Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 13:37
Behavioral task: behavioral1
Sample: USD46k Swift_PDF.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: USD46k Swift_PDF.exe
Resource: win10v2004-20240508-en
General
Target: USD46k Swift_PDF.exe
Size: 659KB
MD5: b2c97bdc5cdba659fcc2da66d2f80a8f
SHA1: 812541b4d56efd804b47fdae1630b69433419320
SHA256: 256194e31f5e3cdd00144320e30165ec54d77de265f5d959b22993b4ce124863
SHA512: 013abfed445d1d1868a65a9e632759d3c600c3c334cb001f6dd527557667e1bd3e95b07d4d650c8bb83cf5ebe9f8962c9a8be0b53562c880299f0fa7776f865d
SSDEEP: 12288:AYV6MorX7qzuC3QHO9FQVHPF51jgc1tcpHY+etwlcjM3c0Ib9:fBXu9HGaVHotetwlcuKb9
Malware Config
Signatures

Loads dropped DLL (1 IoC)
pid   Process
2500  setupugc.exe

yara_rule upx (2 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1712-0-0x00000000002C0000-0x0000000000437000-memory.dmp   upx
behavioral1/memory/1712-15-0x00000000002C0000-0x0000000000437000-memory.dmp  upx

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource                                                                     yara_rule
behavioral1/memory/1712-15-0x00000000002C0000-0x0000000000437000-memory.dmp  autoit_exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process               procid_target
PID 1712 set thread context of 2508  1712  USD46k Swift_PDF.exe  28
PID 2508 set thread context of 1112  2508  svchost.exe           20
PID 2508 set thread context of 2500  2508  svchost.exe           29
PID 2500 set thread context of 1112  2500  setupugc.exe          20

Modifies Internet Explorer settings (1 IoC)
description  ioc                                                                                                                         Process
Key created  \Registry\User\S-1-5-21-2297530677-1229052932-2803917579-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  setupugc.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid   Process
2508  svchost.exe (8 occurrences)
2500  setupugc.exe (5 occurrences)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid   Process
1712  USD46k Swift_PDF.exe
2508  svchost.exe
1112  Explorer.EXE (2 occurrences)
2500  setupugc.exe (2 occurrences)

Suspicious use of FindShellTrayWindow (4 IoCs)
pid   Process
1712  USD46k Swift_PDF.exe (2 occurrences)
1112  Explorer.EXE (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
pid   Process
1712  USD46k Swift_PDF.exe (2 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process               procid_target
PID 1712 wrote to memory of 2508   1712  USD46k Swift_PDF.exe  28  (5 occurrences)
PID 1112 wrote to memory of 2500   1112  Explorer.EXE          29  (7 occurrences)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1112
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\USD46k Swift_PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\USD46k Swift_PDF.exe"
    PID: 1712
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\USD46k Swift_PDF.exe"
      PID: 2508
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  C:\Windows\SysWOW64\setupugc.exe
    Command line: "C:\Windows\SysWOW64\setupugc.exe"
    PID: 2500
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads