID 4644 wrote to memory of 4780 | 4644 | Swiftfn.exe | 86
  PID 3344 wrote to memory of 1692 | 3344 | cmd.exe | 88
  PID 3344 wrote to memory of 1692 | 3344 | cmd.exe | 88
  PID 4780 wrote to memory of 2044 | 4780 | cmd.exe | 89
  PID 4780 wrote to memory of 2044 | 4780 | cmd.exe | 89
  PID 4780 wrote to memory of 3516 | 4780 | cmd.exe | 90
  PID 4780 wrote to memory of 3516 | 4780 | cmd.exe | 90
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process: C:\Users\Admin\AppData\Local\Temp\Swiftfn.exe (PID 4644)
Command line: "C:\Users\Admin\AppData\Local\Temp\Swiftfn.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  Child process: C:\Windows\System32\cmd.exe (PID 3344)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
  - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\system32\schtasks.exe (PID 1692)
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
    - Creates scheduled task(s)
  Child process: C:\Windows\system32\cmd.exe (PID 4780)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93C9.tmp.bat""
  - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\system32\timeout.exe (PID 2044)
    Command line: timeout 3
    - Delays execution with timeout.exe
    Child process: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe (PID 3516)
    Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 158B
  MD5: 30d29a897c96ae8e74b716f338af59d3
  SHA1: 90f1e28173c267a6467d6712cb27e0dfdbffbf18
  SHA256: 8f66e0f5d39d0d88efbf9d3063ce2348baf9b6339fbef52be56e9601ed989051
  SHA512: d8fd19b771a86b79bd86bf0bddce4387cf1ac740448bdf8d9fef8a099eb79f18c6229a4e2dc788ffe2d851c202a89338f7a7dcafcf9ce0e66c2bf6176550c332
- Filesize: 47KB
  MD5: 25d7952b3e8c9f0872ecf4f099cea1a2
  SHA1: 976e307d3fc015452e70acd29ebddef0d8823fac
  SHA256: 7fb468df5b46d1eb0f26e737c515a5a10794b84c9193628efb71c9c32fe8edc1
  SHA512: f81102833efd450be231d238f3065cf3d5cb9ae6c60f0a4e6b057ffd4c78a2767b0fd8aff54e0bb08ebdf5b5da293f622e68c4874776f0fa25adfd639ca4f3eb
- Filesize: 47KB
  MD5: 25d7952b3e8c9f0872ecf4f099cea1a2
  SHA1: 976e307d3fc015452e70acd29ebddef0d8823fac
  SHA256: 7fb468df5b46d1eb0f26e737c515a5a10794b84c9193628efb71c9c32fe8edc1
  SHA512: f81102833efd450be231d238f3065cf3d5cb9ae6c60f0a4e6b057ffd4c78a2767b0fd8aff54e0bb08ebdf5b5da293f622e68c4874776f0fa25adfd639ca4f3eb