Overview

overview

10

Static

static

Swift Copy.pdf.exe

windows7_x64

10

Swift Copy.pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift Copy.pdf.exe

  • Size

    889KB

  • MD5

    dd2eb46743bf230998439673e3deba99

  • SHA1

    4871d34e0db77e32f627e74b92e9a9fbdef7a21a

  • SHA256

    ab417e35533138c082445ac1997401837c2be3af4527860f3b5c30dcabd325cb

  • SHA512

    9ddf626833dc5551ad869214590c23b11e8ca16bc37959608c960f283bfef027b451a8f7fabff9d0678d24cabf2de12a509c8a75e524643cf29faf2a1d275b33

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.saudimedlabexpo.com
  • Port:
    587
  • Username:
    info@saudimedlabexpo.com
  • Password:
    ]dTqP-]^T]Pt

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1340
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXGWcUXNvU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3616
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DXGWcUXNvU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD87F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXGWcUXNvU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    09da4e19aa6bc496f34f76ded358732a

    SHA1

    5508551afee0fef633de572fbb50dde184d7aa32

    SHA256

    534bd8bf03cab878677474b508c2cdbf39d6efc5ed38ee25774982394dcc2e06

    SHA512

    25a92a251f05974f946387fa576fc291864ab94d49873d3d615682e96c7b4efbe2e7d2d297ee9ae790c55bafe20baa61246b355e652b077cf5981880abb343e6

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    2e1f4d701715884d5d6eb28d7185ed33

    SHA1

    cc49b5740225be243547d2ac4cbcda09b5737ea9

    SHA256

    2b6277201f40cd19b2d1e1639bf2cb750b5e63d7e3b2c0a45ae9705286d016ac

    SHA512

    f2818c987610524ed8d79680e8b4bd5ebfaef2bb63b5390aec8ef951de15aace22bf89833b4b1a86902b6fa376c6ac6cf7c706c59a1f968a6f4c30c079f0fb19

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpD87F.tmp
    MD5

    009405d3c07c8a71e09971b9a2920a6a

    SHA1

    a96ed56726083ca804df6ec349cd363657a8edc7

    SHA256

    8d088c32888740a9c04c57177667a0c08a8c787194847b25594ae5ead6391507

    SHA512

    3d7f5ffa7949dbb2d960f92eceb06f392369f4f56ad96e3dba7ae94b4e13bf32c853047d51867a16ec82d0db48d9f05bc806dc6856bea6cd8bf63cf5feca5126

    Download Submit
  • memory/1340-151-0x0000000004E52000-0x0000000004E53000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-173-0x0000000008940000-0x0000000008941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-153-0x0000000007930000-0x0000000007931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-196-0x0000000004E53000-0x0000000004E54000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-194-0x000000007E910000-0x000000007E911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-158-0x0000000008230000-0x0000000008231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-125-0x0000000000000000-mapping.dmp
    Download
  • memory/1340-161-0x00000000082A0000-0x00000000082A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-150-0x0000000004E50000-0x0000000004E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-130-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1340-133-0x0000000007A20000-0x0000000007A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-117-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-123-0x0000000006390000-0x0000000006458000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2232-122-0x0000000005550000-0x0000000005554000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2232-124-0x0000000008920000-0x00000000089B0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/2232-121-0x0000000005760000-0x0000000005761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-114-0x0000000000B40000-0x0000000000B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-119-0x00000000054C0000-0x00000000059BE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2232-120-0x00000000054F0000-0x00000000054F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-118-0x0000000005560000-0x0000000005561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-116-0x0000000005420000-0x0000000005421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2700-156-0x0000000004C70000-0x0000000004C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-160-0x0000000004C72000-0x0000000004C73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-167-0x0000000008480000-0x0000000008481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-193-0x000000007EA00000-0x000000007EA01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-195-0x0000000004C73000-0x0000000004C74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2732-138-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2732-139-0x00000000004375BE-mapping.dmp
    Download
  • memory/2732-157-0x0000000004E00000-0x00000000052FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3616-152-0x00000000046B0000-0x00000000046B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-192-0x000000007F5B0000-0x000000007F5B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-126-0x0000000000000000-mapping.dmp
    Download
  • memory/3616-170-0x0000000007CB0000-0x0000000007CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-197-0x00000000046B3000-0x00000000046B4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-146-0x0000000007020000-0x0000000007021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-154-0x00000000046B2000-0x00000000046B3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3856-129-0x0000000000000000-mapping.dmp
    Download