Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15-05-2024 07:00

General

  • Target

    Swift Copy.exe

  • Size

    49KB

  • MD5

    fadef7ce43e9627a752d03a41e71ee41

  • SHA1

    f8a9907fdb73ca4b162b20a79d9384ab5277af31

  • SHA256

    80762425adc5f24b5c7be359dd4cb7c1c657bb21f0304dcb89eb6bd6d8d8e0da

  • SHA512

    764ddce479431043510647f95fb376be3b62bc7e6283173c9d7849130335a8daa2aad2b86e8a7693cd5c92c1b94e809cf1a0ec1ecbb2fb6c196d1764a0a9a081

  • SSDEEP

    768:P1YSqVwQ8rD6pSg12mkQu3MyoELiym7/FDFTNxIrgBjv5VQ6:PyeQkDxtcyJm7tk0jv5VJ

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    sr62
  • Decoy
    pizzaperol.com
    brooklynlearningstudio.com
    legendlearningacghy.net
    xtlg3i19o7czkv4.buzz
    outdoorsproducts.xyz
    nissanthanhhoa.com
    mtviewproservices.com
    tichris.com
    monopolygo.llc
    engagemaxmail.com
    supremeinsure.com
    2018b7.com
    tedxkarunyauniversity.com
    vaishnaviyoga.in
    goddessoffetish.com
    dazewu.com
    844385.autos
    caluxio.com
    restaurantlataberna.com
    charlieahunter.com

Signatures

  • Detect ZGRat V1 34 IoCs
  • Formbook

    Formbook is an information-stealing malware family (browser and mail-client credential theft, keylogging, clipboard capture). The configuration extracted from this sample identifies it as Formbook 4.1, campaign sr62, with the decoy domain list above.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
      "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
        "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
        3⤵
          PID:4896
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
      1⤵
        PID:4544
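
The process tree above carries the chain a detection engineer would key on: the sample spawns a second copy of its own image while using SetThreadContext and WriteProcessMemory (hollowing), Explorer.EXE then shows UnmapMainImage and WriteProcessMemory use, a SysWOW64 binary (msdt.exe) appears under Explorer, and that binary spawns cmd.exe to delete the original "Swift Copy.exe". The Python below is added here as an example and is not part of the sandbox report; it encodes those two patterns as rules and runs them over a constructed event list that mirrors the tree (the PIDs, images and API-use flags are taken from the report, while the ProcEvent shape, flag names and rule names are assumptions of the example).

```python
"""Added example (not the sandbox's own code): two rules over a process tree.

EVENTS is constructed to mirror the Processes section of the report above;
the ProcEvent shape, the flag strings and the rule names are assumptions
of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]          # None for a tree root
    image: str                   # full image path
    cmdline: str
    flags: FrozenSet[str] = field(default_factory=frozenset)   # API-use signatures


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"

# Constructed from the report's process tree (same PIDs, images and flags).
EVENTS: List[ProcEvent] = [
    ProcEvent(3492, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
              frozenset({"AdjustPrivilegeToken", "UnmapMainImage", "WriteProcessMemory"})),
    ProcEvent(4592, 3492, SAMPLE, '"%s"' % SAMPLE,
              frozenset({"SetThreadContext", "AdjustPrivilegeToken", "WriteProcessMemory"})),
    ProcEvent(3560, 4592, SAMPLE, '"%s"' % SAMPLE,
              frozenset({"SetThreadContext", "EnumeratesProcesses",
                         "MapViewOfSection", "AdjustPrivilegeToken"})),
    ProcEvent(404, 3492, r"C:\Windows\SysWOW64\msdt.exe", r'"C:\Windows\SysWOW64\msdt.exe"',
              frozenset({"SetThreadContext", "EnumeratesProcesses", "MapViewOfSection",
                         "AdjustPrivilegeToken", "WriteProcessMemory"})),
    ProcEvent(4896, 404, r"C:\Windows\SysWOW64\cmd.exe", '/c del "%s"' % SAMPLE),
    ProcEvent(4544, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "--type=utility --lang=en-US"),   # sandbox noise, unrelated to the sample
]

# "/c del <path>" with or without surrounding quotes.
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+)"?', re.IGNORECASE)


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_self_hollowing(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """A process spawns a copy of its own image and drives it with
    SetThreadContext + WriteProcessMemory: the hollowing pattern seen at
    4592 -> 3560 in the report. Returns (parent_pid, child_pid) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if (parent is not None
                and parent.image.lower() == child.image.lower()
                and {"SetThreadContext", "WriteProcessMemory"} <= parent.flags):
            hits.append((parent.pid, child.pid))
    return hits


def find_lolbin_cleanup(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """explorer.exe -> SysWOW64 binary -> cmd.exe /c del <path>, where <path>
    is the image of another process in the same tree: the sample deleting
    itself after migrating into a system binary (3492 -> 404 -> 4896)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for cmd in events:
        if _basename(cmd.image) != "cmd.exe":
            continue
        m = DEL_RE.search(cmd.cmdline)
        if not m:
            continue
        target = m.group("path").strip()
        victims = [e.pid for e in events if e.image.lower() == target.lower()]
        if not victims:
            continue                          # deleting something that never ran here
        lolbin = by_pid.get(cmd.ppid)
        if lolbin is None or not lolbin.image.lower().startswith("c:\\windows\\syswow64\\"):
            continue
        root = by_pid.get(lolbin.ppid)
        if root is None or _basename(root.image) != "explorer.exe":
            continue
        hits.append({
            "root_pid": root.pid,
            "root_injected": {"UnmapMainImage", "WriteProcessMemory"} <= root.flags,
            "lolbin_pid": lolbin.pid,
            "lolbin": _basename(lolbin.image),
            "deleter_pid": cmd.pid,
            "deleted_path": target,
            "deleted_image_pids": victims,
        })
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, object]:
    """Run both rules and return their hits keyed by rule name."""
    return {"self_hollowing": find_self_hollowing(events),
            "lolbin_cleanup": find_lolbin_cleanup(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule, hits)
```

On the report's tree the first rule fires once (4592 spawning 3560) and the second once (msdt.exe under Explorer deleting the image that 4592 and 3560 ran from, with Explorer already carrying the injection flags). The msedge.exe process matches neither rule, which is the point of anchoring on parent image plus the deleted path rather than on cmd.exe /c del alone.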

Downloads

  • memory/404-4903-0x0000000000210000-0x0000000000267000-memory.dmp (348KB)
  • memory/3492-4900-0x00000000027A0000-0x00000000028B3000-memory.dmp (1.1MB)
  • memory/3492-4916-0x0000000002B10000-0x0000000002BCC000-memory.dmp (752KB)
  • memory/3492-4911-0x0000000002B10000-0x0000000002BCC000-memory.dmp (752KB)
  • memory/3492-4906-0x00000000027A0000-0x00000000028B3000-memory.dmp (1.1MB)
  • memory/3560-4894-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
  • memory/3560-4896-0x0000000001030000-0x000000000137A000-memory.dmp (3.3MB)
  • memory/3560-4899-0x0000000000E30000-0x0000000000E44000-memory.dmp (80KB)
  • memory/3560-4898-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
  • memory/4592-51-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-37-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-9-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-13-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-11-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-27-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-33-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-43-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-65-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-67-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-69-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-63-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-61-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-59-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-57-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-55-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-53-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-4-0x0000000009330000-0x00000000098D4000-memory.dmp (5.6MB)
  • memory/4592-49-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-47-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-45-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-41-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-39-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-5-0x0000000008E20000-0x0000000008EB2000-memory.dmp (584KB)
  • memory/4592-35-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-31-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-29-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-25-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-23-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-21-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-19-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-17-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-15-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-7-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-6-0x0000000008B40000-0x0000000008D78000-memory.dmp (2.2MB)
  • memory/4592-4886-0x00000000749E0000-0x0000000075190000-memory.dmp (7.7MB)
  • memory/4592-4888-0x0000000005D50000-0x0000000005D9C000-memory.dmp (304KB)
  • memory/4592-4887-0x0000000005EB0000-0x0000000005F2A000-memory.dmp (488KB)
  • memory/4592-3-0x0000000008B40000-0x0000000008D7E000-memory.dmp (2.2MB)
  • memory/4592-2-0x00000000749E0000-0x0000000075190000-memory.dmp (7.7MB)
  • memory/4592-1-0x0000000000B30000-0x0000000000B42000-memory.dmp (72KB)
  • memory/4592-0-0x00000000749EE000-0x00000000749EF000-memory.dmp (4KB)
  • memory/4592-4889-0x00000000749EE000-0x00000000749EF000-memory.dmp (4KB)
  • memory/4592-4890-0x00000000749E0000-0x0000000075190000-memory.dmp (7.7MB)
  • memory/4592-4891-0x00000000011A0000-0x00000000011F4000-memory.dmp (336KB)
  • memory/4592-4895-0x00000000749E0000-0x0000000075190000-memory.dmp (7.7MB)