Analysis
- max time kernel: 136s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-10-2024 14:18
Static task: static1
Behavioral task: behavioral1
- Sample: SwiftDetail103.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: SwiftDetail103.exe
- Resource: win10v2004-20241007-en
General
- Target: SwiftDetail103.exe
- Size: 1.2MB
- MD5: f88a322c14893a6cbce0ed1bc6540eae
- SHA1: 367bccd84a786d4a373a36a3741159c77723b25b
- SHA256: 8d3f2503bf26b36de8de3ebaef4f3bcbea79c43c56ec4827d7944acdb8eec11c
- SHA512: 07c6c7f66cfe0e266e9f50b32b22c490738d060d5ac537aeae5ccdd69c87b02fd1d1b653c8dcaedbca4aa8472550a51310d7e574277531028d1ff62355c12878
- SSDEEP: 24576:ffmMv6Ckr7Mny5QLWBv9U8rPu7I64VPcIzh:f3v+7/5QLWBlUqWIBPh
Malware Config
Signatures
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/3156-2-0x0000000004180000-0x0000000004380000-memory.dmp  autoit_exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1640  3156        WerFault.exe  SwiftDetail103.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SwiftDetail103.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    3156  SwiftDetail103.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    3156  SwiftDetail103.exe
    3156  SwiftDetail103.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid   process
    3156  SwiftDetail103.exe
    3156  SwiftDetail103.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process             target process
    PID 3156 wrote to memory of 2984  3156  SwiftDetail103.exe  RegSvcs.exe
    PID 3156 wrote to memory of 2984  3156  SwiftDetail103.exe  RegSvcs.exe
    PID 3156 wrote to memory of 2984  3156  SwiftDetail103.exe  RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SwiftDetail103.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SwiftDetail103.exe"
  PID: 3156
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SwiftDetail103.exe"
    PID: 2984
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 764
    PID: 1640
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3156 -ip 3156
  PID: 4108