Analysis
- max time kernel: 128s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:42
Static task: static1
Behavioral task: behavioral1
- Sample: Swift copy.pdf.. (2).exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift copy.pdf.. (2).exe
- Resource: win10v2004-20220414-en
General
- Target: Swift copy.pdf.. (2).exe
- Size: 726KB
- MD5: d6f16dcc168e50d0f56ab75145967baa
- SHA1: 53e0b0dc082921fd979bcdaf51e22d57c13e35d7
- SHA256: a63ac2c19153c340a54a2be27ac53722f5c5a653fd851b32931add8fe353c6c3
- SHA512: ec36263b3df765414755641f32c0c9af54017140e406886514e94c2ac82d9c38d00c0cf7341d7e84df348c66a44de6b49167d7ff4344dd9139267739318f8ffa
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.stankovic.hr
- Port: 587
- Username: [email protected]
- Password: mp58zg
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1476-64-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1476-65-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1476-66-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1476-67-0x000000000044729E-mapping.dmp | family_agenttesla
  behavioral1/memory/1476-69-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1476-71-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\oPLNOE = "C:\\Users\\Admin\\AppData\\Roaming\\oPLNOE\\oPLNOE.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Swift copy.pdf.. (2).exe
  description | pid | process | target process
  PID 1492 set thread context of 1476 | 1492 | Swift copy.pdf.. (2).exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: Swift copy.pdf.. (2).exe, RegSvcs.exe
  pid | process
  1492 | Swift copy.pdf.. (2).exe
  1492 | Swift copy.pdf.. (2).exe
  1492 | Swift copy.pdf.. (2).exe
  1476 | RegSvcs.exe
  1476 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Swift copy.pdf.. (2).exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1492 | Swift copy.pdf.. (2).exe
  Token: SeDebugPrivilege | 1476 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: Swift copy.pdf.. (2).exe, RegSvcs.exe
  description | pid | process | target process
  PID 1492 wrote to memory of 2024 | 1492 | Swift copy.pdf.. (2).exe | schtasks.exe (4 identical entries)
  PID 1492 wrote to memory of 1476 | 1492 | Swift copy.pdf.. (2).exe | RegSvcs.exe (12 identical entries)
  PID 1476 wrote to memory of 1972 | 1476 | RegSvcs.exe | REG.exe (4 identical entries)
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy.pdf.. (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.pdf.. (2).exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    Signatures:
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Child processes:
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
      Signatures:
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp
  Filesize: 1KB
  MD5: d2aa72e1e0a9b7dcb81af5082540153a
  SHA1: 69f84c985fea812daa2fcfd1941a7d60facb4a7e
  SHA256: c7a368be198491672c06e17b5626878b39a06de3bb28c0f028cc3aff46e43d3d
  SHA512: 541bbb3c838c14bfc2c91d1394a99a72f76ad8c3534da1215336ffdc3d63922d456af573ced60d5dff7f9e70fc1f7c8f3cd8ad997374356ecb784695ea312692
- memory/1476-67-0x000000000044729E-mapping.dmp
- memory/1476-66-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1476-71-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1476-69-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1476-62-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1476-65-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1476-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1476-64-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1492-56-0x0000000000430000-0x0000000000438000-memory.dmp
  Filesize: 32KB
- memory/1492-55-0x0000000074C81000-0x0000000074C83000-memory.dmp
  Filesize: 8KB
- memory/1492-54-0x00000000000F0000-0x00000000001AC000-memory.dmp
  Filesize: 752KB
- memory/1492-58-0x0000000004F20000-0x0000000004F76000-memory.dmp
  Filesize: 344KB
- memory/1492-57-0x00000000047F0000-0x0000000004864000-memory.dmp
  Filesize: 464KB
- memory/1972-73-0x0000000000000000-mapping.dmp
- memory/2024-59-0x0000000000000000-mapping.dmp