Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 16:48

Static task: static1
Behavioral task behavioral1: sample Swift Copy.exe, resource win7-20241023-en
Behavioral task behavioral2: sample Swift Copy.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample Overkeenly.ps1, resource win7-20240903-en
Behavioral task behavioral4: sample Overkeenly.ps1, resource win10v2004-20241007-en
General
Target: Swift Copy.exe
Size: 979KB
MD5: 411ad554068219f2ed0ce5e74f02d542
SHA1: 917cc7780771e518c544338e24204471c54ec5fa
SHA256: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6
SHA512: 6dbd1cffd8e580bb8737e00e6c85a63d8092edb2db2028d671241fc1223e58d254a13adfe1ee05574a98be8ec471566bba7d73e2d73d30ba1805d35615c3e090
SSDEEP: 24576:i/Vwqfj3y6EQ4Dsv+G/9nRn0fyVPiDrNEtEBkvUEZmWwH+EP0R/tF25taZScLvci:0Vwqfj3y6EQ4Dsv+G/910fyVPiDrNEt1
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell with the display window hidden (-windowstyle hidden).

Drops file in System32 directory (1 IoC)
Process: Swift Copy.exe
File opened for modification: C:\Windows\SysWOW64\nonpurchasable.ini

Drops file in Windows directory (2 IoCs)
Process: Swift Copy.exe
File opened for modification: C:\Windows\resources\Bondefangeren\hofdamer.for
File opened for modification: C:\Windows\resources\0409\filbetegnelsernes\ophovnede.fer

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes: Swift Copy.exe, powershell.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Swift Copy.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: powershell.exe (PID 2508)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: powershell.exe (PID 2508), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (4 IoCs)
Process: Swift Copy.exe (PID 1548) wrote to memory of PID 2508 (powershell.exe), procid_target 30; the same event is recorded four times.
Note for triage: the only writer is the parent and the only target is the child it spawned. Windows' own CreateProcess path writes the new process's startup parameters into the child, so this pattern is consistent with ordinary process creation rather than injection into an unrelated process; on its own the signature is weak evidence.
Processes

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (PID 1548)
Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2508, child of PID 1548)
  Command line: powershell.exe -windowstyle hidden "$Markgreven=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\bruised\calypsoerne\drikkelaget\Overkeenly.Aut';$Fortykkelsernes=$Markgreven.SubString(3059,3);.$Fortykkelsernes($Markgreven)"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Reading the PowerShell one-liner: it loads the dropped staging file Overkeenly.Aut as a single string (Get-Content -raw), takes the three characters at zero-based offset 3059 as a command name, and invokes that command with the call operator, passing the entire file content as the argument. The three-character token itself is not shown in the report, so the command that is ultimately run has to be recovered from the dropped file. The SysWOW64 PowerShell host, together with the parent's write to C:\Windows\SysWOW64, is consistent with a 32-bit parent running under WOW64.
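The loader one-liner above has a static-triage shortcut: the staging-file path and the SubString offset are enough to recover the hidden command name without executing the script. The Python below is an added example, not part of the sandbox report, that parses that command line and slices the token out of the file content the same way PowerShell's String.SubString would. The real Overkeenly.Aut is not on the page, so the payload here is a constructed stand-in, and the token "iex" placed at offset 3059 is an assumption about what the real file holds.

```python
import re

# Command line of PID 2508 as recorded in the process tree above (copied from the report).
LOADER_CMDLINE = r'''powershell.exe -windowstyle hidden "$Markgreven=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\bruised\calypsoerne\drikkelaget\Overkeenly.Aut';$Fortykkelsernes=$Markgreven.SubString(3059,3);.$Fortykkelsernes($Markgreven)"'''

# Constructed stand-in for Overkeenly.Aut (the real file is not on the page):
# 3059 filler characters followed by a three-character token. "iex" is an assumption.
SAMPLE_PAYLOAD = "#" * 3059 + "iex" + " # remainder of the staged script would follow"

GET_CONTENT_RE = re.compile(r"Get-Content\s+-raw\s+'([^']+)'", re.IGNORECASE)
SUBSTRING_RE = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -WindowStyle, so match -w... hidden.
HIDDEN_RE = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.IGNORECASE)


def parse_loader(cmdline):
    """Pull the staging-file path and the (offset, length) pair out of the one-liner.

    Returns None when the command line does not follow the Get-Content / SubString pattern.
    """
    m_path = GET_CONTENT_RE.search(cmdline)
    m_sub = SUBSTRING_RE.search(cmdline)
    if not m_path or not m_sub:
        return None
    return {
        "path": m_path.group(1),
        "offset": int(m_sub.group(1)),
        "length": int(m_sub.group(2)),
        "hidden_window": HIDDEN_RE.search(cmdline) is not None,
    }


def recover_command(payload_text, offset, length):
    """Return the token the loader would invoke, without invoking anything.

    String.SubString(start, length) is zero-based and counts characters of the decoded
    string, so slice decoded text (not raw bytes). PowerShell throws when the range is
    out of bounds, so refuse here as well rather than silently truncating.
    """
    if offset < 0 or length < 0 or offset + length > len(payload_text):
        raise ValueError("SubString(%d,%d) is out of range for a %d-character payload"
                         % (offset, length, len(payload_text)))
    return payload_text[offset:offset + length]


def triage(cmdline, payload_text):
    """Parse the command line, then recover the command name from the dropped file."""
    info = parse_loader(cmdline)
    if info is None:
        return None
    info["command"] = recover_command(payload_text, info["offset"], info["length"])
    return info


if __name__ == "__main__":
    print(triage(LOADER_CMDLINE, SAMPLE_PAYLOAD))
```

When running this against a real dropped file, decode it before slicing: Get-Content -Raw returns one decoded string in which a CRLF counts as two characters, and Windows PowerShell 5.1 picks the encoding from a BOM (falling back to the system ANSI code page), so a byte-offset slice of a non-ASCII file can land on the wrong characters.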
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39B
MD5: e3b7ad34c9d96ee6bb33a7ea9652861f
SHA1: 31414d72fe513f0df1a7348dcd94d183b2168e34
SHA256: e4c8aea2ff455ae1d449cfd6105f5fb00b40ee33e96ef3b900a6f12cf7f33b15
SHA512: 56664fd237e1a885c9631df14d72f0ac35d1b2ee891095fe1c12774fea3849d699122af314cc346b5854e07521b9b3df87d5d35b58949bd7656778b82550547a