ba4e91818b6dd6baa9c8465feaf72c0de6b50f884df80ae72de722c21096ff32

General

Target

Swift Copy.scr.exe
Size

883KB
MD5

4e67c14112dfea946256c56695b85b06
SHA1

d2836d2fd3f1a23da0aacca6e8c94e0d22820a50
SHA256

ba4e91818b6dd6baa9c8465feaf72c0de6b50f884df80ae72de722c21096ff32
SHA512

9106edd843a2efe7cdcc7a508634e73874be6aa7f6cdf3ab113ea9a0536f8297abf70911ab572aa60a11dcea4ab24c4bca6830709cae45147c6af961e49b917f
SSDEEP

24576:JksxENl6bP9Ra9gU3cRlTv07ye7PYHC+HFJGJWYKBKeGp:JkmENl6bPO9gU3cR76y1OJhEKX

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2536	2972	Swift Copy.scr.exe	29
PID 2536 set thread context of 1224	2536	RegSvcs.exe	21
PID 2536 set thread context of 2352	2536	RegSvcs.exe	31
PID 2352 set thread context of 1224	2352	newdev.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2972	Swift Copy.scr.exe
2972	Swift Copy.scr.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2568	powershell.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe
2352	newdev.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2536	RegSvcs.exe
1224	Explorer.EXE
1224	Explorer.EXE
2352	newdev.exe
2352	newdev.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	Swift Copy.scr.exe
Token: SeDebugPrivilege	2568	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2568	2972	Swift Copy.scr.exe	28
PID 2972 wrote to memory of 2568	2972	Swift Copy.scr.exe	28
PID 2972 wrote to memory of 2568	2972	Swift Copy.scr.exe	28
PID 2972 wrote to memory of 2568	2972	Swift Copy.scr.exe	28
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 2972 wrote to memory of 2536	2972	Swift Copy.scr.exe	29
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31
PID 1224 wrote to memory of 2352	1224	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.scr.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift Copy.scr.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2536
- C:\Windows\SysWOW64\newdev.exe
  "C:\Windows\SysWOW64\newdev.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-27-0x0000000003B00000-0x0000000003C00000-memory.dmp

Filesize
1024KB

Download
memory/1224-37-0x0000000008E10000-0x000000000A213000-memory.dmp

Filesize
20.0MB

Download
memory/1224-29-0x0000000008E10000-0x000000000A213000-memory.dmp

Filesize
20.0MB

Download
memory/2352-38-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2352-36-0x0000000000610000-0x00000000006B0000-memory.dmp

Filesize
640KB

Download
memory/2352-35-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2352-34-0x0000000002500000-0x0000000002803000-memory.dmp

Filesize
3.0MB

Download
memory/2352-31-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2352-30-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2536-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-33-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/2536-15-0x0000000000790000-0x0000000000A93000-memory.dmp

Filesize
3.0MB

Download
memory/2536-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-28-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/2536-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-23-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-22-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2568-21-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2568-20-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2568-18-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-19-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-6-0x0000000005170000-0x0000000005214000-memory.dmp

Filesize
656KB

Download
memory/2972-0-0x0000000000330000-0x0000000000414000-memory.dmp

Filesize
912KB

Download
memory/2972-14-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-5-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/2972-4-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2972-3-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/2972-2-0x00000000046D0000-0x0000000004710000-memory.dmp

Filesize
256KB

Download
memory/2972-1-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing