Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2023, 02:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: Swift TT Copy pdf.exe
- Resource: win7-20230712-en
General
- Target: Swift TT Copy pdf.exe
- Size: 274KB
- MD5: becff9b703669062005159bd35dc315d
- SHA1: 042b87bb8d7f28e363a6f3de67d37b0cd4fdd1b9
- SHA256: 91407535cc5852ecae7889b9f034920694c733c9e47f89d08a470e32b9d31e13
- SHA512: b68c24cd100e8b9a7c3972a22b13da4b75305cc433b4a083a4762228795f257b0a769497dde755f828bd53416b0d1ba93bfd5182922ff57ff7cf16e57f5c4cb4
- SSDEEP: 6144:PYa6x92BX0wKPBAfBiyrTOfYJVL2hTRiZQd:PYj9S0RPYHrbVL2h/d
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: sn26
- Domains (65):
resenha10.bet
gulshan-rajput.com
xbus.tech
z813my.cfd
wlxzjlny.cfd
auntengotiempo.com
canada-reservation.com
thegiftcompany.shop
esthersilveirapropiedades.com
1wapws.top
ymjblnvo.cfd
termokimik.net
kushiro-artist-school.com
bmmboo.com
caceresconstructionservices.com
kentuckywalkabout.com
bringyourcart.com
miamiwinetour.com
bobcatsocial.site
thirdmind.network
4tbbwa.com
rhinosecurellc.net
rdparadise.com
radpm.xyz
thewhiteorchidspa.com
clhynfco.cfd
ngohcvja.cfd
woodennickelcandles.com
gg18rb.cfd
qcdrxwr.cfd
974dp.com
lagardere-vivendi-corp.net
chestnutmaretraining.com
seosjekk.online
ahevrlh.xyz
uedam.xyz
natrada.love
yoywvfw.top
unifiedtradingjapan.com
chinakaldi.com
agenciacolmeiadigital.com
wdlzzfkc.cfd
097850.com
xingcansy.com
uahrbqtj.cfd
charliehaywood.com
witheres.shop
sqiyvdrx.cfd
biopfizer.com
tiktokviewer.com
prftwgmw.cfd
sfsdnwpf.cfd
linkboladewahub.xyz
orvados.com
goodshepherdopcesva.com
christianlovewv.com
cdicontrols.com
hawskio26.click
ownlegalhelp.com
tiydmdzp.cfd
ppirr.biz
stonyatrick.com
itsamazingbarley.com
msjbaddf.cfd
zachmahl.com
Signatures
- Formbook payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1576-140-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/1576-143-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3340-150-0x0000000000600000-0x000000000062F000-memory.dmp  formbook
  behavioral2/memory/3340-152-0x0000000000600000-0x000000000062F000-memory.dmp  formbook
- Loads dropped DLL (1 IoC)
  pid   Process
  2796  Swift TT Copy pdf.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                procid_target
  PID 2796 set thread context of 1576  2796  Swift TT Copy pdf.exe  83
  PID 1576 set thread context of 3132  1576  Swift TT Copy pdf.exe  52
  PID 3340 set thread context of 3132  3340  cscript.exe            52
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   Process
  1576  Swift TT Copy pdf.exe  (4 entries)
  3340  cscript.exe            (56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3132  Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   Process
  2796  Swift TT Copy pdf.exe  (1 entry)
  1576  Swift TT Copy pdf.exe  (3 entries)
  3340  cscript.exe            (2 entries)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1576  Swift TT Copy pdf.exe
  Token: SeDebugPrivilege            3340  cscript.exe
  Token: SeShutdownPrivilege         3132  Explorer.EXE  (4 entries)
  Token: SeCreatePagefilePrivilege   3132  Explorer.EXE  (4 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process                procid_target
  PID 2796 wrote to memory of 1576    2796  Swift TT Copy pdf.exe  83  (4 entries)
  PID 3132 wrote to memory of 3340    3132  Explorer.EXE           84  (3 entries)
  PID 3340 wrote to memory of 2288    3340  cscript.exe            89  (3 entries)
Processes
- [1] C:\Windows\Explorer.EXE (PID 3132)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe (PID 2796)
    command line: "C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe (PID 1576)
      command line: "C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cscript.exe (PID 3340)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2288)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 89KB
- MD5: 41ddf10747e14890df75b10f8cd48a66
- SHA1: 3b819381b137ef0af1ff4d8cb21651756e8088fb
- SHA256: 38b2ce7071de654c0b50c22fd5fa18dce6add7b17631d6f0be926520f23f5e75
- SHA512: b880ae952b8b104ee16475f538fdd97fddefc0015a6755b43d467b9a231c416e513f1f3c758c9e53b5c141c6bdc00f1af9d95834060a7f554587361ee24e64d6