Analysis
max time kernel: 119s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 20:07
Static task: static1
General
Target: Swift Copy.exe
Size: 766KB
MD5: 8f5b567178dc84b182b9bef20d1ba3fd
SHA1: c9e63301ec2c68f8d1a087678d6947eb0f94ff71
SHA256: 421f027f55c2899348146d6ef602fb6aaa2376c2479406a720f21f5af672d4ae
SHA512: 2295886a0d77655ed8c897668a7d148003a53a32885277e92fd4261b90f2465b358f1f150335c8a70ac5fc2ec5f8a5fc0a8c5e6b1324eab2f94a44dfff06c0cb
SSDEEP: 12288:lCMKhM39TXsTAiN81mLdCc6VbSogpA7beNEyDBcmpb7I1i5pSTTXnVluolN3l1:oMaci4OARRgeHeHBZ98i5CVlugN3
Malware Config
Extracted
formbook
4.1
ct27
Signatures

Formbook family

Formbook payload (3 IoCs)
resource | yara_rule
behavioral1/memory/4368-11-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/4368-20-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/752-72-0x00000000006B0000-0x00000000006DF000-memory.dmp | formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4360 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Swift Copy.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3160 set thread context of 4368 | 3160 | Swift Copy.exe | 99
PID 4368 set thread context of 3396 | 4368 | Swift Copy.exe | 56
PID 752 set thread context of 3396 | 752 | WWAHost.exe | 56

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WWAHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Swift Copy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | Process | occurrences
3160 | Swift Copy.exe | 2
4368 | Swift Copy.exe | 4
4360 | powershell.exe | 2
752 | WWAHost.exe | 36

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process | occurrences
4368 | Swift Copy.exe | 3
752 | WWAHost.exe | 2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3160 | Swift Copy.exe
Token: SeDebugPrivilege | 4368 | Swift Copy.exe
Token: SeDebugPrivilege | 4360 | powershell.exe
Token: SeDebugPrivilege | 752 | WWAHost.exe
Token: SeShutdownPrivilege | 3396 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target | occurrences
PID 3160 wrote to memory of 4360 | 3160 | Swift Copy.exe | 96 | 3
PID 3160 wrote to memory of 1672 | 3160 | Swift Copy.exe | 98 | 3
PID 3160 wrote to memory of 4368 | 3160 | Swift Copy.exe | 99 | 6
PID 3396 wrote to memory of 752 | 3396 | Explorer.EXE | 100 | 3
PID 752 wrote to memory of 1656 | 752 | WWAHost.exe | 101 | 3
Processes

C:\Windows\Explorer.EXE (PID 3396)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (PID 3160)
    command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4360)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (PID 1672)
      command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"

    C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (PID 4368)
      command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WWAHost.exe (PID 752)
    command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1656)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82