Analysis
- Max time kernel: 152s
- Max time network: 41s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 15-09-2021 06:26
Static task: static1
Behavioral task: behavioral1
- Sample: Swift Copy.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Swift Copy.exe
- Resource: win10v20210408
General
- Target: Swift Copy.exe
- Size: 797KB
- MD5: f4e3db4de0dfb56c9ce9a90a597914ad
- SHA1: f14504642cff022e5edb1709bff3ba799f683c24
- SHA256: 7fcc227a274b3d5e1490799223181c246178a676b12de3c1c59d6a5d675febb7
- SHA512: c5914f96debcecf426467a708ddd03e73e635d11c66aad9a7460c60a08f50e6aeed0d5ca7401527380c861ab398ca400b3d5622bf0c3b16acdf5427e03572269
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.diva-italia.com
- Port: 587
- Username: info@diva-italia.com
- Password: rr.@%5LjgLz7
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource, YARA rule):
  - behavioral1/memory/568-66-0x000000000043761E-mapping.dmp: family_agenttesla
  - behavioral1/memory/568-65-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 748 (Swift Copy.exe) set thread context of PID 568 (Swift Copy.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 748 (Swift Copy.exe), 3 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1876 (dw20.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 748 (Swift Copy.exe)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (identical rows collapsed, with the number of occurrences):
  - PID 748 (Swift Copy.exe) wrote to memory of PID 472 (schtasks.exe), 4 times
  - PID 748 (Swift Copy.exe) wrote to memory of PID 556 (Swift Copy.exe), 4 times
  - PID 748 (Swift Copy.exe) wrote to memory of PID 568 (Swift Copy.exe), 9 times
  - PID 568 (Swift Copy.exe) wrote to memory of PID 1876 (dw20.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JNZVRO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6864.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 388
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6864.tmp
  - MD5: 4f1b0895d3c135157922564a0c909a67
  - SHA1: 52152d2e4b76bf5df7ca8aa32e685b00a449d083
  - SHA256: 094942089ec6da5a57bb02293be0dfb78fcc632a3dfe5e45894c4417c06a3511
  - SHA512: eed7c3ffcbb10d609720389098139832a0e0249b08832d7bb0974cae1d0d24a45a12f24d6a7a36fd39156b701f6fc1abfc01a1e38a19ca442a76d795ea506b49
- memory/472-63-0x0000000000000000-mapping.dmp
- memory/568-66-0x000000000043761E-mapping.dmp
- memory/568-65-0x0000000000400000-0x000000000043C000-memory.dmp (filesize: 240KB)
- memory/568-69-0x00000000021E0000-0x00000000021E1000-memory.dmp (filesize: 4KB)
- memory/748-60-0x0000000075451000-0x0000000075453000-memory.dmp (filesize: 8KB)
- memory/748-61-0x00000000007D0000-0x00000000007D1000-memory.dmp (filesize: 4KB)
- memory/748-62-0x00000000007D1000-0x00000000007D2000-memory.dmp (filesize: 4KB)
- memory/1876-68-0x0000000000000000-mapping.dmp
- memory/1876-71-0x0000000002800000-0x0000000002801000-memory.dmp (filesize: 4KB)