Analysis
  Max time kernel: 146s
  Max time network: 157s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 20-05-2022 23:44
Tasks
  Static task: static1
  Behavioral task: behavioral1 (Sample: SWIFT.exe, Resource: win7-20220414-en)
  Behavioral task: behavioral2 (Sample: SWIFT.exe, Resource: win10v2004-20220414-en)
General
  Target: SWIFT.exe
  Size: 766KB
  MD5: c7685d6c04940a9a9bdce7645ad5121d
  SHA1: 352ad790c8582959f43c453d4918f02a0333afdc
  SHA256: 0c39b4af77c7279bf8a36e9e337f0ca1af96ca31c1fda5599c5dc8183118e54c
  SHA512: 71ddb906085282566d41c2527a721013349e4c7df6cfd676584c03702c789d9313dcb1363679af78ce57123129491bb657c9c60c34cda262fe0ff4d05140ea61
Malware Config
  Extracted family: agenttesla
  Protocol: smtp
  Host: mail.aquariuslogistics.com
  Port: 587
  Username: [email protected]
  Password: AQL@2019#$
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (IoCs: 1)
  resource: behavioral2/memory/4552-137-0x0000000000400000-0x0000000000474000-memory.dmp
  yara_rule: family_agenttesla
Drops file in Drivers directory (IoCs: 1)
  process: RegSvcs.exe
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
Checks computer location settings (TTPs: 2, IoCs: 1)
  Looks up the country code configured in the registry, likely a geofence.
  process: SWIFT.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Accesses Microsoft Outlook profiles (TTPs: 1, IoCs: 3)
  process: RegSvcs.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Adds Run key to start application (TTPs: 2, IoCs: 1)
  process: RegSvcs.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sLbGMVN = "C:\\Users\\Admin\\AppData\\Roaming\\sLbGMVN\\sLbGMVN.exe"
Suspicious use of SetThreadContext (IoCs: 1)
  PID 728 (SWIFT.exe) set thread context of PID 4552 (RegSvcs.exe)
Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (TTPs: 1, IoCs: 1)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (IoCs: 2)
  PID 4552 (RegSvcs.exe), 2 events

Suspicious use of AdjustPrivilegeToken (IoCs: 1)
  PID 4552 (RegSvcs.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (IoCs: 11)
  PID 728 (SWIFT.exe) wrote to memory of PID 2616 (schtasks.exe), 3 events
  PID 728 (SWIFT.exe) wrote to memory of PID 4552 (RegSvcs.exe), 8 events
outlook_office_path (IoCs: 1)
  process: RegSvcs.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (IoCs: 1)
  process: RegSvcs.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

1. C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
   Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vTIClpBZBl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE109.tmp"
      Signatures: Creates scheduled task(s)

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 1)
      Command line: "{path}"
      Signatures: Drops file in Drivers directory; Accesses Microsoft Outlook profiles; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE109.tmp
  Filesize: 1KB
  MD5: db5c7a26ef6f68407fd0e7d352c069ff
  SHA1: ae80bb7f1f8272dc166f82698ba1f643bce2488e
  SHA256: d8bc6954f54cea8ce1f4babe804b1c060c6d486234d0630fafb66d3246529e48
  SHA512: 574049dc128938a5258dc6b5826a53dd2a1995400aaad3baedef2da37f7c60cbdabf4421e975f491b3e92d0460f85baefa086acbca3ebb33826e1b35e15f1f3d

memory/728-130-0x0000000000FB0000-0x0000000001074000-memory.dmp (Filesize: 784KB)
memory/728-131-0x0000000008460000-0x0000000008A04000-memory.dmp (Filesize: 5.6MB)
memory/728-132-0x0000000007F50000-0x0000000007FE2000-memory.dmp (Filesize: 584KB)
memory/728-133-0x0000000007FF0000-0x000000000808C000-memory.dmp (Filesize: 624KB)
memory/2616-134-0x0000000000000000-mapping.dmp
memory/4552-136-0x0000000000000000-mapping.dmp
memory/4552-137-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
memory/4552-138-0x00000000056D0000-0x0000000005736000-memory.dmp (Filesize: 408KB)
memory/4552-139-0x0000000006340000-0x0000000006390000-memory.dmp (Filesize: 320KB)