Analysis
-
max time kernel
153s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 23:44
General
-
Target
SWIFT.exe
-
Size
766KB
-
MD5
c7685d6c04940a9a9bdce7645ad5121d
-
SHA1
352ad790c8582959f43c453d4918f02a0333afdc
-
SHA256
0c39b4af77c7279bf8a36e9e337f0ca1af96ca31c1fda5599c5dc8183118e54c
-
SHA512
71ddb906085282566d41c2527a721013349e4c7df6cfd676584c03702c789d9313dcb1363679af78ce57123129491bb657c9c60c34cda262fe0ff4d05140ea61
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.aquariuslogistics.com - Port:
587 - Username:
[email protected] - Password:
AQL@2019#$
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vTIClpBZBl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC8A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpDC8A.tmpFilesize
1KB
MD5d3922f7ce1c5d12072d269a08d11cd44
SHA163dd559576c384e089c91fe1b7f63a41291c869d
SHA25607ff16eaca9441d0957e516cbde61ca4fa34a78510e69a25be578a44fbf683f4
SHA512a94143e4bd09eb42db223ab841e25c3dcd864059ac39a215eac34bee8dc8883899c152c19d67487be381e831f786e384551a9d2713f47f346ea11b424a3d5298
-
memory/916-55-0x00000000006D0000-0x00000000006DA000-memory.dmpFilesize
40KB
-
memory/916-56-0x0000000007120000-0x000000000719C000-memory.dmpFilesize
496KB
-
memory/916-54-0x0000000000200000-0x00000000002C4000-memory.dmpFilesize
784KB
-
memory/1960-65-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-59-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-60-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-62-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-64-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-66-0x00000000004472EE-mapping.dmp
-
memory/1960-68-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-70-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/1960-71-0x00000000753B1000-0x00000000753B3000-memory.dmpFilesize
8KB
-
memory/1992-57-0x0000000000000000-mapping.dmp