Analysis
- max time kernel: 146s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22-10-2021 11:14
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT COPY FOR URGENT RESPONSE.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: SWIFT COPY FOR URGENT RESPONSE.exe
- Resource: win10-en-20210920
General
- Target: SWIFT COPY FOR URGENT RESPONSE.exe
- Size: 539KB
- MD5: 634657bd61352689f76e1ad691f569f8
- SHA1: 0c3a0c59080e59b29bee05fa871e77c5e5e221f1
- SHA256: 04c14c005ffff7fc3b47a608e6945310305d81958813b5e3552250e6823ff766
- SHA512: 22bac142024a844560a10f96c3297acf52c57bbd3a4b9cf34e6b80c78675b6b478402527692cd6f7dd27759ceec9b250813d7da4adf94b715fb4723f7b5b987a
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.grodno.by
- Port: 587
- Username: vrkyl@mail.grodno.by
- Password: 9qd8$2NonPD
These are the credentials of the mailbox the sample delivers stolen data to over SMTP submission (TCP 587). Treat the host and the account as exfiltration indicators: the mailbox belongs to the operator (owned or compromised), not to the victim.
Signatures
-
AgentTesla
Agent Tesla is a .NET (Visual Basic .NET) information stealer and remote access tool (RAT). It harvests credentials, keystrokes and clipboard contents and sends them out over SMTP, FTP or HTTP, which is what the SMTP config extracted above is for.
-
AgentTesla Payload (4 IoCs)
All four yara hits are on dumps of the child process PID 820: three on the same 0x400000-0x43C000 image region, one on the mapping dump.
- behavioral1/memory/820-62-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/820-63-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/820-64-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/820-65-0x00000000004374AE-mapping.dmp: family_agenttesla
Suspicious use of SetThreadContext (1 IoC)
- PID 1360 SWIFT COPY FOR URGENT RESPONSE.exe set thread context of PID 820 SWIFT COPY FOR URGENT RESPONSE.exe
Read together with the nine WriteProcessMemory calls from 1360 into 820 listed below, this is the process-hollowing pattern: the parent launches a copy of its own image, overwrites that child's memory with the decoded payload and points its main thread into it. This is why the AgentTesla yara hits land in PID 820 rather than in the on-disk sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the label "likely ransomware behaviour" to this heuristic, but no file encryption is recorded in this run; on its own the hit does not indicate ransomware and should be read alongside the AgentTesla detections above.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\BNurTdbuLCTOA" is registered from an XML definition dropped to %TEMP% (tmp4A97.tmp, hashed under Downloads); the exact command line is in the process tree below.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 820 SWIFT COPY FOR URGENT RESPONSE.exe (2 hits)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 792 dw20.exe
dw20.exe is the .NET Framework error-reporting tool, launched by the runtime when the hollowed child (PID 820) raised an unhandled exception. This hit is noise from the crash handler, not behaviour of the sample.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1360 SWIFT COPY FOR URGENT RESPONSE.exe
- Token: SeDebugPrivilege, PID 820 SWIFT COPY FOR URGENT RESPONSE.exe
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1360 SWIFT COPY FOR URGENT RESPONSE.exe wrote to memory of PID 1432 schtasks.exe (4 times)
- PID 1360 SWIFT COPY FOR URGENT RESPONSE.exe wrote to memory of PID 820 SWIFT COPY FOR URGENT RESPONSE.exe (9 times)
- PID 820 SWIFT COPY FOR URGENT RESPONSE.exe wrote to memory of PID 792 dw20.exe (4 times)
The four writes each into schtasks.exe and dw20.exe are consistent with the footprint any parent leaves when it creates a child (the loader writes the new process's parameters into it). The nine writes into PID 820, followed by the SetThreadContext call above, are the payload being staged into the hollowed copy.
Processes
1. C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNurTdbuLCTOA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp"
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 520
         - Suspicious behavior: GetForegroundWindowSpam
Reading the tree: the sample is a 32-bit .NET binary (the System32 path in the schtasks command line is redirected to SysWOW64, and the crash handler comes from the 32-bit v2.0.50727 Framework directory). Level 1 is the dropper: it registers the scheduled task for persistence, then relaunches its own image with the literal command line "{path}", a placeholder rather than a real path and a useful hunting string on its own, and hollows that child (level 2) with the AgentTesla payload. The child later crashed into dw20.exe (level 3), the .NET error reporter, which is not malicious in itself.
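The detection logic below is an added example, not part of the sandbox report or of any product. It runs three checks over constructed Sysmon-style process-creation and network-connection events built from the process tree above and from the SMTP config in the Malware Config section: a schtasks /Create fed an XML from %TEMP% (or a task under "Updates\"), a process relaunching its own image with the literal "{path}" command line, and SMTP egress to the configured mail host or from a process that is not a mail client. The two benign control events, the MAIL_CLIENTS allow-list and the exfil network event itself are assumptions (the report records no network traffic).

```python
"""Detection checks for the behaviour in this report, run over constructed
Sysmon-style events. Added example; the events below are built from the
report's process tree and config, not taken from the sandbox's output."""
import ntpath
import shlex

# Exfiltration endpoint recovered from the sample's embedded config.
EXFIL_HOST = "mail.grodno.by"
SMTP_PORTS = {25, 465, 587}
# Processes allowed to speak SMTP directly (assumption: tune to your estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe"

# Constructed events: the report's process tree, the SMTP connection the
# config would produce if the mail host were reachable, and two benign controls.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1432, "ParentProcessId": 1360,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNurTdbuLCTOA" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp"'},
    {"EventType": "ProcessCreate", "ProcessId": 820, "ParentProcessId": 1360,
     "Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": "{path}"},
    {"EventType": "ProcessCreate", "ProcessId": 792, "ParentProcessId": 820,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
     "ParentImage": SAMPLE, "CommandLine": "dw20.exe -x -s 520"},
    {"EventType": "NetworkConnect", "ProcessId": 820, "Image": SAMPLE,
     "DestinationHostname": "mail.grodno.by", "DestinationPort": 587},
    # benign controls (constructed)
    {"EventType": "ProcessCreate", "ProcessId": 2000, "ParentProcessId": 1999,
     "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "Backup\Nightly" /TR "C:\Tools\backup.exe" /SC DAILY'},
    {"EventType": "NetworkConnect", "ProcessId": 2100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]


def image_name(path):
    return ntpath.basename(path).lower()


def split_args(cmdline):
    # posix=False keeps Windows backslashes intact and still honours double quotes.
    return [a.strip('"') for a in shlex.split(cmdline, posix=False)]


def option_value(args, flag):
    lowered = [a.lower() for a in args]
    if flag in lowered and lowered.index(flag) + 1 < len(args):
        return args[lowered.index(flag) + 1]
    return None


def rule_schtasks_temp_xml(ev):
    """schtasks /Create driven by a task XML in %TEMP%, or a task named under 'Updates\\'."""
    if ev["EventType"] != "ProcessCreate" or image_name(ev["Image"]) != "schtasks.exe":
        return None
    args = split_args(ev["CommandLine"])
    if "/create" not in (a.lower() for a in args):
        return None
    tn, xml = option_value(args, "/tn"), option_value(args, "/xml")
    from_temp = xml is not None and "\\appdata\\local\\temp\\" in xml.lower()
    if from_temp or (tn or "").lower().startswith("updates\\"):
        return ("schtasks_create_from_temp_xml", ev["ProcessId"], f"TN={tn} XML={xml}")
    return None


def rule_self_spawn_placeholder(ev):
    """A process relaunching its own image with the literal '{path}' command line;
    in this report that child is the one later hollowed via SetThreadContext."""
    if ev["EventType"] != "ProcessCreate":
        return None
    if ev["Image"].lower() == ev["ParentImage"].lower() and ev["CommandLine"].strip() == "{path}":
        return ("self_spawn_placeholder_cmdline", ev["ProcessId"], f"parent={ev['ParentProcessId']}")
    return None


def rule_smtp_egress(ev):
    """Any connection to the known exfil host, or SMTP from a process that is not a mail client."""
    if ev["EventType"] != "NetworkConnect":
        return None
    host, port = ev["DestinationHostname"].lower(), ev["DestinationPort"]
    if host == EXFIL_HOST:
        return ("known_exfil_host", ev["ProcessId"], f"{host}:{port}")
    if port in SMTP_PORTS and image_name(ev["Image"]) not in MAIL_CLIENTS:
        return ("smtp_from_non_mail_client", ev["ProcessId"], f"{host}:{port}")
    return None


RULES = (rule_schtasks_temp_xml, rule_self_spawn_placeholder, rule_smtp_egress)


def detect(events):
    """Return a (rule, pid, detail) tuple for every event a rule fires on."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The two control events are there to show the rules do not fire on an ordinary administrator task or on Outlook submitting mail; the "{path}" and %TEMP%-XML checks are narrow on purpose, so widen them only with your own telemetry in hand.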
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp (the scheduled-task XML passed to schtasks /XML in the process tree)
- MD5: e326ff7639700e89e7e22ebcf9dbbf94
- SHA1: 07aef94d081b0b6cc2b5ea2a20b0edf94ccbf903
- SHA256: 8b6cc696edc19bcd02b507c51120f04bf74c626674ea3f0ea54bba8e32bc9451
- SHA512: ca7071005244cba16c520e9abbd02701a98307e369698a2cada5065ddbc11db7118cbd0fd1cd0ed8a0a2a18585c5839f4db10a3a21051daba19eccabff2d17b0
-
Memory dumps taken during behavioral1, grouped by process (sizes as reported):
- PID 792 (dw20.exe)
  - memory/792-68-0x0000000000000000-mapping.dmp
  - memory/792-70-0x0000000001CD0000-0x0000000001CD1000-memory.dmp, 4KB
- PID 820 (hollowed SWIFT COPY FOR URGENT RESPONSE.exe)
  - memory/820-60-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
  - memory/820-61-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
  - memory/820-62-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
  - memory/820-63-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
  - memory/820-64-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
  - memory/820-65-0x00000000004374AE-mapping.dmp
  - memory/820-67-0x00000000001B0000-0x00000000001B1000-memory.dmp, 4KB
- PID 1360 (dropper SWIFT COPY FOR URGENT RESPONSE.exe)
  - memory/1360-55-0x0000000074F61000-0x0000000074F63000-memory.dmp, 8KB
  - memory/1360-56-0x0000000000BE0000-0x0000000000BE1000-memory.dmp, 4KB
  - memory/1360-58-0x0000000000BE1000-0x0000000000BE2000-memory.dmp, 4KB
- PID 1432 (schtasks.exe)
  - memory/1432-57-0x0000000000000000-mapping.dmp
The 0x400000-0x43C000 region of PID 820 (0x3C000 bytes, 240KB) was dumped five times and is where the yara rule matched: 0x400000 is the default image base of a 32-bit PE, so this is the hollowed child's image after the payload was written over it, and it is the dump to pull for static analysis of the unpacked AgentTesla. The flagged mapping address 0x4374AE lies inside that region.
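The parser below is an added example, not part of the report. It splits the dump names listed above into pid, sequence number, address range and kind, checks that each range agrees with the Filesize the report gives for it, and confirms that the yara hits from the Signatures section all point at a single region of PID 820 that also contains the flagged mapping address. The dump names and sizes are copied from this page; nothing else is assumed.

```python
"""Parse the memory-dump names in this report and cross-check them against
the reported sizes and the yara hits. Added example; input copied from the page."""
import re
from collections import defaultdict

# (dump name, Filesize as reported); mapping dumps list no size.
REPORT_DUMPS = [
    ("memory/792-70-0x0000000001CD0000-0x0000000001CD1000-memory.dmp", "4KB"),
    ("memory/792-68-0x0000000000000000-mapping.dmp", None),
    ("memory/820-64-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/820-60-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/820-61-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/820-62-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/820-63-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/820-65-0x00000000004374AE-mapping.dmp", None),
    ("memory/820-67-0x00000000001B0000-0x00000000001B1000-memory.dmp", "4KB"),
    ("memory/1360-58-0x0000000000BE1000-0x0000000000BE2000-memory.dmp", "4KB"),
    ("memory/1360-55-0x0000000074F61000-0x0000000074F63000-memory.dmp", "8KB"),
    ("memory/1360-56-0x0000000000BE0000-0x0000000000BE1000-memory.dmp", "4KB"),
    ("memory/1432-57-0x0000000000000000-mapping.dmp", None),
]

# Dumps the family_agenttesla yara rule matched (Signatures section).
YARA_HITS = [
    "behavioral1/memory/820-62-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/820-63-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/820-64-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/820-65-0x00000000004374AE-mapping.dmp",
]

# <pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  <pid>-<seq>-0x<addr>-mapping.dmp
DUMP_RE = re.compile(
    r"(?:^|/)memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump(name):
    """Split a dump name into pid, sequence number, kind and address range."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": "memory" if end is not None else "mapping",
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
    }


def kib(n):
    """Render a byte count the way the report does (whole KiB, 'KB' suffix)."""
    return f"{n // 1024}KB"


def size_mismatches(dumps=REPORT_DUMPS):
    """Entries whose address range disagrees with the listed Filesize."""
    bad = []
    for name, reported in dumps:
        d = parse_dump(name)
        if d["kind"] == "memory" and kib(d["size"]) != reported:
            bad.append((name, kib(d["size"]), reported))
    return bad


def regions_by_pid(dumps=REPORT_DUMPS):
    """Distinct (start, end) memory regions dumped for each pid, sorted by address."""
    regions = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "memory":
            regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def flagged_region(hits=YARA_HITS):
    """The one image region the yara hits share, and whether every flagged
    mapping address falls inside it (same pid, start <= addr < end)."""
    ranges, mapping_addrs = set(), []
    for h in hits:
        d = parse_dump(h)
        if d["kind"] == "memory":
            ranges.add((d["pid"], d["start"], d["end"]))
        else:
            mapping_addrs.append((d["pid"], d["start"]))
    if len(ranges) != 1:
        raise ValueError(f"expected one flagged region, got {sorted(ranges)}")
    pid, start, end = next(iter(ranges))
    inside = all(p == pid and start <= a < end for p, a in mapping_addrs)
    return {"pid": pid, "start": start, "end": end, "size": end - start, "mapping_inside": inside}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches())
    for pid, regions in sorted(regions_by_pid().items()):
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in regions])
    print(flagged_region())
```

Running it over this report gives no size mismatches, three distinct regions for the dropper (PID 1360), two for the hollowed child (PID 820), and a single flagged region 0x400000-0x43C000 in PID 820 that contains the 0x4374AE mapping address.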