Analysis
- Max time kernel: 130s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 00:35
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT COPY.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: SWIFT COPY.exe
- Resource: win10v2004-20220414-en
General
- Target: SWIFT COPY.exe
- Size: 455KB
- MD5: 0565d209758be998f0eb7b764dfa2f21
- SHA1: f1b35ab78a4829ad9e516ce1f0f68c9facaf358b
- SHA256: c7c9c54e67529a2afb9a46a715a308bbb4089a90891062585ed22b08e0a2eb2f
- SHA512: 3b7ef62a7e93bba4a856319acdd311494889ce65359dcc071491ada0a05f3c1cf1fcbfbf10627c34bc6a373788f5f4cf80351834946362862900ff8ad75a62e1
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.consolprinting.com
- Port: 587
- Username: [email protected]
- Password: fin@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource: behavioral2/memory/4148-136-0x0000000000400000-0x000000000044C000-memory.dmp
    yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: SWIFT COPY.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    process: SWIFT COPY.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: SWIFT COPY.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: SWIFT COPY.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: SWIFT COPY.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: SWIFT COPY.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: SWIFT COPY.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"
    process: SWIFT COPY.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SWIFT COPY.exe
    description: PID 2424 set thread context of 4148
    pid: 2424
    process: SWIFT COPY.exe
    target process: SWIFT COPY.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: SWIFT COPY.exe, SWIFT COPY.exe
    pid 2424, SWIFT COPY.exe (6 hits)
    pid 4148, SWIFT COPY.exe (2 hits)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: SWIFT COPY.exe
    pid 4148, SWIFT COPY.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: SWIFT COPY.exe, SWIFT COPY.exe
    description: Token: SeDebugPrivilege; pid 2424; process SWIFT COPY.exe
    description: Token: SeDebugPrivilege; pid 4148; process SWIFT COPY.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: SWIFT COPY.exe
    description: PID 2424 wrote to memory of 4864; pid 2424; process SWIFT COPY.exe; target process schtasks.exe (3 hits)
    description: PID 2424 wrote to memory of 4148; pid 2424; process SWIFT COPY.exe; target process SWIFT COPY.exe (8 hits)
- outlook_office_path (1 IoC)
  Processes: SWIFT COPY.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: SWIFT COPY.exe
- outlook_win_path (1 IoC)
  Processes: SWIFT COPY.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: SWIFT COPY.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IuWFlD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1388.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT COPY.exe.log
  Filesize: 412B
  MD5: ad1c7f6525cfeb54c0487efd38b0e26c
  SHA1: ed3da94723ac7e3828a9e93d68418bb810592f3b
  SHA256: 0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276
  SHA512: 48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c
- C:\Users\Admin\AppData\Local\Temp\tmp1388.tmp
  Filesize: 1KB
  MD5: 120cdde5eda3271d58fcca5129bb5d1b
  SHA1: 5cd8d9a7fcd50105d147329f51d4a4ed1f8e2f08
  SHA256: 765e157b1e2040471ad0d73e156626bdd690e9620a05f0c43224a20b60725d1b
  SHA512: ea9471683f835f88c6ab3ae0e2ae0513493e9f2053e4fb2aeac35897f0faa3c1667725c960bfb9c4d6162472c64ee7c0a8204e05113ac89e43c3fcfb92172bf5
- memory/2424-130-0x0000000000200000-0x0000000000278000-memory.dmp
  Filesize: 480KB
- memory/2424-131-0x0000000004F50000-0x0000000004FEC000-memory.dmp
  Filesize: 624KB
- memory/2424-132-0x0000000005090000-0x0000000005122000-memory.dmp
  Filesize: 584KB
- memory/4148-135-0x0000000000000000-mapping.dmp
- memory/4148-136-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/4148-138-0x0000000005540000-0x0000000005AE4000-memory.dmp
  Filesize: 5.6MB
- memory/4148-139-0x0000000005EA0000-0x0000000005F06000-memory.dmp
  Filesize: 408KB
- memory/4148-140-0x0000000006690000-0x00000000066E0000-memory.dmp
  Filesize: 320KB
- memory/4864-133-0x0000000000000000-mapping.dmp