Analysis
- max time kernel: 68s
- max time network: 65s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 13:35
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Swift Copy.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: Swift Copy.exe, Resource: win10v200722)
General
- Target: Swift Copy.exe
- Size: 741KB
- MD5: 749be8c35eb6722a48f9c77886a2911d
- SHA1: ca7566b4b3dc6a09f890d413fcbd14c2db05df47
- SHA256: 98850bda70a9cac3e3ba79f0c92d0caa6dabd70be5834912f3186bae3d964b16
- SHA512: f995385b717173bcb3c53256dd7578095ce7002abc2ccae2b759dcf84a130f5349b2672e6f02d6af2d92aa17478e86c4027b60bd8407711034489fb6e8c16627
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: itccoit@ite-gr.com
- Password: locowise12345
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  - resource: behavioral2/memory/992-0-0x0000000000400000-0x000000000044A000-memory.dmp, yara_rule: family_agenttesla
  - resource: behavioral2/memory/992-1-0x0000000000445EFE-mapping.dmp, yara_rule: family_agenttesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 728 set thread context of 992, pid: 728, process: Swift Copy.exe, target process: Swift Copy.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (1 IoC)
  Processes:
  - description: File created, ioc: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier, process: cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - pid: 728, process: Swift Copy.exe
  - pid: 728, process: Swift Copy.exe
  - pid: 992, process: Swift Copy.exe
  - pid: 992, process: Swift Copy.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege, pid: 728, process: Swift Copy.exe
  - description: Token: SeDebugPrivilege, pid: 992, process: Swift Copy.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  - description: PID 728 wrote to memory of 992, pid: 728, process: Swift Copy.exe, target process: Swift Copy.exe (8 entries)
  - description: PID 728 wrote to memory of 1156, pid: 728, process: Swift Copy.exe, target process: cmd.exe (3 entries)
  - description: PID 728 wrote to memory of 1356, pid: 728, process: Swift Copy.exe, target process: cmd.exe (3 entries)
  - description: PID 1356 wrote to memory of 1596, pid: 1356, process: cmd.exe, target process: reg.exe (3 entries)
  - description: PID 728 wrote to memory of 1764, pid: 728, process: Swift Copy.exe, target process: cmd.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (level 2)
    Command line: "C:/Users/Admin/AppData/Local/Temp/Swift Copy.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Swift Copy.exe" "%temp%\FolderN\name.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  MD5: 749be8c35eb6722a48f9c77886a2911d
  SHA1: ca7566b4b3dc6a09f890d413fcbd14c2db05df47
  SHA256: 98850bda70a9cac3e3ba79f0c92d0caa6dabd70be5834912f3186bae3d964b16
  SHA512: f995385b717173bcb3c53256dd7578095ce7002abc2ccae2b759dcf84a130f5349b2672e6f02d6af2d92aa17478e86c4027b60bd8407711034489fb6e8c16627
- memory/992-0-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/992-1-0x0000000000445EFE-mapping.dmp
- memory/1156-2-0x0000000000000000-mapping.dmp
- memory/1356-3-0x0000000000000000-mapping.dmp
- memory/1596-4-0x0000000000000000-mapping.dmp
- memory/1764-6-0x0000000000000000-mapping.dmp