Analysis Report Bank Swift.exe

Overview

General Information

Sample Name: Bank Swift.exe
Analysis ID: 326331
MD5: 2ace5c4532c77c014a02cc027d725d83
SHA1: c5d7fd7b905ec976af21fb78f7fbbb516767da2f
SHA256: 53ae2502a9fed69821959a54927023f131c6e62ebc46119d86e2eaad60356827
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for sample
PE file has a writeable .text section
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Enables debug privileges
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Stores large binary data to the registry
Tries to load missing DLLs

Classification

AV Detection:

Machine Learning detection for sample
Source: Bank Swift.exe Joe Sandbox ML: detected
Source: unknown DNS traffic detected: queries for: g.msn.com
Note: the g.msn.com lookup has no recorded source process and no contacted IP (see Contacted Domains below). It is a Microsoft domain routinely queried by Windows components and cannot be attributed to the sample from this report.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Bank Swift.exe, 00000000.00000002.326572025.000000000074A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the only evidence is a memory string naming DDRAW.DLL/DirectDrawCreateEx, which is DirectDraw (graphics), not DirectInput (input devices). No DirectInput object creation was observed, so treat this keylogging signature as weak until unpacked code shows otherwise.

System Summary:

PE file has a writeable .text section
Source: Bank Swift.exe Static PE information: Section: .text IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 216
Note: WerFault.exe is Windows Error Reporting, started here for the crashed sample process (-p 4696; the sample is its parent in the behavior graph). Because the sample crashed, most of the dynamic evidence in this report was produced by WerFault.exe rather than by Bank Swift.exe; each Source line names the process that produced it, and that is the first thing to check before reading a signature as sample behaviour.
PE file contains strange resources
Source: Bank Swift.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: Bank Swift.exe Static PE information: No import functions for PE file found
Note: a code section that is writable together with an empty import table is the usual shape of a packed or encrypted executable: the code is rewritten in place at runtime and the APIs it needs are resolved dynamically, so static imports and strings say little about the payload. The real indicators would be in the sample's memory after unpacking, which this run did not reach because the process crashed.
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Note: all three missing-DLL loads belong to WerFault.exe; none come from the sample.
Source: classification engine Classification label: mal48.winEXE@2/4@2/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4696
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4998.tmp
Source: C:\Users\user\Desktop\Bank Swift.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies key; read at process start by any process, not sample-specific)
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\Bank Swift.exe 'C:\Users\user\Desktop\Bank Swift.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 216
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.247353415.0000000000806000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.247395897.000000000080C000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.247395897.000000000080C000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.247388259.0000000000800000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.247353415.0000000000806000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.248441590.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.248441590.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.247388259.0000000000800000.00000004.00000001.sdmp
Note: the .pdb names above are standard Windows symbol file names found in WerFault.exe's memory; they are not debug paths from the sample.
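The two static findings above (a writable .text section and no import table) can be reproduced without the sandbox. The following is an added example written for this page, not Joe Sandbox code: it parses the PE headers with the Python standard library only and reports in the wording the report uses. SAMPLE_LIKE and BENIGN_LIKE are constructed header-only PE32 images that carry the reported section flags; they are not bytes from Bank Swift.exe, and the build_pe() helper exists only to make the example run offline.

```python
"""Static triage for a writable code section and an empty import directory.
Added example, not Joe Sandbox code; standard library only."""
import hashlib
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_pe(data):
    """Return ([(section_name, characteristics)], import_rva, import_size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = _u16(data, opt)
    if magic == 0x10B:                       # PE32: data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = _u32(data, dirs - 4)          # NumberOfRvaAndSizes
    imp_rva = imp_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
        imp_rva, imp_size = _u32(data, entry), _u32(data, entry + 4)
    sections = []
    table = opt + opt_size                   # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, _u32(data, hdr + 36)))   # Characteristics
    return sections, imp_rva, imp_size


def triage(data):
    """Findings in the wording of the report: writable code, no imports."""
    sections, imp_rva, imp_size = parse_pe(data)
    findings = []
    for name, flags in sections:
        is_code = flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if is_code and flags & IMAGE_SCN_MEM_WRITE:
            findings.append("PE file has a writeable %s section" % name)
    if imp_rva == 0 or imp_size == 0:
        findings.append("PE file does not import any functions")
    return findings


def hashes(data):
    """Same three digests the report header lists."""
    return {h: getattr(hashlib, h)(data).hexdigest() for h in ("md5", "sha1", "sha256")}


def build_pe(text_flags, with_imports):
    """Constructed minimal PE32 (headers only, no code) so the example runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                 # 96 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2000, 0x28)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<I", sec, 36, text_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)


# Constructed inputs. SAMPLE_LIKE uses the flags the report lists for Bank Swift.exe
# (WRITE | CODE | READ, no imports); BENIGN_LIKE is a conventional layout.
SAMPLE_LIKE = build_pe(IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ, False)
BENIGN_LIKE = build_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, True)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LIKE
    print(hashes(blob))
    for finding in triage(blob):
        print(finding)
```

Run it against a real file with `python triage.py <path>`; without an argument it checks the constructed SAMPLE_LIKE image. A packed file will usually also show a tiny import table (LoadLibrary/GetProcAddress only) rather than none at all, so a stricter rule counts import descriptors instead of just testing the directory size.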

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Note: the value is written by WerFault.exe under the Windows account-token key (IdentityCRL), not by the sample. It is not evidence of the sample storing a payload or configuration in the registry.
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 occurrences)

Malware Analysis System Evasion:

Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Source: WerFault.exe, 00000003.00000002.325471501.0000000004B00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000003.255617815.0000000000813000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.325471501.0000000004B00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.325471501.0000000004B00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000003.323211758.00000000007DA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW)1
Source: WerFault.exe, 00000003.00000003.254391786.0000000000813000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000003.00000002.325471501.0000000004B00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation
Note: every item in this section was produced by WerFault.exe. Opening PhysicalDrive0 and holding Hyper-V strings in memory (they read as Windows error-message text, not sample strings) is ordinary error-reporting behaviour. The sample itself was not observed querying disk or hypervisor information, so this is not evidence of sandbox evasion by Bank Swift.exe.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Bank Swift.exe Process queried: DebugPort
Note: this one is the sample's own behaviour. Querying DebugPort is NtQueryInformationProcess(ProcessDebugPort), the primitive behind CheckRemoteDebuggerPresent; together with the writable .text section and missing imports it is consistent with a packed sample checking for a debugger.
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Note: the token adjustment is WerFault.exe acquiring the debug privilege it uses to read the crashed process; it is not the sample escalating.
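Most signatures in this report carry evidence from WerFault.exe rather than from the sample, and the summary list at the top does not show that. The following added example (not Joe Sandbox code) parses the report's "Source:" lines, attributes each to the process it names, and separates signatures backed by the sample from those backed only by Windows or unknown processes. REPORT_EXCERPT is a constructed excerpt copied from the sections above; the process-name regex and the "one title line followed by its Source lines" layout are assumptions about the report format, not a documented interface.

```python
"""Attribute each evidence line of a sandbox report to the process it names.
Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed excerpt copied from the signature sections of this report.
REPORT_EXCERPT = r"""
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Bank Swift.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Source: WerFault.exe, 00000003.00000003.255617815.0000000000813000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
PE file has a writeable .text section
Source: Bank Swift.exe Static PE information: Section: .text IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Machine Learning detection for sample
Source: Bank Swift.exe Joe Sandbox ML: detected
Source: unknown DNS traffic detected: queries for: g.msn.com
Tries to load missing DLLs
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.247353415.0000000000806000.00000004.00000001.sdmp
"""

# Assumed format: the process name is the last path component ending in .exe.
# Backslash, slash, colon and comma are excluded so "C:\...\WerFault.exe, 0000..."
# and "Binary string: x.pdb source: WerFault.exe" both yield the basename.
_PROC_RE = re.compile(r"([^\\/:,]*?\.exe)\b", re.IGNORECASE)


def source_process(line):
    """Process named by a 'Source: ...' line as a basename, or 'unknown'/'other'."""
    body = line[len("Source:"):].strip()
    if body.lower().startswith("unknown"):
        return "unknown"
    m = _PROC_RE.search(body)
    return m.group(1).strip() if m else "other"


def attribute(report_text):
    """Map signature title -> {process basename: number of evidence lines}."""
    evidence = defaultdict(lambda: defaultdict(int))
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Source:"):
            if current is not None:
                evidence[current][source_process(line)] += 1
        else:
            current = line            # a non-Source line starts a new signature
            evidence[current]         # register titles even if no evidence follows
    return evidence


def classify(evidence, sample_name):
    """Split signatures into those with at least one evidence line from the sample
    and those backed only by Windows or unknown processes (weak for the sample)."""
    sample = sample_name.lower()
    backed, unbacked = [], []
    for sig, procs in evidence.items():
        names = {p.lower() for p in procs}
        (backed if sample in names else unbacked).append(sig)
    return sorted(backed), sorted(unbacked)


if __name__ == "__main__":
    ev = attribute(REPORT_EXCERPT)
    backed, unbacked = classify(ev, "Bank Swift.exe")
    print("Backed by the sample:")
    for sig in backed:
        print("  %s  %s" % (sig, dict(ev[sig])))
    print("Backed only by other processes:")
    for sig in unbacked:
        print("  %s  %s" % (sig, dict(ev[sig])))
```

On this excerpt the sample-backed set is the ML verdict, the writable .text section and the DebugPort query; the debug-privilege, disk-query and missing-DLL signatures fall to WerFault.exe. Feed it the full report text to get the same split for every section.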
Behavior Graph

Behavior Graph ID: 326331
Sample: Bank Swift.exe
Start date: 03/12/2020
Architecture: WINDOWS
Score: 48

Process tree:
  Bank Swift.exe (started)
    signatures on this node: Machine Learning detection for sample; PE file has a writeable .text section
    -> WerFault.exe (started; Windows process; graph counters 23 and 9, which the legend lists as created registry values and created files)
         dropped file: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
DNS: g.msn.com

No contacted IP infos

Contacted Domains

Name IP Active
g.msn.com unknown unknown