3de75ebc0dc781b50ffcf059bb55bd01955d6d5e859985302f97f9cdecb3dceb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333136f93e800e920a79e6a1a1e3e1f4.exe
Size

6.2MB
MD5

333136f93e800e920a79e6a1a1e3e1f4
SHA1

dbe32a9110777bca904f5a4a71acb79595f25360
SHA256

3de75ebc0dc781b50ffcf059bb55bd01955d6d5e859985302f97f9cdecb3dceb
SHA512

fe889aedcb782f99f1f6618a5a1677aed150ff88a88c7f132d82a485b9c5866967024a646c2b042ed66d19068cc5a855c241ab730bcd443eca49ed97223331b0
SSDEEP

98304:Xh3TZCHW46+ESLRLHtvmt00S3qQhB5YiMQHRNI4D3b9DolW1:Xh3tCB6+ESLlturQhBEiI4DL9Dom

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

handler.exe

pid process

2572 handler.exe
Loads dropped DLL 2 IoCs

Processes:

333136f93e800e920a79e6a1a1e3e1f4.exe

pid process

2876 333136f93e800e920a79e6a1a1e3e1f4.exe
2876 333136f93e800e920a79e6a1a1e3e1f4.exe

pid	process
2572	handler.exe

pid	process
2876	333136f93e800e920a79e6a1a1e3e1f4.exe
2876	333136f93e800e920a79e6a1a1e3e1f4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

333136f93e800e920a79e6a1a1e3e1f4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swift Host Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Swift\\handler.exe"	333136f93e800e920a79e6a1a1e3e1f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

333136f93e800e920a79e6a1a1e3e1f4.exe

pid process

2876 333136f93e800e920a79e6a1a1e3e1f4.exe

pid	process
2876	333136f93e800e920a79e6a1a1e3e1f4.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

333136f93e800e920a79e6a1a1e3e1f4.exe

description	pid	process	target process
PID 2876 wrote to memory of 2572	2876	333136f93e800e920a79e6a1a1e3e1f4.exe	handler.exe
PID 2876 wrote to memory of 2572	2876	333136f93e800e920a79e6a1a1e3e1f4.exe	handler.exe
PID 2876 wrote to memory of 2572	2876	333136f93e800e920a79e6a1a1e3e1f4.exe	handler.exe
PID 2876 wrote to memory of 2572	2876	333136f93e800e920a79e6a1a1e3e1f4.exe	handler.exe

C:\Users\Admin\AppData\Local\Temp\333136f93e800e920a79e6a1a1e3e1f4.exe
"C:\Users\Admin\AppData\Local\Temp\333136f93e800e920a79e6a1a1e3e1f4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\Swift\handler.exe
"C:\Users\Admin\AppData\Roaming\Swift\handler.exe"
2⤵
- Executes dropped EXE
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Swift\handler.exe
Filesize
355KB

MD5
84e6f64f899bfeb55fa64c5871de4ed7

SHA1
d8ce913a05d39cc086beaf43058b1ea4a9645430

SHA256
7416baa662c44701c5571d97967de41c33d06284d59f0a93bebc5684446436d5

SHA512
090255f81a5c7b4ef469664d41c9f4a66cdd8ed7d5bd8afc6a5fb8c7833ded18c47ff88fb59c3877fd29513f0d47ff6cbdfbd9cae84df91c1d756ee81bbca6f4

Download Submit
memory/2876-21-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2876-5-0x00000000010B0000-0x0000000001C57000-memory.dmp

Filesize
11.7MB

Download
memory/2876-16-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2876-14-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2876-7-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2876-11-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2876-9-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2876-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2876-47-0x00000000010B0000-0x0000000001C57000-memory.dmp

Filesize
11.7MB

Download
memory/2876-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2876-6-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2876-31-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2876-29-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2876-26-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2876-24-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2876-37-0x00000000010B0000-0x0000000001C57000-memory.dmp

Filesize
11.7MB

Download
memory/2876-2-0x00000000010B0000-0x0000000001C57000-memory.dmp

Filesize
11.7MB

Download
memory/2876-19-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download