d8df70587d4b8949c88b3eb4324a66ac4b5b8ce9ea8e236c599431263069aa85

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Copy.exe
Size

273KB
MD5

f30ceb259770f1610b1a260eb8ace7fb
SHA1

52acc659712baef11861eb17c3426f4868d4a4a5
SHA256

d8df70587d4b8949c88b3eb4324a66ac4b5b8ce9ea8e236c599431263069aa85
SHA512

cb646f2675c17cb95b9efa74a8bf09ccf9f8aa0e331e0736f44cbbd1f28691016d72f0737dcc2bf1bc47fd25953827cbe5ca187858ea05f7a45639f2df75e9ee
SSDEEP

6144:/Ya6F9TqqF+fVNjLnpSqTSE6JdgdehxYwSbZOPPYBkgom:/YX9TqC+tZL7TSE0dEQxYweOHIlom

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	Swift Copy.exe

Loads dropped DLL 1 IoCs

pid	Process
4764	Swift Copy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 4380	4764	Swift Copy.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe
4380	Swift Copy.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4764	Swift Copy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	Swift Copy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4380	4764	Swift Copy.exe	86
PID 4764 wrote to memory of 4380	4764	Swift Copy.exe	86
PID 4764 wrote to memory of 4380	4764	Swift Copy.exe	86
PID 4764 wrote to memory of 4380	4764	Swift Copy.exe	86

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi6738.tmp\utcogk.dll

Filesize
51KB

MD5
ade60ad2cebc621e4ad93f4eb172c8db

SHA1
0a3e28acab7b2547fe4834ed6e397b0e61a4b3a7

SHA256
ff5e7277eda02b2d45a1a5523991db5bdb121a515e5bd8bd50e00ffb451c6ae5

SHA512
3cf9a29241375f83a72a1ecd64706ba3ba7099aa38e4d2723b005da5194b215a76703fb152970c8a59ce4327cf64e2ff8d8d14efa0b0dc6758ca95ed345c02f2

Download Submit
memory/4380-140-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4380-142-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4380-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4380-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4380-145-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download
memory/4380-146-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-139-0x00000000749B0000-0x00000000749C2000-memory.dmp

Filesize
72KB

Download
memory/4764-141-0x00000000749B0000-0x00000000749C2000-memory.dmp

Filesize
72KB

Download