e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d

General

Target

Swift Copy.exe
Size

626KB
MD5

ec980b2eaacb57ec35da3995f975d283
SHA1

76c281f8deffa691c07d822554d8dcf98fe59c3a
SHA256

e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
SHA512

585c5576ea7c14029eaa43d2576c4c2b267c09bc34c283a5c52bc28628503db34594171da27c2beaa26ab0148fa9048d662656cfeb39d1b7fb315d9cbf5b572b
SSDEEP

12288:oGaG5jfdincG9udbntW3khdcm9SrwAlp0iIjavCyXTSJ3ykVZ/65LqRVNumB0:Br55Cudb03khdch5ImTTUykX/qLqRuy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	Swift Copy.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 4596	3784	Swift Copy.exe	98
PID 4596 set thread context of 3236	4596	Swift Copy.exe	50
PID 4596 set thread context of 3236	4596	Swift Copy.exe	50
PID 4596 set thread context of 3320	4596	Swift Copy.exe	103

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4596	Swift Copy.exe
4596	Swift Copy.exe
4596	Swift Copy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	Swift Copy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 4596	3784	Swift Copy.exe	98
PID 3784 wrote to memory of 4596	3784	Swift Copy.exe	98
PID 3784 wrote to memory of 4596	3784	Swift Copy.exe	98
PID 3784 wrote to memory of 4596	3784	Swift Copy.exe	98
PID 3784 wrote to memory of 4596	3784	Swift Copy.exe	98
PID 3784 wrote to memory of 4596	3784	Swift Copy.exe	98
PID 4596 wrote to memory of 3320	4596	Swift Copy.exe	103
PID 4596 wrote to memory of 3320	4596	Swift Copy.exe	103
PID 4596 wrote to memory of 3320	4596	Swift Copy.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      4⤵
      PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3236-21-0x000000000CE80000-0x000000000F03D000-memory.dmp

Filesize
33.7MB

Download
memory/3236-27-0x000000000F040000-0x0000000010EA0000-memory.dmp

Filesize
30.4MB

Download
memory/3320-30-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/3320-28-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/3784-15-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3784-11-0x0000000006B10000-0x0000000006B1C000-memory.dmp

Filesize
48KB

Download
memory/3784-6-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/3784-7-0x0000000005760000-0x0000000005778000-memory.dmp

Filesize
96KB

Download
memory/3784-8-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3784-9-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3784-10-0x0000000005BD0000-0x0000000005BDA000-memory.dmp

Filesize
40KB

Download
memory/3784-4-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3784-12-0x0000000008230000-0x00000000082AA000-memory.dmp

Filesize
488KB

Download
memory/3784-1-0x0000000000B30000-0x0000000000BD2000-memory.dmp

Filesize
648KB

Download
memory/3784-0-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3784-2-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/3784-3-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/3784-5-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/4596-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-20-0x0000000003700000-0x0000000003725000-memory.dmp

Filesize
148KB

Download
memory/4596-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-23-0x0000000003700000-0x0000000003725000-memory.dmp

Filesize
148KB

Download
memory/4596-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-26-0x0000000006D60000-0x0000000006D85000-memory.dmp

Filesize
148KB

Download
memory/4596-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-16-0x0000000000F60000-0x00000000012AA000-memory.dmp

Filesize
3.3MB

Download
memory/4596-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing