Analysis
- max time kernel: 119s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 11:14
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT COPY FOR URGENT RESPONSE.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: SWIFT COPY FOR URGENT RESPONSE.exe
- Resource: win10-en-20210920
General
- Target: SWIFT COPY FOR URGENT RESPONSE.exe
- Size: 539KB
- MD5: 634657bd61352689f76e1ad691f569f8
- SHA1: 0c3a0c59080e59b29bee05fa871e77c5e5e221f1
- SHA256: 04c14c005ffff7fc3b47a608e6945310305d81958813b5e3552250e6823ff766
- SHA512: 22bac142024a844560a10f96c3297acf52c57bbd3a4b9cf34e6b80c78675b6b478402527692cd6f7dd27759ceec9b250813d7da4adf94b715fb4723f7b5b987a
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.grodno.by
- Port: 587
- Username: vrkyl@mail.grodno.by
- Password: 9qd8$2NonPD
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/3348-119-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral2/memory/3348-120-0x00000000004374AE-mapping.dmp: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: SWIFT COPY FOR URGENT RESPONSE.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: SWIFT COPY FOR URGENT RESPONSE.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: SWIFT COPY FOR URGENT RESPONSE.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 4372 set thread context of 3348 (4372 SWIFT COPY FOR URGENT RESPONSE.exe -> SWIFT COPY FOR URGENT RESPONSE.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 4372 SWIFT COPY FOR URGENT RESPONSE.exe
  - 3348 SWIFT COPY FOR URGENT RESPONSE.exe
  - 3348 SWIFT COPY FOR URGENT RESPONSE.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 4372 SWIFT COPY FOR URGENT RESPONSE.exe
  - Token: SeDebugPrivilege, 3348 SWIFT COPY FOR URGENT RESPONSE.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 3348 SWIFT COPY FOR URGENT RESPONSE.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 4372 wrote to memory of 4656 (4372 SWIFT COPY FOR URGENT RESPONSE.exe -> schtasks.exe), 3 entries
  - PID 4372 wrote to memory of 3348 (4372 SWIFT COPY FOR URGENT RESPONSE.exe -> SWIFT COPY FOR URGENT RESPONSE.exe), 8 entries
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: SWIFT COPY FOR URGENT RESPONSE.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: SWIFT COPY FOR URGENT RESPONSE.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNurTdbuLCTOA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F35.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SWIFT COPY FOR URGENT RESPONSE.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SWIFT COPY FOR URGENT RESPONSE.exe.log
  MD5: 568e6f2b186c39075772d775e4189f57
  SHA1: 02f642cfdd1491b1ce69e81925ed336975e2f972
  SHA256: d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4
  SHA512: ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156
- C:\Users\Admin\AppData\Local\Temp\tmp4F35.tmp
  MD5: 1ce03da7fab7469ec4629b91bdb7932f
  SHA1: 7c0b7d8d1563bfff645b8546c93ed37c5a3f326c
  SHA256: 0b765c17ba6dc91661493695537614ae85f04dd81ca28e963b1d84c4369c0690
  SHA512: 9efb2d7a7baba48435c06011c67f36db2069a80bac86d8d0dd079a9df2cec25818db109ccd1d1559bacaa27c41f471e897c47fa452fb2d91181351bc566fe55d
- memory/3348-119-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/3348-120-0x00000000004374AE-mapping.dmp
- memory/3348-122-0x00000000017F0000-0x00000000017F1000-memory.dmp
  Filesize: 4KB
- memory/3348-123-0x00000000017F1000-0x00000000017F2000-memory.dmp
  Filesize: 4KB
- memory/3348-124-0x00000000017F2000-0x00000000017F3000-memory.dmp
  Filesize: 4KB
- memory/4372-115-0x0000000002570000-0x0000000002571000-memory.dmp
  Filesize: 4KB
- memory/4372-116-0x0000000002572000-0x0000000002574000-memory.dmp
  Filesize: 8KB
- memory/4656-117-0x0000000000000000-mapping.dmp