Analysis
- max time kernel: 131s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 03-12-2021 12:27
Static task: static1

Behavioral task: behavioral1
- Sample: SWIFT MESSAGE.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: SWIFT MESSAGE.exe
- Resource: win10-en-20211104 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: SWIFT MESSAGE.exe
- Size: 506KB
- MD5: 94fe630521bac270adea7c1294f4ae7f
- SHA1: d293a7fc184463352bebabdee5bc38bad3d4d17b
- SHA256: 3a8466544aac37ad923d7d14581f14647657a62f66cf1d7e05ed845f24e03111
- SHA512: afd2add56b9af9eef92a7b65d29f0698b41f90c7cd83657189bd186a15011dac4956ec8f91159073ea4749261642df7fb6abba8cfbb7ef0c65bf960b6ad5bca4
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: mail.scsgroups.com
  - Port: 587
  - Username: sales@scsgroups.com
  - Password: Scs@sales#123
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (3 IoCs)
Processes:
- resource: behavioral2/memory/4528-128-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
- resource: behavioral2/memory/4528-129-0x000000000043764E-mapping.dmp, yara_rule: family_agenttesla
- resource: behavioral2/memory/4528-134-0x0000000005060000-0x000000000555E000-memory.dmp, yara_rule: family_agenttesla

Drops file in Drivers directory (1 IoCs)
Processes: RegSvcs.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (RegSvcs.exe)

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: RegSvcs.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: SWIFT MESSAGE.exe
- PID 3644 (SWIFT MESSAGE.exe) set thread context of PID 4528 (RegSvcs.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: SWIFT MESSAGE.exe, RegSvcs.exe
- PID 3644 (SWIFT MESSAGE.exe), 2 occurrences
- PID 4528 (RegSvcs.exe), 2 occurrences

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: SWIFT MESSAGE.exe, RegSvcs.exe
- Token: SeDebugPrivilege, PID 3644 (SWIFT MESSAGE.exe)
- Token: SeDebugPrivilege, PID 4528 (RegSvcs.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: SWIFT MESSAGE.exe
- PID 3644 (SWIFT MESSAGE.exe) wrote to memory of PID 4528 (RegSvcs.exe), 8 occurrences

outlook_office_path (1 IoCs)
Processes: RegSvcs.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

outlook_win_path (1 IoCs)
Processes: RegSvcs.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SWIFT MESSAGE.exe (PID 3644)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT MESSAGE.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4528, child of 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
   - Drops file in Drivers directory
   - Accesses Microsoft Outlook profiles
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - outlook_office_path
   - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3644-118-0x0000000000FF0000-0x0000000000FF1000-memory.dmp (Filesize: 4KB)
- memory/3644-120-0x0000000005D90000-0x0000000005D91000-memory.dmp (Filesize: 4KB)
- memory/3644-121-0x0000000005930000-0x0000000005931000-memory.dmp (Filesize: 4KB)
- memory/3644-122-0x0000000001B50000-0x0000000001B51000-memory.dmp (Filesize: 4KB)
- memory/3644-123-0x00000000058D0000-0x00000000058D1000-memory.dmp (Filesize: 4KB)
- memory/3644-124-0x0000000005D80000-0x0000000005D88000-memory.dmp (Filesize: 32KB)
- memory/3644-125-0x0000000007CC0000-0x0000000007CC1000-memory.dmp (Filesize: 4KB)
- memory/3644-126-0x0000000007D20000-0x0000000007D21000-memory.dmp (Filesize: 4KB)
- memory/3644-127-0x0000000007B50000-0x0000000007BBA000-memory.dmp (Filesize: 424KB)
- memory/4528-128-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4528-129-0x000000000043764E-mapping.dmp
- memory/4528-134-0x0000000005060000-0x000000000555E000-memory.dmp (Filesize: 5.0MB)
- memory/4528-135-0x00000000050B0000-0x00000000050B1000-memory.dmp (Filesize: 4KB)
- memory/4528-136-0x0000000005C50000-0x0000000005C51000-memory.dmp (Filesize: 4KB)