Analysis
- max time kernel: 138s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 11:45
- Static task: static1
- Behavioral task: behavioral1 (Sample: Swift copy.exe; Resource: win7-20240508-en)
- Behavioral task: behavioral2 (Sample: Swift copy.exe; Resource: win10v2004-20240508-en)
General
- Target: Swift copy.exe
- Size: 619KB
- MD5: 458f7cbc40f24ca3257cb3803f1a817c
- SHA1: 419fdb34bacf7fcc9b955bdbca7e4cf9d03e6877
- SHA256: bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2
- SHA512: 4f4da09b4a42440b0bb8e0e17b313c2b9450456f8ef4469e6f060554ee70fe6f7cef8de30dd72147702e1ec76190276c9d162a2c1492918f600142575f83cff9
- SSDEEP: 12288:6WET/mr9K+22BEEzFatnd/WeHK4KMSMOV4Tu4Cbpb3W/KuBvnqMUpeNW/:6Wtb3BE/Zq4KJLGT/6bG
Malware Config
Extracted
- Family: xworm
- Version: 3.1
- C2: baldur1.duckdns.org:3360
- 99lkUMNvqj7gQA4z
- Install_directory: %AppData%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (1 IoC)
  resource: behavioral2/memory/3172-46-0x0000000000400000-0x0000000000410000-memory.dmp; yara_rule: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 3612 powershell.exe; pid 5056 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (Swift copy.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift copy.lnk (Swift copy.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Swift copy.lnk (Swift copy.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Swift copy = "C:\\Users\\Admin\\AppData\\Roaming\\Swift copy.exe" (Swift copy.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 776 (Swift copy.exe) set thread context of 3172 (procid_target 101)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3960 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 776 Swift copy.exe (x7); pid 5056 powershell.exe (x2); pid 3612 powershell.exe (x2); pid 3172 Swift copy.exe (x1)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 776 Swift copy.exe
  Token: SeDebugPrivilege, pid 3612 powershell.exe
  Token: SeDebugPrivilege, pid 5056 powershell.exe
  Token: SeDebugPrivilege, pid 3172 Swift copy.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3172 Swift copy.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 776 (Swift copy.exe) wrote to memory of 3612, procid_target 95 (x3)
  PID 776 (Swift copy.exe) wrote to memory of 5056, procid_target 97 (x3)
  PID 776 (Swift copy.exe) wrote to memory of 3960, procid_target 99 (x3)
  PID 776 (Swift copy.exe) wrote to memory of 3172, procid_target 101 (x8)
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
  PID: 776
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    PID: 3612
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AkyTYQmExJ.exe"
    PID: 5056
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AkyTYQmExJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F40.tmp"
    PID: 3960
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    PID: 3172
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: acc5e34225d4420526e61459302ff535
  SHA1: e434e97bafad8c2919122696d6c838255fc4db23
  SHA256: 8924dcd56e6d71cfd3eab67cb31b14f5180e89b52f1b6c90e020b9024eefea7c
  SHA512: 0253830962da672fdafa672671a6309dd2e1fee66892d91d998eca98924c6e80ae3d7098a3eb3f680530d71f7ad0094f9ef5b1d20efbe5366e79c15c0a26e0b1
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 74e8b2ac1b3b857f60de29ae44b5b601
  SHA1: c2625303dbb2af95c008e7c701453fb2577c45ef
  SHA256: fa21890761deae830fb9e37f8c2f33cef9b28be125cf09a11c10102517e66a89
  SHA512: 275965cfaa07a4317f5fd7fd77f6f55528e8ecc43feea2e3d4846824d29d8b845f5d3634f9d1d0f30b4a286bdab2b87d85584afc13096423dc2afe9dbd51fec6
- Filesize: 619KB
  MD5: 458f7cbc40f24ca3257cb3803f1a817c
  SHA1: 419fdb34bacf7fcc9b955bdbca7e4cf9d03e6877
  SHA256: bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2
  SHA512: 4f4da09b4a42440b0bb8e0e17b313c2b9450456f8ef4469e6f060554ee70fe6f7cef8de30dd72147702e1ec76190276c9d162a2c1492918f600142575f83cff9