Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 13:35
Static task: static1
Behavioral task: behavioral1 (Sample: attached swifts.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: attached swifts.exe, Resource: win10)
General
- Target: attached swifts.exe
- Size: 737KB
- MD5: 7a52b8a391d6c4a2d421ae7367a7eb8a
- SHA1: 607af296abcb31db79877e1cd6f6f25e8c88f3f5
- SHA256: cc1d466f94bbd61eb8ef952b8f112d2015cf0b14c72f6f9b47e0ab3d4b368b2f
- SHA512: d0866ffdda1440893aa00d151d0783e9c604805eb9a0412a63661a49b0398a2b776e95c223193f1080a06f4b386f088c7d8708f326d331a38853781618762b9d
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.mexicanproduct.com.mx
- Port: 587
- Username: [email protected]
- Password: Produccion2020.
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/3820-2-0x0000000000400000-0x000000000044E000-memory.dmp / family_agenttesla
  - behavioral2/memory/3820-3-0x000000000044983E-mapping.dmp / family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid process / target process):
  - PID 3048 set thread context of 3820 / 3048 attached swifts.exe / attached swifts.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid process):
  - 3048 attached swifts.exe (7 entries)
  - 3820 attached swifts.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid process):
  - Token: SeDebugPrivilege / 3048 attached swifts.exe
  - Token: SeDebugPrivilege / 3820 attached swifts.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid process):
  - 3820 attached swifts.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid process / target process):
  - PID 3048 wrote to memory of 3804 / 3048 attached swifts.exe / schtasks.exe (3 entries)
  - PID 3048 wrote to memory of 1732 / 3048 attached swifts.exe / attached swifts.exe (3 entries)
  - PID 3048 wrote to memory of 3860 / 3048 attached swifts.exe / attached swifts.exe (3 entries)
  - PID 3048 wrote to memory of 3868 / 3048 attached swifts.exe / attached swifts.exe (3 entries)
  - PID 3048 wrote to memory of 3820 / 3048 attached swifts.exe / attached swifts.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\attached swifts.exe (PID 3048, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\attached swifts.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\schtasks.exe (PID 3804)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmZkCrTdrajDkB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69A2.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\attached swifts.exe (PID 1732)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\attached swifts.exe (PID 3860)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\attached swifts.exe (PID 3868)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\attached swifts.exe (PID 3820)
    Command line: "{path}"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ef140ef600b2463c9e7dbf064a104046
  SHA1: c08fd1853877be95575ea2e860dd8cafef31f54c
  SHA256: ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
  SHA512: bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
- MD5: 688885584b2c8a21db6fc5ec4474003e
  SHA1: 6d22eb28a99a7ec6bd7d0e8e189dd880c13db2f8
  SHA256: 5e603803a3a1dc92176f1358a733848688ed3e93edcaca3f818b16b87061e64a
  SHA512: 16d3dccfc79d6faed5bbe75d763e72e465b38ffb246763f525d744ab5dec8bc6d17a6aa568cea5d309874bedb4c5605882033eb843998a2c8a6b1d3d5f593f23