Analysis
- max time kernel: 132s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:33
Static task: static1
Behavioral task: behavioral1
- Sample: Swift copy.pdf,....exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift copy.pdf,....exe
- Resource: win10v2004-20220414-en
General
- Target: Swift copy.pdf,....exe
- Size: 611KB
- MD5: 046396ed46cad7eb60175d3c8e5ef031
- SHA1: 62fdb0cc9ed8ce1670c4eee6220d489927fa3b89
- SHA256: 0af16f11d3c4f8de65e4a6edba5d3ae82ea4e1b5a4ad5017b4e6363884998488
- SHA512: 3d63fdf4a92d9218cc8c4e6c167963a361436ea9a55d663c2ffc435a7adbef7dfa56876b0b55dfaa57f2f725d0ce84c6d85d7f07583e2d1bddb82b371f2867fc
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.ffiegypt.com
- Port: 587
- Username: [email protected]
- Password: 12345678az
This is the SMTP account the stealer uses to mail out collected data. The host, port and account are the values to block or hunt for at the mail gateway and in outbound connection logs.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/1832-138-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla
  The family match is on memory dumped from RegSvcs.exe (PID 1832), not on the dropper on disk: the payload is only present unpacked in the hollowed host process.
- Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  process: Swift copy.pdf,....exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description: Key opened
  process: RegSvcs.exe
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvWCA = "C:\\Users\\Admin\\AppData\\Roaming\\AvWCA\\AvWCA.exe"
  process: RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2696 set thread context of 1832
  pid: 2696
  process: Swift copy.pdf,....exe
  target process: RegSvcs.exe
  Together with the eight WriteProcessMemory calls from 2696 into 1832 and the family match inside RegSvcs.exe memory, this is the process-hollowing pattern: the dropper starts the .NET utility, overwrites its image with the payload and redirects the main thread into it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; here the rest of the report (family YARA match, SMTP exfiltration config, Outlook profile access) identifies a stealer, and drive enumeration alone does not indicate encryption activity.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2696, Swift copy.pdf,....exe: 4 events
  pid 1832, RegSvcs.exe: 2 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2696, Swift copy.pdf,....exe
  Token: SeDebugPrivilege, pid 1832, RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2696 (Swift copy.pdf,....exe) wrote to memory of 224 (schtasks.exe): 3 events
  PID 2696 (Swift copy.pdf,....exe) wrote to memory of 1832 (RegSvcs.exe): 8 events
  PID 1832 (RegSvcs.exe) wrote to memory of 3516 (REG.exe): 3 events
- outlook_office_path (1 IoC)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
- outlook_win_path (1 IoC)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy.pdf,....exe
  PID: 2696
  command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.pdf,....exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\schtasks.exe
    PID: 224
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PoWDGuAorsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp"
    signatures: Creates scheduled task(s)
    (The image is under SysWOW64 although the command line names System32: the 32-bit parent is subject to file system redirection.)
  - child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    PID: 1832
    command line: "{path}"
    signatures: Drops file in Drivers directory; Accesses Microsoft Outlook profiles; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - child: C:\Windows\SysWOW64\REG.exe
      PID: 3516
      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
      signatures: Modifies registry key
      (The spaces after each "/" are as recorded in the report.)
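The process tree and signatures above describe one chain: a dropper in %TEMP% spawns RegSvcs.exe with the literal "{path}" command line, writes into it and redirects its thread, and the hollowed host then reads Outlook profiles, sets a Run key, edits the hosts file and disables Task Manager while schtasks imports a task from a tmp file. The following is an added example, not part of the sandbox report or its tooling, that turns those observations into correlation rules and runs them over constructed events. The event schema (type, pid, ppid, image, cmdline, key, value, target, granted_access) is an assumption for illustration, not Sysmon's; the sample events are built from the PIDs, paths and command lines listed in this report, and the granted_access mask is an assumed full-access value the report does not state.

```python
"""Added example, not part of the sandbox report: correlates the behaviours the
report attributes to this AgentTesla chain (RegSvcs.exe hollowing, Run key and
schtasks persistence, Outlook profile access, hosts file edit, DisableTaskMgr).
Events use a constructed dict schema, not real Sysmon records; the sample events
are built from the PIDs, paths and command lines in the report."""
import re

# Process access rights needed to write into another process (Windows constants).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# .NET Framework utilities commonly used as hollowing hosts; RegSvcs.exe is the one in this report.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "aspnet_compiler.exe"}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
# GUID of the default Outlook profile key, as seen in the report's registry IoCs.
OUTLOOK_PROFILE_GUID = "9375cff0413111d3b88a00104b2a6676"


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return sorted (rule, pid) findings for a list of event dicts."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = set()
    for e in events:
        pid = e["pid"]
        actor = _image_name(procs.get(pid, {"image": ""})["image"])
        if e["type"] == "process_create":
            name = _image_name(e["image"])
            cmd = e.get("cmdline", "")
            parent = procs.get(e.get("ppid"), {"image": ""})["image"].lower()
            # .NET host started by a %TEMP% binary with the literal "{path}" command line seen in the report
            if name in DOTNET_HOSTS and cmd.strip() == '"{path}"' and "\\appdata\\local\\temp\\" in parent:
                findings.add(("dotnet_host_hollowing_candidate", pid))
            # schtasks importing a task definition from a tmpXXX.tmp file in %TEMP%
            if name == "schtasks.exe" and re.search(
                    r'/create\b.*?/xml\s+"?[^"]*\\appdata\\local\\temp\\tmp[0-9a-f]+\.tmp', cmd, re.I):
                findings.add(("schtasks_xml_from_temp", pid))
            # reg.exe disabling Task Manager through the per-user Policies\System key
            if name == "reg.exe" and re.search(r"policies\\system.*disabletaskmgr", cmd, re.I):
                findings.add(("disable_taskmgr_policy", pid))
        elif e["type"] == "process_access":
            # parent writes into its freshly spawned .NET host child (WriteProcessMemory / SetThreadContext pattern)
            target = procs.get(e["target_pid"])
            want = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            if (target and _image_name(target["image"]) in DOTNET_HOSTS
                    and target.get("ppid") == pid and e["granted_access"] & want == want):
                findings.add(("parent_writes_into_dotnet_host", pid))
        elif e["type"] == "registry_open":
            key = e["key"].lower()
            if key.endswith(r"\control panel\international\geo\nation"):
                findings.add(("geo_nation_lookup", pid))  # low signal on its own
            if OUTLOOK_PROFILE_GUID in key and "\\outlook\\profiles\\" in key and actor in DOTNET_HOSTS:
                findings.add(("outlook_profile_access_by_dotnet_host", pid))
        elif e["type"] == "registry_set":
            # Run key pointing at AppData\Roaming\<name>\<name>.exe; the report shows AvWCA\AvWCA.exe
            value = e["value"].replace("\\\\", "\\")  # the report renders the value with doubled backslashes
            if re.search(r"\\software\\microsoft\\windows\\currentversion\\run\\", e["key"], re.I):
                m = re.search(r'appdata\\roaming\\([^\\"]+)\\([^\\"]+)\.exe', value, re.I)
                if m and m.group(1).lower() == m.group(2).lower():
                    findings.add(("run_key_roaming_selfnamed", pid))
        elif e["type"] == "file_modify":
            if e["target"].lower() == HOSTS_FILE and actor in DOTNET_HOSTS:
                findings.add(("hosts_file_modified_by_dotnet_host", pid))
    return sorted(findings)


def verdict(findings):
    """Escalate only when injection, credential access and persistence all appear."""
    rules = {r for r, _ in findings}
    injection = rules & {"dotnet_host_hollowing_candidate", "parent_writes_into_dotnet_host"}
    persistence = rules & {"run_key_roaming_selfnamed", "schtasks_xml_from_temp"}
    if injection and persistence and "outlook_profile_access_by_dotnet_host" in rules:
        return "agenttesla_like_chain"
    return "suspicious" if rules else "no_match"


SID = r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"
SAMPLE_EVENTS = [  # constructed from the report; granted_access is an assumed full-access mask
    {"type": "process_create", "pid": 2696, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Swift copy.pdf,....exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Swift copy.pdf,....exe"'},
    {"type": "registry_open", "pid": 2696, "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 224, "ppid": 2696, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PoWDGuAorsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp"'},
    {"type": "process_create", "pid": 1832, "ppid": 2696, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmdline": '"{path}"'},
    {"type": "process_access", "pid": 2696, "target_pid": 1832, "granted_access": 0x1FFFFF},
    {"type": "registry_open", "pid": 1832, "key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "registry_set", "pid": 1832, "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvWCA",
     "value": r"C:\\Users\\Admin\\AppData\\Roaming\\AvWCA\\AvWCA.exe"},
    {"type": "file_modify", "pid": 1832, "target": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "process_create", "pid": 3516, "ppid": 1832, "image": r"C:\Windows\SysWOW64\REG.exe",
     "cmdline": r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f"},
]
BENIGN_EVENTS = [  # constructed: an ordinary user session that should not fire any rule
    {"type": "process_create", "pid": 4000, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry_set", "pid": 4000, "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid {pid}")
    print("verdict:", verdict(detect(SAMPLE_EVENTS)))
```

The verdict deliberately requires all three stages (injection into the .NET host, Outlook profile access by that host, and a persistence mechanism) before naming the family; any single rule, such as the Geo\Nation lookup or a Run key under Roaming, is too common on its own and is only reported as suspicious. The DOTNET_HOSTS set extends the report's RegSvcs.exe to the other Framework utilities that are abused the same way; that generalisation is the author's, not the report's.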
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp (the task XML passed to schtasks.exe /XML by PID 2696)
  Filesize: 1KB
  MD5: 2236d4a4e1f2c706cf435dfd68833c4a
  SHA1: 3d36aabcce518adef02b552be4a7d3d41116c7f1
  SHA256: fb5a72ab5ecd7e2bdaa3c941956dbaf66933c8e9a068364cca8d838cb8de908e
  SHA512: 35d8364df36b5d054269fe4bd3fa63e7420b2d657e8d7f6135f28af557d36c0e3ac26b1b46e66965bc12a3e2be16c7782e14063d739e1d1a4e7db876541fbdf5
- memory/224-135-0x0000000000000000-mapping.dmp
- memory/1832-137-0x0000000000000000-mapping.dmp
- memory/1832-138-0x0000000000400000-0x000000000044C000-memory.dmp (region matched by the family_agenttesla YARA rule)
  Filesize: 304KB
- memory/1832-139-0x00000000066D0000-0x0000000006736000-memory.dmp
  Filesize: 408KB
- memory/1832-140-0x0000000006EA0000-0x0000000006EF0000-memory.dmp
  Filesize: 320KB
- memory/2696-130-0x0000000000F80000-0x000000000101E000-memory.dmp
  Filesize: 632KB
- memory/2696-131-0x0000000006080000-0x0000000006624000-memory.dmp
  Filesize: 5.6MB
- memory/2696-132-0x00000000059E0000-0x0000000005A72000-memory.dmp
  Filesize: 584KB
- memory/2696-133-0x00000000059B0000-0x00000000059BA000-memory.dmp
  Filesize: 40KB
- memory/2696-134-0x0000000005CA0000-0x0000000005D3C000-memory.dmp
  Filesize: 624KB
- memory/3516-141-0x0000000000000000-mapping.dmp