Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    09-07-2020 13:35

General

  • Target

    attached swifts.exe

  • Size

    737KB

  • MD5

    7a52b8a391d6c4a2d421ae7367a7eb8a

  • SHA1

    607af296abcb31db79877e1cd6f6f25e8c88f3f5

  • SHA256

    cc1d466f94bbd61eb8ef952b8f112d2015cf0b14c72f6f9b47e0ab3d4b368b2f

  • SHA512

    d0866ffdda1440893aa00d151d0783e9c604805eb9a0412a63661a49b0398a2b776e95c223193f1080a06f4b386f088c7d8708f326d331a38853781618762b9d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mexicanproduct.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Produccion2020.

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mexicanproduct.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Produccion2020.

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\attached swifts.exe
    "C:\Users\Admin\AppData\Local\Temp\attached swifts.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmZkCrTdrajDkB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69A2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3804
    • C:\Users\Admin\AppData\Local\Temp\attached swifts.exe
      "{path}"
      2⤵
        PID:1732
      • C:\Users\Admin\AppData\Local\Temp\attached swifts.exe
        "{path}"
        2⤵
          PID:3860
        • C:\Users\Admin\AppData\Local\Temp\attached swifts.exe
          "{path}"
          2⤵
            PID:3868
          • C:\Users\Admin\AppData\Local\Temp\attached swifts.exe
            "{path}"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3820

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\attached swifts.exe.log

          MD5

          ef140ef600b2463c9e7dbf064a104046

          SHA1

          c08fd1853877be95575ea2e860dd8cafef31f54c

          SHA256

          ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

          SHA512

          bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

        • C:\Users\Admin\AppData\Local\Temp\tmp69A2.tmp

          MD5

          688885584b2c8a21db6fc5ec4474003e

          SHA1

          6d22eb28a99a7ec6bd7d0e8e189dd880c13db2f8

          SHA256

          5e603803a3a1dc92176f1358a733848688ed3e93edcaca3f818b16b87061e64a

          SHA512

          16d3dccfc79d6faed5bbe75d763e72e465b38ffb246763f525d744ab5dec8bc6d17a6aa568cea5d309874bedb4c5605882033eb843998a2c8a6b1d3d5f593f23

        • memory/3804-0-0x0000000000000000-mapping.dmp

        • memory/3820-2-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

        • memory/3820-3-0x000000000044983E-mapping.dmp