Analysis
max time kernel: 113s
max time network: 118s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 05:12
Static task: static1
Behavioral task: behavioral1 (Sample: swift copy.exe; Resource: win7)
Behavioral task: behavioral2 (Sample: swift copy.exe; Resource: win10v200430)
General
Target: swift copy.exe
Size: 899KB
MD5: 615fdf5bd5f20b021c457478f80b2938
SHA1: 73616a95f5ef3fa2f9dc4a258f9ac4ca3b1f80ba
SHA256: 4a754cc65487647ffb0067986dd92f27676a61de5f26e9f08130ac8197e44205
SHA512: 6d7ade1546ca05a5d319c3cf7332b5a537be4012fc2ffd7862ef6492fa48b1ffa0b91b8e9ba0a2fcc916a663c084aed67b637601e72fbc964c81037ed8456f4a
Malware Config
Signatures
Suspicious behavior: RenamesItself (1 IoC)
Processes:
- PID 1468  swift copy.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Modifies service (2 TTPs, 5 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups (netsh.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas (netsh.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs (netsh.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI (netsh.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig (netsh.exe)
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- PID 1164 (swift copy.exe) wrote to memory of PID 1428 (swift copy.exe): 4 events
- PID 1164 (swift copy.exe) wrote to memory of PID 1468 (swift copy.exe): 9 events
- PID 1468 (swift copy.exe) wrote to memory of PID 1672 (netsh.exe): 4 events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege  PID 1164  swift copy.exe
- Token: SeDebugPrivilege  PID 1468  swift copy.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 1164  swift copy.exe
- PID 1468  swift copy.exe
- PID 1468  swift copy.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1164 (swift copy.exe) set thread context of PID 1468 (swift copy.exe)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Processes
1. C:\Users\Admin\AppData\Local\Temp\swift copy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
   PID: 1164
   - Suspicious use of WriteProcessMemory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\swift copy.exe
      Command line: "{path}"
      PID: 1428
   2. C:\Users\Admin\AppData\Local\Temp\swift copy.exe
      Command line: "{path}"
      PID: 1468
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile
         PID: 1672
         - Modifies service