e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Copy.exe
Size

626KB
MD5

ec980b2eaacb57ec35da3995f975d283
SHA1

76c281f8deffa691c07d822554d8dcf98fe59c3a
SHA256

e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
SHA512

585c5576ea7c14029eaa43d2576c4c2b267c09bc34c283a5c52bc28628503db34594171da27c2beaa26ab0148fa9048d662656cfeb39d1b7fb315d9cbf5b572b
SSDEEP

12288:oGaG5jfdincG9udbntW3khdcm9SrwAlp0iIjavCyXTSJ3ykVZ/65LqRVNumB0:Br55Cudb03khdch5ImTTUykX/qLqRuy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\International\Geo\Nation	Swift Copy.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	cmmon32.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2620	2212	Swift Copy.exe	34
PID 2620 set thread context of 1252	2620	Swift Copy.exe	10
PID 2620 set thread context of 1252	2620	Swift Copy.exe	10
PID 2620 set thread context of 2532	2620	Swift Copy.exe	35
PID 2532 set thread context of 1252	2532	cmmon32.exe	10

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3849525425-30183055-657688904-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2212	Swift Copy.exe
2212	Swift Copy.exe
2212	Swift Copy.exe
2212	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2620	Swift Copy.exe
2620	Swift Copy.exe
2620	Swift Copy.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe
2532	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	Swift Copy.exe
Token: SeDebugPrivilege	2620	Swift Copy.exe
Token: SeDebugPrivilege	2532	cmmon32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2612	2212	Swift Copy.exe	30
PID 2212 wrote to memory of 2612	2212	Swift Copy.exe	30
PID 2212 wrote to memory of 2612	2212	Swift Copy.exe	30
PID 2212 wrote to memory of 2612	2212	Swift Copy.exe	30
PID 2212 wrote to memory of 1880	2212	Swift Copy.exe	31
PID 2212 wrote to memory of 1880	2212	Swift Copy.exe	31
PID 2212 wrote to memory of 1880	2212	Swift Copy.exe	31
PID 2212 wrote to memory of 1880	2212	Swift Copy.exe	31
PID 2212 wrote to memory of 2744	2212	Swift Copy.exe	32
PID 2212 wrote to memory of 2744	2212	Swift Copy.exe	32
PID 2212 wrote to memory of 2744	2212	Swift Copy.exe	32
PID 2212 wrote to memory of 2744	2212	Swift Copy.exe	32
PID 2212 wrote to memory of 2720	2212	Swift Copy.exe	33
PID 2212 wrote to memory of 2720	2212	Swift Copy.exe	33
PID 2212 wrote to memory of 2720	2212	Swift Copy.exe	33
PID 2212 wrote to memory of 2720	2212	Swift Copy.exe	33
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2212 wrote to memory of 2620	2212	Swift Copy.exe	34
PID 2620 wrote to memory of 2532	2620	Swift Copy.exe	35
PID 2620 wrote to memory of 2532	2620	Swift Copy.exe	35
PID 2620 wrote to memory of 2532	2620	Swift Copy.exe	35
PID 2620 wrote to memory of 2532	2620	Swift Copy.exe	35
PID 2532 wrote to memory of 472	2532	cmmon32.exe	38
PID 2532 wrote to memory of 472	2532	cmmon32.exe	38
PID 2532 wrote to memory of 472	2532	cmmon32.exe	38
PID 2532 wrote to memory of 472	2532	cmmon32.exe	38
PID 2532 wrote to memory of 472	2532	cmmon32.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1252
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c4nxwd.zip

Filesize
489KB

MD5
910ae9fbda13a82f9410303b653fe0c6

SHA1
3de02829408f5320b01e4209c79cf4a9d45cde86

SHA256
11ba415b7e3b91c4587dc73bec82caf92f62724d0e49782151e7764acca43cb5

SHA512
a7564409603dec6184920aed608024db319e8548b872a022eecd91501c12da2fde5fab5b6ce6772f1ba5724cce9151ce79214bed5cb3b13d39e5e9ea254e51b0

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
932KB

MD5
661fd92d4eaeea3740649af5a484d7c8

SHA1
c93f868890fee1475f8ec9e7607e26f5dce67d54

SHA256
58a478f0560ea22c1bc194263f07cf6f3ecfe47d0c8b534a7bba185f28a1141f

SHA512
1fac03c20139fde41d121e0adbd02d127261ce061509996087fc1c80baf2fe0d0f70fed6b83d38a85cfa2e07d038ff809161c7ecce31ec44ac8b89740d3db15d

Download Submit
memory/1252-34-0x0000000004E70000-0x0000000004F70000-memory.dmp

Filesize
1024KB

Download
memory/1252-26-0x000000000BC60000-0x000000000C887000-memory.dmp

Filesize
12.2MB

Download
memory/1252-37-0x0000000004E70000-0x0000000004F70000-memory.dmp

Filesize
1024KB

Download
memory/1252-33-0x0000000004E70000-0x0000000004F70000-memory.dmp

Filesize
1024KB

Download
memory/1252-20-0x00000000091E0000-0x000000000BC58000-memory.dmp

Filesize
42.5MB

Download
memory/2212-6-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2212-8-0x0000000005150000-0x00000000051CA000-memory.dmp

Filesize
488KB

Download
memory/2212-2-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/2212-0-0x0000000000230000-0x00000000002D2000-memory.dmp

Filesize
648KB

Download
memory/2212-14-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-7-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2212-3-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/2212-5-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/2212-4-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-1-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-30-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/2532-27-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2532-35-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2532-36-0x0000000000960000-0x0000000000A04000-memory.dmp

Filesize
656KB

Download
memory/2532-32-0x0000000000960000-0x0000000000A04000-memory.dmp

Filesize
656KB

Download
memory/2532-31-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2532-76-0x0000000061E00000-0x0000000061ED3000-memory.dmp

Filesize
844KB

Download
memory/2532-28-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2532-79-0x0000000061E00000-0x0000000061ED3000-memory.dmp

Filesize
844KB

Download
memory/2620-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-25-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/2620-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-23-0x00000000002E0000-0x0000000000305000-memory.dmp

Filesize
148KB

Download
memory/2620-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-19-0x00000000002E0000-0x0000000000305000-memory.dmp

Filesize
148KB

Download
memory/2620-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-15-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/2620-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download