Analysis
- max time kernel: 135s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:21
Static task: static1
Behavioral task: behavioral1
- Sample: Swift copy.xls.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift copy.xls.exe
- Resource: win10v2004-20220414-en
General
- Target: Swift copy.xls.exe
- Size: 705KB
- MD5: 02b4cd91c80eb6395d1329beb9e20d15
- SHA1: dd02b4a3c4e10fe21d4276e5d1e37eeb7ba38e3b
- SHA256: 0ccd73a94d46ffb3f88ab74256197c9cb5e15d87f017b5752ee557985138c1b4
- SHA512: c16e27c117447765148b7e9999d4b01a70fb59a9b1e70c607e7c350e3967b92d0361c508b00c8a56994af49a1aad03525e959abd677a1fd19b7605b24071d014
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.blc.com.np
- Port: 587
- Username: [email protected]
- Password: bhuramal
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource | yara_rule):
  behavioral1/memory/1292-64-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1292-65-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1292-66-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1292-67-0x0000000000446EEE-mapping.dmp | family_agenttesla
  behavioral1/memory/1292-69-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1292-71-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvWCA = "C:\\Users\\Admin\\AppData\\Roaming\\AvWCA\\AvWCA.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1092 set thread context of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  1092 | Swift copy.xls.exe
  1092 | Swift copy.xls.exe
  1092 | Swift copy.xls.exe
  1292 | RegSvcs.exe
  1292 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1092 | Swift copy.xls.exe
  Token: SeDebugPrivilege | 1292 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
  PID 1092 wrote to memory of 1480 | 1092 | Swift copy.xls.exe | schtasks.exe
  PID 1092 wrote to memory of 1480 | 1092 | Swift copy.xls.exe | schtasks.exe
  PID 1092 wrote to memory of 1480 | 1092 | Swift copy.xls.exe | schtasks.exe
  PID 1092 wrote to memory of 1480 | 1092 | Swift copy.xls.exe | schtasks.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1092 wrote to memory of 1292 | 1092 | Swift copy.xls.exe | RegSvcs.exe
  PID 1292 wrote to memory of 1912 | 1292 | RegSvcs.exe | REG.exe
  PID 1292 wrote to memory of 1912 | 1292 | RegSvcs.exe | REG.exe
  PID 1292 wrote to memory of 1912 | 1292 | RegSvcs.exe | REG.exe
  PID 1292 wrote to memory of 1912 | 1292 | RegSvcs.exe | REG.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy.xls.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.xls.exe"
  PID: 1092
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iaXmbTAUg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5C0.tmp"
    PID: 1480
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    PID: 1292
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      PID: 1912
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC5C0.tmp
  Filesize: 1KB
  MD5: 931716f2020e60f219be107f00fb7f64
  SHA1: 81fe5fc470eb989c2be79bbdcd25181861399ec8
  SHA256: 20c767731e62336be37403499d7bdfff579ae77172715c44273eb066a3029b4c
  SHA512: 470861d033a6a43abf11a307084a5c2b6dd7086175c37c4a74907ccf0266f3684d3d1533016f115fd1d9753f00c8a1379cf5218339b7d602e060e6ba061e9796
- Memory dumps (name | filesize):
  memory/1092-55-0x0000000074C81000-0x0000000074C83000-memory.dmp | 8KB
  memory/1092-56-0x00000000005C0000-0x00000000005D0000-memory.dmp | 64KB
  memory/1092-57-0x0000000000C00000-0x0000000000C60000-memory.dmp | 384KB
  memory/1092-58-0x0000000000B70000-0x0000000000BBC000-memory.dmp | 304KB
  memory/1092-54-0x0000000000F10000-0x0000000000FC6000-memory.dmp | 728KB
  memory/1292-65-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1292-64-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1292-62-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1292-61-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1292-66-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1292-67-0x0000000000446EEE-mapping.dmp | -
  memory/1292-69-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1292-71-0x0000000000400000-0x000000000044C000-memory.dmp | 304KB
  memory/1480-59-0x0000000000000000-mapping.dmp | -
  memory/1912-73-0x0000000000000000-mapping.dmp | -