Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-06-2024 13:43
Static task
static1
Behavioral task
behavioral1
Sample
Swift Copy TT USD14037800.PDF.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Swift Copy TT USD14037800.PDF.exe
Resource
win10v2004-20240508-en
General
-
Target
Swift Copy TT USD14037800.PDF.exe
-
Size
1.1MB
-
MD5
2df6b68d7182275e8ae2f5491b6ffb75
-
SHA1
808470d278270fe91b73338c89ba4e22f5f7db0f
-
SHA256
383d0f4cc036007f1c717e49856a3e0cf8bfe511673c291f568a2930f0993778
-
SHA512
fbfdd017c56d3ae701c1717a82e81e83b2f3ed3fa091a2f6885d8e0c75bf5ca833150c477862ebada80bebf94a7cd10acd0f24c15ac89ffc75fb2c43d5edc295
-
SSDEEP
24576:rAHnh+eWsN3skA4RV1Hom2KXMmHaQHzK8WkU2NHC5:Gh+ZkldoPK8YaQHzK8e2NY
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: name.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
  process: name.exe
-
Executes dropped EXE 1 IoCs
Processes: name.exe
  pid: 3592
  process: name.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource: C:\Users\Admin\AppData\Local\directory\name.exe
  yara_rule: autoit_exe
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid: 1076
  pid_target: 3592
  process: WerFault.exe
  target process: name.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: Swift Copy TT USD14037800.PDF.exe, name.exe
  pid 4528  Swift Copy TT USD14037800.PDF.exe
  pid 4528  Swift Copy TT USD14037800.PDF.exe
  pid 3592  name.exe
  pid 3592  name.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Swift Copy TT USD14037800.PDF.exe, name.exe
  pid 4528  Swift Copy TT USD14037800.PDF.exe
  pid 4528  Swift Copy TT USD14037800.PDF.exe
  pid 3592  name.exe
  pid 3592  name.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: Swift Copy TT USD14037800.PDF.exe, name.exe
  description                        pid   process                             target process
  PID 4528 wrote to memory of 3592   4528  Swift Copy TT USD14037800.PDF.exe   name.exe
  PID 4528 wrote to memory of 3592   4528  Swift Copy TT USD14037800.PDF.exe   name.exe
  PID 4528 wrote to memory of 3592   4528  Swift Copy TT USD14037800.PDF.exe   name.exe
  PID 3592 wrote to memory of 4944   3592  name.exe                            RegSvcs.exe
  PID 3592 wrote to memory of 4944   3592  name.exe                            RegSvcs.exe
  PID 3592 wrote to memory of 4944   3592  name.exe                            RegSvcs.exe
-
Processes
-
(indentation shows parent/child nesting, taken from the report's depth markers 1 to 3)
C:\Users\Admin\AppData\Local\Temp\Swift Copy TT USD14037800.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy TT USD14037800.PDF.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4528
    C:\Users\Admin\AppData\Local\directory\name.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy TT USD14037800.PDF.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID:3592
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy TT USD14037800.PDF.exe"
          PID:4944
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 696
          - Program crash
          PID:1076
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3592 -ip 3592
  PID:1584
Network
MITRE ATT&CK Matrix
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(no Filesize is listed for this entry; all four values are the digests of zero-byte content)
-
Filesize
28KB
MD5
41762d6e8ffdfab7805f532211900736
SHA1
3b6af6ea1706214135986745d937823e88f60291
SHA256
fe716478e2547e5ac3fdfb160ca94aae325fa88b26a5c64293e8526d482dd221
SHA512
3b1cb44a3567dda8a2551001f2fbd04038f7a26ceba4858df20347f4251cf6f5a17588a45664eb8196af779d4ed147be55309b763dde16501e608b8c3031b25e
-
Filesize
1.1MB
MD5
2df6b68d7182275e8ae2f5491b6ffb75
SHA1
808470d278270fe91b73338c89ba4e22f5f7db0f
SHA256
383d0f4cc036007f1c717e49856a3e0cf8bfe511673c291f568a2930f0993778
SHA512
fbfdd017c56d3ae701c1717a82e81e83b2f3ed3fa091a2f6885d8e0c75bf5ca833150c477862ebada80bebf94a7cd10acd0f24c15ac89ffc75fb2c43d5edc295
(same size and digests as the submitted sample in the General section, i.e. a byte-identical copy of Swift Copy TT USD14037800.PDF.exe)
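The report's process tree, WriteProcessMemory rows, startup-file drop and Downloads digests can be turned into hunting rules. The script below is an added example and not sandbox output: its event records are constructed from the tables in this report, and the rule names, the DOTNET_HOSTS set, the AUTOSTART_EXT list and the helper names are this example's own assumptions. It flags the double-extension sample name, the write from the dropped AppData binary into RegSvcs.exe, the .vbs written to the Startup folder, and it confirms that the first Downloads entry carries the digests of zero-byte content.

```python
"""Hunting rules over the events listed in the sandbox report above.

Added example, not part of the sandbox output. PROCESSES, WRITE_PROCESS_MEMORY
and FILES_CREATED are constructed from the report's process tree and signature
tables; the rule names, DOTNET_HOSTS, AUTOSTART_EXT and helper names are this
example's own choices, not a sandbox API.
"""
import hashlib
import re

# Constructed from the report's process tree: pid -> image path.
PROCESSES = {
    4528: r"C:\Users\Admin\AppData\Local\Temp\Swift Copy TT USD14037800.PDF.exe",
    3592: r"C:\Users\Admin\AppData\Local\directory\name.exe",
    4944: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    1076: r"C:\Windows\SysWOW64\WerFault.exe",
}
# Constructed from "Suspicious use of WriteProcessMemory": (writer pid, target pid).
WRITE_PROCESS_MEMORY = [(4528, 3592)] * 3 + [(3592, 4944)] * 3
# Constructed from "Drops startup file": (pid, path created).
FILES_CREATED = [
    (3592, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\name.vbs"),
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# A document-looking name that is really an executable, e.g. "x.PDF.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.IGNORECASE)
# Signed .NET Framework utilities that are frequently the target of process
# injection in sandbox reports (assumed list for this example).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Extensions that execute when placed in the Startup folder (assumed list).
AUTOSTART_EXT = (".vbs", ".js", ".wsf", ".exe", ".lnk", ".bat", ".cmd", ".ps1")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def find_indicators(processes, wpm_events, files_created):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    findings = []
    for pid, path in processes.items():
        if DOUBLE_EXT.search(basename(path)):
            findings.append(("double-extension executable", pid, basename(path)))
    # The sandbox lists one row per write; judge each (writer, target) pair once.
    for writer, target in sorted(set(wpm_events)):
        src, dst = processes[writer], processes[target]
        if USER_WRITABLE.match(src) and basename(dst).lower() in DOTNET_HOSTS:
            findings.append(("user-writable binary writes into .NET host process",
                             writer, f"{basename(src)} -> {basename(dst)} (pid {target})"))
    for pid, path in files_created:
        if STARTUP_DIR.search(path) and path.lower().endswith(AUTOSTART_EXT):
            findings.append(("startup-folder persistence", pid, basename(path)))
    return findings


def is_empty_content(md5_hex: str, sha1_hex: str, sha256_hex: str) -> bool:
    """True when all three digests are those of zero bytes, which is what a
    Downloads entry without a Filesize (a file created but never written) shows."""
    return (md5_hex.lower() == hashlib.md5(b"").hexdigest()
            and sha1_hex.lower() == hashlib.sha1(b"").hexdigest()
            and sha256_hex.lower() == hashlib.sha256(b"").hexdigest())


if __name__ == "__main__":
    for rule, pid, detail in find_indicators(PROCESSES, WRITE_PROCESS_MEMORY, FILES_CREATED):
        print(f"[{rule}] pid {pid}: {detail}")
    print("first Downloads entry is zero-byte content:",
          is_empty_content("d41d8cd98f00b204e9800998ecf8427e",
                           "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                           "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
```

The three 4528-to-3592 writes are not flagged on their own: a parent writing into a child it has just created is what every process launch looks like in this telemetry, so the rule keys on where the writer lives and what the target is (a binary under AppData writing into a Microsoft-signed .NET host) rather than on the write itself.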