Analysis
  max time kernel: 146s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 03/10/2023, 06:47
Static task
  static1
Behavioral task
  behavioral1
  Sample: Swift Copy.exe
  Resource: win7-20230831-en
Behavioral task
  behavioral2
  Sample: Swift Copy.exe
  Resource: win10v2004-20230915-en
General
  Target: Swift Copy.exe
  Size: 626KB
  MD5: ec980b2eaacb57ec35da3995f975d283
  SHA1: 76c281f8deffa691c07d822554d8dcf98fe59c3a
  SHA256: e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
  SHA512: 585c5576ea7c14029eaa43d2576c4c2b267c09bc34c283a5c52bc28628503db34594171da27c2beaa26ab0148fa9048d662656cfeb39d1b7fb315d9cbf5b572b
  SSDEEP: 12288:oGaG5jfdincG9udbntW3khdcm9SrwAlp0iIjavCyXTSJ3ykVZ/65LqRVNumB0:Br55Cudb03khdch5ImTTUykX/qLqRuy
Malware Config
Signatures

Checks computer location settings  (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                  | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\International\Geo\Nation | Swift Copy.exe

Loads dropped DLL  (1 IoCs)
  pid  | Process
  2980 | ipconfig.exe

Suspicious use of SetThreadContext  (5 IoCs)
  description                          | pid  | Process        | procid_target
  PID 1196 set thread context of 2760  | 1196 | Swift Copy.exe | 30
  PID 2760 set thread context of 1200  | 2760 | Swift Copy.exe | 16
  PID 2760 set thread context of 1200  | 2760 | Swift Copy.exe | 16
  PID 2760 set thread context of 2980  | 2760 | Swift Copy.exe | 31
  PID 2980 set thread context of 1200  | 2980 | ipconfig.exe   | 16

Gathers network information  (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
  pid  | Process
  2980 | ipconfig.exe

Modifies Internet Explorer settings  (1 IoCs)
  description | ioc                                                                                                                          | Process
  Key created | \Registry\User\S-1-5-21-86725733-3001458681-3405935542-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses  (18 IoCs)
  pid  | Process        | entries
  2760 | Swift Copy.exe | 9
  2980 | ipconfig.exe   | 9

Suspicious behavior: GetForegroundWindowSpam  (1 IoCs)
  pid  | Process
  1200 | Explorer.EXE

Suspicious behavior: MapViewOfSection  (7 IoCs)
  pid  | Process        | entries
  2760 | Swift Copy.exe | 3
  2980 | ipconfig.exe   | 4

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2760 | Swift Copy.exe
  Token: SeDebugPrivilege | 2980 | ipconfig.exe

Suspicious use of WriteProcessMemory  (16 IoCs)
  description                        | pid  | Process        | procid_target | entries
  PID 1196 wrote to memory of 2760   | 1196 | Swift Copy.exe | 30            | 7
  PID 2760 wrote to memory of 2980   | 2760 | Swift Copy.exe | 31            | 4
  PID 2980 wrote to memory of 108    | 2980 | ipconfig.exe   | 34            | 5
Processes
  1. C:\Windows\Explorer.EXE
     Command line: C:\Windows\Explorer.EXE
     PID: 1200
     - Suspicious behavior: GetForegroundWindowSpam
     2. C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
        PID: 1196
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        3. C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
           PID: 2760
           - Checks computer location settings
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           4. C:\Windows\SysWOW64\ipconfig.exe
              Command line: "C:\Windows\SysWOW64\ipconfig.exe"
              PID: 2980
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Gathers network information
              - Modifies Internet Explorer settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              5. C:\Program Files\Mozilla Firefox\Firefox.exe
                 Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
                 PID: 108
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 557KB
  MD5: d113a47c6ac162a76d78c817aeb57755
  SHA1: f301cea25c2032dd67ffbd21242b209f0ee70ee2
  SHA256: bae32df8fa24a3e55bcc1591e09918259173f870090e2ae775509edb8b893eb4
  SHA512: ba64e248ee75fa43cae60c1e0815c512f89eabc140b35aa696d428a3f5d328db04981c0f500b78211bbfd9087ba678328c8ad63ac51249062900693a1d399178

  Filesize: 1.1MB
  MD5: f55e5766477de5997da50f12c9c74c91
  SHA1: 4dc98900a887be95411f07b9e597c57bdc7dbab3
  SHA256: 90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69
  SHA512: 983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05