Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 14:26
Static task: static1
Behavioral task: behavioral1
Sample: SWIFTCOPY202973783.vbe
Resource: win7-20240903-en
General
Target: SWIFTCOPY202973783.vbe
Size: 10KB
MD5: 254471760724bb645f41689c3bdc6dac
SHA1: ceda7f23ac91b4af194c758b3c6e5b9100766da4
SHA256: ef670fb4793463bc81ae7f07fc809bab0962fec614a3fef3bc779a4a382c2eae
SHA512: f18fad6ae29adb4fca5b4b1a3d525062f955bc94ec89d4d913e6b0d802838ed428ecfdc42c18ae8950814889d0636bb47598236163e2a138dea8062431a04867
SSDEEP: 192:7QiwcCrwQiaIf536yhD1uFyQ3NvR13N1QZd9N0FK:2c+wQhQ53ZD8Fj3tRVN1M/NF
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   Process
  2     1960  WScript.exe
Drops file in System32 directory (7 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe (the same entry is recorded 7 times, once per powershell.exe instance)
  Note: the path contains an unexpanded %ProgramData% token resolved relative to System32. Modification of this Start Menu shortcut is commonly seen whenever powershell.exe starts on this image and is not evidence of a payload being dropped.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  description: HTTP User-Agent header
  flow: 2
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
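The user-agent above is the default string sent by the WinHttp.WinHttpRequest.5.1 COM object that VBScript and JScript running under WScript use for HTTP. The following is an added example, not part of this report or of the sandbox's own detection logic: it scans proxy log lines for script-host user agents. Only the WinHttp pattern is taken from the report; the log format, the log lines and the other user-agent patterns are constructed for illustration.

```python
"""Flag HTTP requests whose User-Agent belongs to a script host rather than a browser.

Added example (not part of the sandbox report). The WinHttp.WinHttpRequest.5 string is
the one observed in the report; the remaining patterns, the log format and the log lines
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# (compiled pattern, label). Patterns are applied to the full User-Agent string.
SCRIPT_HOST_UAS = [
    # Default UA of the WinHttp.WinHttpRequest.5.1 COM object (VBScript/JScript under
    # WScript, Office macros). Exact string from the report; the ".1" suffix is optional.
    (re.compile(r"^Mozilla/4\.0 \(compatible; Win32; WinHttp\.WinHttpRequest\.5(\.\d+)?\)$"),
     "winhttprequest"),
    # Assumed defaults for other script-driven clients (general knowledge, not from the report).
    (re.compile(r"WindowsPowerShell/"), "powershell"),   # Invoke-WebRequest / Invoke-RestMethod
    (re.compile(r"^python-requests/"), "python-requests"),
    (re.compile(r"^curl/"), "curl"),
]

# Constructed Squid-style access.log with the User-Agent appended as a quoted last field:
# <ts> <elapsed> <client> <result> <bytes> <method> <url> <user> <hier> <type> "<ua>"
# This layout is hypothetical; adapt LINE_RE to the proxy you actually run.
SAMPLE_LOG = """\
1731335160.101 312 10.0.0.23 TCP_MISS/200 1288 GET http://example.invalid/x.txt - HIER_DIRECT/203.0.113.10 text/plain "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
1731335161.442 55 10.0.0.23 TCP_MISS/200 52120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0 Safari/537.36"
1731335163.007 980 10.0.0.41 TCP_MISS/200 7712 GET http://example.invalid/stage2.ps1 - HIER_DIRECT/203.0.113.10 text/plain "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<client>\S+) \S+ \S+ (?P<method>\S+) (?P<url>\S+) .*"(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    client: str
    url: str
    ua: str
    label: str


def classify_ua(ua: str) -> Optional[str]:
    """Return the script-host label for a UA string, or None for anything else."""
    for pattern, label in SCRIPT_HOST_UAS:
        if pattern.search(ua):
            return label
    return None


def scan(log_text: str) -> list:
    """Parse each log line and keep those whose UA is a known script host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip rather than guess
        label = classify_ua(m["ua"])
        if label:
            hits.append(Hit(m["client"], m["url"], m["ua"], label))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.client} -> {h.url}  [{h.label}] {h.ua}")
```

Matching on the exact default string is deliberate: a script that sets its own `User-Agent` header will not be caught, so treat a hit as a cheap high-confidence indicator rather than as coverage.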
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   Process
  2656  vlc.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid   Process         entries
  2596  powershell.exe  2
  1732  powershell.exe  2
  1144  powershell.exe  2
  2932  powershell.exe  2
  1084  powershell.exe  2
  1032  powershell.exe  2
  1796  powershell.exe  1
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   Process
  2656  vlc.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  2596  powershell.exe
  Token: SeDebugPrivilege  1732  powershell.exe
  Token: SeDebugPrivilege  1144  powershell.exe
  Token: SeDebugPrivilege  2932  powershell.exe
  Token: SeDebugPrivilege  1084  powershell.exe
  Token: SeDebugPrivilege  1032  powershell.exe
  Token: SeDebugPrivilege  1796  powershell.exe
Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
  pid   Process  entries
  2656  vlc.exe  8
Suspicious use of SendNotifyMessage (7 IoCs)
Processes:
  pid   Process  entries
  2656  vlc.exe  7
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   Process
  2656  vlc.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes: taskeng.exe, WScript.exe, powershell.exe (6 instances)
  Each parent -> child edge below is recorded 3 times (14 distinct edges, 42 entries).
  pid   Process         wrote to memory of  procid_target
  2764  taskeng.exe     2964                32
  2964  WScript.exe     2596                34
  2596  powershell.exe  2692                36
  2964  WScript.exe     1732                37
  1732  powershell.exe  1912                39
  2964  WScript.exe     1144                40
  1144  powershell.exe  2892                42
  2964  WScript.exe     2932                43
  2932  powershell.exe  1504                45
  2964  WScript.exe     1084                46
  1084  powershell.exe  900                 48
  2964  WScript.exe     1032                49
  1032  powershell.exe  2396                51
  2964  WScript.exe     1796                52
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
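The process tree in this report shows the result of such a task: taskeng.exe launching WScript.exe on a .vbs dropped under AppData\Roaming. The following is an added example, not part of this report or of the sandbox: it hunts exported Task Scheduler definitions (the XML produced by `schtasks /query /xml` or by the COM API's IRegisteredTask.Xml property) for actions that run a script host on a file in a user-writable location. The task names, triggers and the two comparison tasks are constructed; only the WScript.exe + AppData\Roaming\*.vbs shape comes from the report.

```python
"""Hunt exported Task Scheduler definitions for script-host persistence.

Added example, not part of the sandbox report or of any tool it mentions. It parses the
Task Scheduler XML (schtasks /query /xml, or IRegisteredTask.Xml from the COM API) and
flags tasks whose action launches a script host on a file in a user-writable location,
the shape of the taskeng.exe -> WScript.exe -> AppData\\Roaming\\*.vbs chain in the
report. Task names, triggers and the comparison tasks below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries that execute attacker-supplied script or command text.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a standard user can write to; a task action pointing there deserves a look.
USER_WRITABLE = re.compile(
    r"\\AppData\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)


@dataclass
class Finding:
    task: str
    author: str
    triggers: list
    command: str
    arguments: str
    reasons: list = field(default_factory=list)


def analyze_task(name: str, task_xml: str) -> Optional[Finding]:
    """Return a Finding when at least two independent indicators line up, else None."""
    root = ET.fromstring(task_xml)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    # Trigger element names (LogonTrigger, BootTrigger, CalendarTrigger, ...) for context.
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    for exec_ in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = []
        if cmd.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            reasons.append("action runs a script host")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("command or argument points into a user-writable directory")
        if SCRIPT_EXT.search(args):
            reasons.append("argument is a script file")
        if len(reasons) >= 2:  # a single indicator (e.g. cmd.exe alone) is too noisy
            return Finding(name, author, triggers, cmd, args, reasons)
    return None


def hunt(tasks: dict) -> list:
    """Run analyze_task over {task name: task XML} and keep the findings."""
    return [f for f in (analyze_task(n, x) for n, x in tasks.items()) if f is not None]


# Constructed task definitions. The first mirrors the report's process tree (the task
# name is hypothetical); the other two are benign comparisons.
SAMPLE_TASKS = {
    r"\LPFpWIHXbpdnRBc": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>VORHPBAB\\Admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WScript.exe</Command>
      <Arguments>"C:\\Users\\Admin\\AppData\\Roaming\\LPFpWIHXbpdnRBc.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>""",
    r"\Contoso\NightlyBackup": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\cmd.exe</Command><Arguments>/c "C:\\Program Files\\Contoso\\backup.exe" --nightly</Arguments></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f"{f.task} (author={f.author or '?'}, triggers={','.join(f.triggers)})")
        print(f"  {f.command} {f.arguments}")
        for r in f.reasons:
            print(f"  - {r}")
```

The two-indicator threshold is the design choice worth keeping: cmd.exe or powershell.exe actions are common in legitimate tasks, and a script file in Program Files is not unusual, but a script host pointed at a user-writable directory is the combination an unprivileged dropper has to use.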
Processes (indentation shows parent/child depth)

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFTCOPY202973783.vbe"
  PID: 1960
  - Blocklisted process makes network request

C:\Windows\system32\taskeng.exe
  taskeng.exe {0A6A1468-CA22-402D-A2E8-4983C2566402} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  PID: 2764
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\LPFpWIHXbpdnRBc.vbs"
      PID: 2964
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 2596
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "2596" "1240"
              PID: 2692

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 1732
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "1732" "1244"
              PID: 1912

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 1144
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "1144" "1244"
              PID: 2892

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 2932
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "2932" "1236"
              PID: 1504

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 1084
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "1084" "1240"
              PID: 900

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 1032
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "1032" "1240"
              PID: 2396

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          PID: 1796
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchRestart.wmv"
  PID: 2656
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
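The tree above is the chain a detection engineer wants to catch from endpoint telemetry: a script host run on an encoded .vbe from Temp, a scheduled-task host (taskeng.exe on Windows 7) starting WScript.exe on a .vbs under AppData\Roaming, and that script host spawning six PowerShell instances. The following is an added example, not part of this report or of the sandbox's own signatures: it replays constructed process-creation events built from the PIDs, images and command lines listed above and flags those links. The event field names are this example's own (Sysmon Event ID 1-like, not Sysmon's exact schema), and the parent PIDs of the three top-level processes are assumed because the report does not record them.

```python
"""Flag the launch chain from the report in process-creation telemetry.

Added example, not part of the sandbox report. EVENTS is constructed from the PIDs,
images and command lines in the report's process tree in a Sysmon Event ID 1-like shape;
the field names are this example's own, and the parent PIDs 1000 and 800 of the
top-level processes are assumptions (the report does not record them).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(1960, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFTCOPY202973783.vbe"'),
    ProcEvent(2764, 800, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {0A6A1468-CA22-402D-A2E8-4983C2566402} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]"),
    ProcEvent(2964, 2764, r"C:\Windows\System32\WScript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\LPFpWIHXbpdnRBc.vbs"'),
    ProcEvent(2596, 2964, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(2692, 2596, r"C:\Windows\system32\wermgr.exe",
              r'"C:\Windows\system32\wermgr.exe" "-outproc" "2596" "1240"'),
    ProcEvent(1732, 2964, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(2656, 1000, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchRestart.wmv"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# taskeng.exe hosts scheduled tasks on Windows 7; on later versions the Schedule service's svchost.exe does.
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}
# .vbe/.jse are Windows Script Encoder output; an encoded script launched from Temp is rarely legitimate.
ENCODED_SCRIPT_IN_TEMP = re.compile(r'\\Temp\\[^"]*\.(vbe|jse)\b', re.IGNORECASE)
SCRIPT_IN_PROFILE = re.compile(r'\\AppData\\(Roaming|Local)\\[^"]*\.(vbs|vbe|js|jse|wsf)\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return one alert string per suspicious parent/child link, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        # Rule 0 (no parent needed): script host executing an encoded script out of Temp.
        if img in SCRIPT_HOSTS and ENCODED_SCRIPT_IN_TEMP.search(e.cmdline):
            alerts.append(f"[encoded-script] {img}({e.pid}) ran an encoded script from Temp: {e.cmdline}")
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the window of events we have; only parentless rules apply
        pimg = basename(parent.image)
        # Rule 1: scheduled task -> script host -> script in the user profile (logon/boot persistence).
        if pimg in TASK_HOSTS and img in SCRIPT_HOSTS and SCRIPT_IN_PROFILE.search(e.cmdline):
            alerts.append(f"[task-persistence] {pimg}({parent.pid}) -> {img}({e.pid}): {e.cmdline}")
        # Rule 2: script host spawning PowerShell (second-stage loader).
        if pimg in SCRIPT_HOSTS and img == "powershell.exe":
            alerts.append(f"[script->powershell] {pimg}({parent.pid}) -> {img}({e.pid})")
        # Context only: wermgr.exe -outproc <ppid> is the Windows Error Reporting out-of-process
        # helper, commonly an unhandled error in the parent rather than a further payload stage.
        if img == "wermgr.exe" and pimg == "powershell.exe" and f'"-outproc" "{parent.pid}"' in e.cmdline:
            alerts.append(f"[context] powershell.exe({parent.pid}) started WER helper wermgr.exe({e.pid})")
    return alerts


def chain(events: list, pid: int) -> list:
    """Ancestry of `pid` as image basenames, root first, using only the events we have."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out[::-1]


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
    print(" -> ".join(chain(EVENTS, 2692)))
```

Rule 1 deliberately keys on the task host rather than on WScript.exe alone, because WScript.exe under explorer.exe is how a user double-clicks a script; the same script under taskeng.exe or the Schedule service's svchost.exe means something registered a task to run it.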
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not recorded)
  Filesize: 1KB
  MD5: b13bfb6f5bc4d46b6ac7b6f365c523f1
  SHA1: c68c153e5639873edeafe4ecf1aa64e238c7a1cb
  SHA256: 770f78f437d2d6a8c43aef9ce396e5cf8db7252c9ea7af94511640ac41fc37b4
  SHA512: eb72acf78c8bc6a4c6a7c6c7e83bbcda6de61b42b4f01fc732e2730503a49b4ed51ef28762cc9924874cf795c6c00254d74005832b08d53918091bbabcabff14

(path not recorded)
  Filesize: 1KB
  MD5: 939ca7083f6dfc4aec857d503ad6b6ca
  SHA1: dcd2fc454b9ec157bd6f73f37d509c98ecced116
  SHA256: 8fe8bb06de3468537474671ec96207b230206107631413787654bae51234e3a8
  SHA512: 0521cd8737244d7b7c7f701912752c09c979bc46addbc7471306d9d54b45a9f18ef34b8f6bdeab17a2b146555beea6b0583c53e8015e85a7c3131916b2e0daa2

(path not recorded)
  Filesize: 1KB
  MD5: 20e0b057f00973e29d2a8047a0279a72
  SHA1: 9e48e662c6fc348ae00d6454fc3ba6ef22c2c59b
  SHA256: cfdc55c226754a8a8cfcc7391989a8fae56407f1ac844dda2aac1c2990f3eca8
  SHA512: 1f639efa1bef576e70dc295ca57513cfabd298c003448aa5be60147c709c015f8774d2c350621a680b512b6dc2e2adcf74475a87d9869f1337b575384b446792

(path not recorded)
  Filesize: 1KB
  MD5: c2f3b99cf531911fab9b4b458fed9adb
  SHA1: 1912ba176308034e8238ae3b8797674c733d568a
  SHA256: fa1e9b101c52df86fe71ba5cfbb4ab8bb4c825e3fe082633a29bcba52df8e767
  SHA512: 2bb85516ef01fdfc1e20972f09851f36f7ca61fb3be821c393ed9bc860e1e786197c6c251df39b51d64115dd44bad03588dc48e531baa269fbc438c2f5c68a16

(path not recorded)
  Filesize: 1KB
  MD5: 639a739d1691da27c72b302818583ff4
  SHA1: 3d37492f2b70d944031786ff89ae3cc34fb4603e
  SHA256: 1769120b4cc8d667b435128b631642621250396ffcfe99b34f663f858e9080ee
  SHA512: b9e784bd5d2358c2b70e33770f7f8461f5121ff909c8157291f0fa413f01d6ff477c780ceb8cfbcc18bfcac2d46fb64c7240f52fa213e13a8391cf8d5705ebba

(path not recorded)
  Filesize: 1KB
  MD5: d44b9d8322a05081ecdbe0c4d6cce5e4
  SHA1: 478a11deb7898f2f5613a0669b06f12c0fd9c8ca
  SHA256: 0c8c9332b48f918f976652420440b0cbdacc06a3067adc03ac53365bf0e047a7
  SHA512: 2cdede9b6c5552ff14c279fcc9576b3e193b27e693b546276e27b7498a0d0c64c159e9ab42b2b6b7fc86e3f789ed48564d6c0e76783889fdb4341f00b8ec2231

(path not recorded)
  Filesize: 1KB
  MD5: 5b12725548e7be334795090aab4c663a
  SHA1: 3f3cfaba2d7d57817d08f73b6693c7ed7c632932
  SHA256: 7ea2c1cdb0947698fcc82e9c7624c63a92d73671dd48d368a35c968a77a6cfac
  SHA512: 14ea70502134fd28f709071da5d9a1adf4fe7fc08fea5afdc22092374043219eb5bae6a8506000efbcf231bc05162ab34d2fc95015156ac3fbc84da35ab8b928

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2573791824e3676331910ef358d5b1ed
  SHA1: 29a641bee4d06b9d21bc5bf03e467c1bbf49be03
  SHA256: b23e743af61aa90365772b3a617f4bbe1ad387747d45821683eb69c937b00b4e
  SHA512: 6161f6ecf3e84e3192be0fb3835e59da3bdddbdc910ae8c9777eee5d8392409e0157c49c094a4b46e58c9ca44bbe3e58e771a74cabe232bfa9380f80f9f6d618

(path and filesize not recorded; the four digests below are those of the empty input, i.e. a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e