Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15-03-2024 13:39
Static task
static1
Behavioral task
behavioral1
Sample
333136f93e800e920a79e6a1a1e3e1f4.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
333136f93e800e920a79e6a1a1e3e1f4.exe
Resource
win10v2004-20240226-en
General
-
Target
333136f93e800e920a79e6a1a1e3e1f4.exe
-
Size
6.2MB
-
MD5
333136f93e800e920a79e6a1a1e3e1f4
-
SHA1
dbe32a9110777bca904f5a4a71acb79595f25360
-
SHA256
3de75ebc0dc781b50ffcf059bb55bd01955d6d5e859985302f97f9cdecb3dceb
-
SHA512
fe889aedcb782f99f1f6618a5a1677aed150ff88a88c7f132d82a485b9c5866967024a646c2b042ed66d19068cc5a855c241ab730bcd443eca49ed97223331b0
-
SSDEEP
98304:Xh3TZCHW46+ESLRLHtvmt00S3qQhB5YiMQHRNI4D3b9DolW1:Xh3tCB6+ESLlturQhBEiI4DL9Dom
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
handler.exepid process 2572 handler.exe -
Loads dropped DLL 2 IoCs
Processes:
333136f93e800e920a79e6a1a1e3e1f4.exepid process 2876 333136f93e800e920a79e6a1a1e3e1f4.exe 2876 333136f93e800e920a79e6a1a1e3e1f4.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
333136f93e800e920a79e6a1a1e3e1f4.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swift Host Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Swift\\handler.exe" 333136f93e800e920a79e6a1a1e3e1f4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
333136f93e800e920a79e6a1a1e3e1f4.exepid process 2876 333136f93e800e920a79e6a1a1e3e1f4.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
333136f93e800e920a79e6a1a1e3e1f4.exedescription pid process target process PID 2876 wrote to memory of 2572 2876 333136f93e800e920a79e6a1a1e3e1f4.exe handler.exe PID 2876 wrote to memory of 2572 2876 333136f93e800e920a79e6a1a1e3e1f4.exe handler.exe PID 2876 wrote to memory of 2572 2876 333136f93e800e920a79e6a1a1e3e1f4.exe handler.exe PID 2876 wrote to memory of 2572 2876 333136f93e800e920a79e6a1a1e3e1f4.exe handler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\333136f93e800e920a79e6a1a1e3e1f4.exe"C:\Users\Admin\AppData\Local\Temp\333136f93e800e920a79e6a1a1e3e1f4.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Roaming\Swift\handler.exe"C:\Users\Admin\AppData\Roaming\Swift\handler.exe"2⤵
- Executes dropped EXE
PID:2572
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
355KB
MD584e6f64f899bfeb55fa64c5871de4ed7
SHA1d8ce913a05d39cc086beaf43058b1ea4a9645430
SHA2567416baa662c44701c5571d97967de41c33d06284d59f0a93bebc5684446436d5
SHA512090255f81a5c7b4ef469664d41c9f4a66cdd8ed7d5bd8afc6a5fb8c7833ded18c47ff88fb59c3877fd29513f0d47ff6cbdfbd9cae84df91c1d756ee81bbca6f4