Overview

overview

10

Static

static

SWIFT COPY...SE.exe

windows7_x64

10

SWIFT COPY...SE.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    22-10-2021 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT COPY FOR URGENT RESPONSE.exe

  • Size

    539KB

  • MD5

    634657bd61352689f76e1ad691f569f8

  • SHA1

    0c3a0c59080e59b29bee05fa871e77c5e5e221f1

  • SHA256

    04c14c005ffff7fc3b47a608e6945310305d81958813b5e3552250e6823ff766

  • SHA512

    22bac142024a844560a10f96c3297acf52c57bbd3a4b9cf34e6b80c78675b6b478402527692cd6f7dd27759ceec9b250813d7da4adf94b715fb4723f7b5b987a

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.grodno.by
  • Port:
    587
  • Username:
    vrkyl@mail.grodno.by
  • Password:
    9qd8$2NonPD

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNurTdbuLCTOA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1432
    • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 520
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp
    MD5

    e326ff7639700e89e7e22ebcf9dbbf94

    SHA1

    07aef94d081b0b6cc2b5ea2a20b0edf94ccbf903

    SHA256

    8b6cc696edc19bcd02b507c51120f04bf74c626674ea3f0ea54bba8e32bc9451

    SHA512

    ca7071005244cba16c520e9abbd02701a98307e369698a2cada5065ddbc11db7118cbd0fd1cd0ed8a0a2a18585c5839f4db10a3a21051daba19eccabff2d17b0

    Download Submit
  • memory/792-70-0x0000000001CD0000-0x0000000001CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-68-0x0000000000000000-mapping.dmp
    Download
  • memory/820-64-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/820-60-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/820-61-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/820-62-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/820-63-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/820-65-0x00000000004374AE-mapping.dmp
    Download
  • memory/820-67-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1360-58-0x0000000000BE1000-0x0000000000BE2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1360-55-0x0000000074F61000-0x0000000074F63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1360-56-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1432-57-0x0000000000000000-mapping.dmp
    Download