Analysis

Max time kernel: 117s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 21-05-2024 11:45

Static task: static1

Behavioral task: behavioral1
  Sample: Swift copy.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: Swift copy.exe
  Resource: win10v2004-20240508-en

(The signatures, process tree and memory dumps below all come from behavioral1, the Windows 7 x64 run.)
General

Target: Swift copy.exe
Size: 619KB
MD5: 458f7cbc40f24ca3257cb3803f1a817c
SHA1: 419fdb34bacf7fcc9b955bdbca7e4cf9d03e6877
SHA256: bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2
SHA512: 4f4da09b4a42440b0bb8e0e17b313c2b9450456f8ef4469e6f060554ee70fe6f7cef8de30dd72147702e1ec76190276c9d162a2c1492918f600142575f83cff9
SSDEEP: 12288:6WET/mr9K+22BEEzFatnd/WeHK4KMSMOV4Tu4Cbpb3W/KuBvnqMUpeNW/:6Wtb3BE/Zq4KJLGT/6bG
Malware Config

Extracted
Family: xworm
Version: 3.1
C2: baldur1.duckdns.org:3360
99lkUMNvqj7gQA4z (field label lost in extraction; the value is reproduced as shown)
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (5 IoCs)
  YARA rule family_xworm matched five memory dumps of PID 2976, all covering the same region 0x00400000-0x00410000 of the child "Swift copy.exe", the process that PID 1792 writes into and redirects with SetThreadContext (see below):
    behavioral1/memory/2976-23-0x0000000000400000-0x0000000000410000-memory.dmp
    behavioral1/memory/2976-25-0x0000000000400000-0x0000000000410000-memory.dmp
    behavioral1/memory/2976-28-0x0000000000400000-0x0000000000410000-memory.dmp
    behavioral1/memory/2976-29-0x0000000000400000-0x0000000000410000-memory.dmp
    behavioral1/memory/2976-30-0x0000000000400000-0x0000000000410000-memory.dmp

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions. Both observed invocations use Add-MpPreference -ExclusionPath: PID 2752 excludes the sample's own path under %LocalAppData%\Temp and PID 2688 excludes C:\Users\Admin\AppData\Roaming\AkyTYQmExJ.exe, the name the scheduled task below is built around. No extension or process exclusions were observed, and the report does not show whether the cmdlet succeeded.
  PID   Process
  2752  powershell.exe
  2688  powershell.exe

Drops startup file (2 IoCs)
  Process         Description                   IoC
  Swift copy.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift copy.lnk
  Swift copy.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift copy.lnk

Loads dropped DLL (1 IoC)
  PID 2976  Swift copy.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by Swift copy.exe:
    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swift copy = "C:\\Users\\Admin\\AppData\\Roaming\\Swift copy.exe"
  Note: both persistence entries (this Run value and the Startup .lnk) point at %AppData%\Swift copy.exe, not at the install_file USB.exe given in the extracted config, and both are written by the injected child (PID 2976). The scheduled task and the Defender exclusions are set up by the outer process (PID 1792).

Suspicious use of SetThreadContext (1 IoC)
  PID 1792 (Swift copy.exe) set the thread context of PID 2976 (procid_target 35). Combined with the WriteProcessMemory entries below, this is the pattern of a parent writing a payload into a freshly spawned copy of its own image and redirecting that copy's thread to it.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 2904 (schtasks.exe) creates the task "Updates\AkyTYQmExJ" from an XML definition in %LocalAppData%\Temp\tmp675B.tmp; the XML body (trigger and action) is not captured in this report.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1792 Swift copy.exe (9 hits), PID 2752 powershell.exe, PID 2688 powershell.exe, PID 2976 Swift copy.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 1792  Swift copy.exe
  Token: SeDebugPrivilege  PID 2976  Swift copy.exe
  Token: SeDebugPrivilege  PID 2752  powershell.exe
  Token: SeDebugPrivilege  PID 2688  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2976  Swift copy.exe (the hook type is not recorded in this report)

Suspicious use of WriteProcessMemory (25 IoCs)
  Source PID 1792 (Swift copy.exe) wrote to:
    PID 2752  powershell.exe   4 writes  (procid_target 28)
    PID 2688  powershell.exe   4 writes  (procid_target 30)
    PID 2904  schtasks.exe     4 writes  (procid_target 32)
    PID 2232  Swift copy.exe   4 writes  (procid_target 34)
    PID 2976  Swift copy.exe   9 writes  (procid_target 35)
  The same four-write pattern appears for every child the sandbox records here, including PID 2232, which is launched with the parent's own command line but shows no further activity. Only PID 2976 receives additional writes and a SetThreadContext call, which marks it as the injection target.
Processes

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe  (PID 1792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2752, child of 1792)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2688, child of 1792)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AkyTYQmExJ.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 2904, child of 1792)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AkyTYQmExJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Swift copy.exe  (PID 2232, child of 1792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    No further signatures recorded for this process.

  C:\Users\Admin\AppData\Local\Temp\Swift copy.exe  (PID 2976, child of 1792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Notes on the tree: the children's image paths resolve under C:\Windows\SysWOW64\ although their command lines name System32, so the parent is a 32-bit process and WoW64 file-system redirection applies. PIDs 2232 and 2976 are both launched with the parent's own command line; only 2976 receives SetThreadContext and goes on to show the persistence behaviour and the family_xworm memory matches.
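As an added example (not part of this Triage report and not its signature engine), the following Python encodes the behaviours catalogued in the Signatures section and the process tree above as detection rules and runs them over Sysmon-style events. The EVENTS list is constructed from this report's PIDs, command lines, registry value and startup file, not captured logs; the event field names follow Sysmon loosely (EventID 1 process create, 11 file create, 13 registry value set, 22 DNS query) and the dynamic-DNS suffix list is an assumed starting point. A benign control event (an admin running Get-MpPreference) is included to show the rules do not fire on ordinary Defender administration.

```python
"""Detection rules for the XWorm loader behaviours in this report (added example).

Not Triage's engine.  EVENTS is constructed from the report's process tree and
IoCs in a loose Sysmon shape; nothing here is a captured log.
"""
import re

# Assumed starter list of dynamic-DNS suffixes; extend from your own intel.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed to mirror the report; ppid 900/1500 are placeholders
    {"id": 1, "pid": 1792, "ppid": 900, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 2752, "ppid": 1792, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
            r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"'},
    {"id": 1, "pid": 2688, "ppid": 1792, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
            r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\AkyTYQmExJ.exe"'},
    {"id": 1, "pid": 2904, "ppid": 1792, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AkyTYQmExJ" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp"'},
    {"id": 1, "pid": 2232, "ppid": 1792, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 2976, "ppid": 1792, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 13, "pid": 2976,
     "key": r"HKU\S-1-5-21-3691908287-3775019229-3534252667-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Swift copy",
     "value": r"C:\Users\Admin\AppData\Roaming\Swift copy.exe"},
    {"id": 11, "pid": 2976,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\Swift copy.lnk"},
    {"id": 22, "pid": 2976, "query": "baldur1.duckdns.org"},
    # Benign control: an admin querying Defender from a normal shell; must not fire.
    {"id": 1, "pid": 3100, "ppid": 1500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-MpPreference"},
]

RE_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)
RE_TASK_XML_TEMP = re.compile(r'/Create\b.*?/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)
RE_USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
RE_RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
RE_STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def _parent_image(events, ppid):
    """Image path of the process-create event for ppid, or None if unseen."""
    for e in events:
        if e["id"] == 1 and e["pid"] == ppid:
            return e["image"]
    return None


def detect(events):
    """Return [(rule_name, pid)] for every event that matches a rule."""
    hits = []
    for e in events:
        pid = e["pid"]
        if e["id"] == 1:
            img, cmd = e["image"].lower(), e["cmd"]
            # Defender exclusion added from the command line (T1562.001 pattern in this report).
            if img.endswith("powershell.exe") and RE_EXCLUSION.search(cmd):
                hits.append(("defender_exclusion_added", pid))
            # Scheduled task registered from an XML file dropped in the user's Temp directory.
            if img.endswith("schtasks.exe") and RE_TASK_XML_TEMP.search(cmd):
                hits.append(("schtasks_xml_from_temp", pid))
            # A user-writable binary spawning a copy of its own image: injection candidate.
            parent = _parent_image(events, e["ppid"])
            if parent and parent.lower() == img and RE_USER_APPDATA.search(img):
                hits.append(("self_spawn_from_appdata", pid))
        elif e["id"] == 13:
            if RE_RUN_KEY.search(e["key"]) and RE_USER_APPDATA.search(e["value"]):
                hits.append(("run_key_to_appdata", pid))
        elif e["id"] == 11:
            if RE_STARTUP_LNK.search(e["path"]):
                hits.append(("startup_folder_lnk", pid))
        elif e["id"] == 22:
            if e["query"].lower().endswith(DYNDNS_SUFFIXES):
                hits.append(("dyndns_resolution", pid))
    return hits


def by_pid(hits):
    """Group rule names per PID so the injected child stands out from the loader."""
    grouped = {}
    for rule, pid in hits:
        grouped.setdefault(pid, []).append(rule)
    return {pid: sorted(rules) for pid, rules in grouped.items()}


if __name__ == "__main__":
    for pid, rules in sorted(by_pid(detect(EVENTS)).items()):
        print(pid, ", ".join(rules))
```

Running it groups the loader's evasion and task creation under PIDs 2752, 2688 and 2904, and the persistence plus dynamic-DNS resolution under PID 2976, matching the split the report's process tree shows; the control event for PID 3100 produces no hit. The self-spawn rule needs the parent's process-create event to have been seen, so in a real pipeline feed it the full ordered event stream rather than a filtered slice.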
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not recorded in this extract)
  Filesize: 1KB
  MD5: 43816e829a5bda281146da6aa85769ce
  SHA1: db6127c34f3f99ec82fab8a0fd7fc65d578a1433
  SHA256: 4a2335d7efd502eb2e6e57cea4ae0202fde6f0d54881e968901c195f18b498a7
  SHA512: cd7b7924c3ddc63a22004c80742fcefd3790b867a3966cdd57eb69500c53b1e71c16948eb8f617f8f564790835c0c1a8a1a342df207ba0bf7af8a9a4c7ac306e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 465f3c19b6447c9fa18067fc08842d07
  SHA1: c3105fffc70e763773a1bc4e3b89c66fa5ac44be
  SHA256: baff5e56a933e6a86671b7dde0eb71cac12eff58f7da8b90f69b038a2784015d
  SHA512: d4d609b5293dca5d79433fb5cf550d868e214f8d1dade4c8a2a3fccbb706791f7752d32b5ff8ff495f6c5adf90ae3b70d2801bc4e300c736c3f11fbfaad4ff77
  (A Windows Jump List file written by the shell as programs run; a side effect of execution rather than a dropped payload.)

(path not recorded in this extract)
  Filesize: 619KB
  MD5: 458f7cbc40f24ca3257cb3803f1a817c
  SHA1: 419fdb34bacf7fcc9b955bdbca7e4cf9d03e6877
  SHA256: bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2
  SHA512: 4f4da09b4a42440b0bb8e0e17b313c2b9450456f8ef4469e6f060554ee70fe6f7cef8de30dd72147702e1ec76190276c9d162a2c1492918f600142575f83cff9
  (Identical hashes to the submitted Swift copy.exe.)