Analysis
- max time kernel: 149s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:13

Static task: static1
Behavioral task: behavioral1
- Sample: Swift copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Swift copy.exe
- Size: 754KB
- MD5: 07c4b11a9ae9fa3e3aaf32d4573ed3d0
- SHA1: 10cc46bddfba53ee47579252672470f84a3e3853
- SHA256: ac91a92482a83fc39b66e0e3f6c46839fd77d16316c38830a9921ca707e824af
- SHA512: 92cbfe7748ec29b1ee860a4e7fbfa9385b37b91ca5771cd1e92884c9085f8882f6d14805b4cd8c4daeb975b3c518a9ada92419b91b5f3ea5e0047d135ff1e461
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dicera.com
- Port: 587
- Username: [email protected]
- Password: 796147
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/988-62-0x0000000000400000-0x0000000000458000-memory.dmp / family_agenttesla
  - behavioral1/memory/988-61-0x0000000000400000-0x0000000000458000-memory.dmp / family_agenttesla
  - behavioral1/memory/988-63-0x0000000000400000-0x0000000000458000-memory.dmp / family_agenttesla
  - behavioral1/memory/988-64-0x000000000045371E-mapping.dmp / family_agenttesla
  - behavioral1/memory/988-66-0x0000000000400000-0x0000000000458000-memory.dmp / family_agenttesla
  - behavioral1/memory/988-68-0x0000000000400000-0x0000000000458000-memory.dmp / family_agenttesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Swift copy.exe
  - Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Swift copy.exe
  - Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Swift copy.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 108 set thread context of 988 / 108 / Swift copy.exe / Swift copy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 988 / Swift copy.exe
  - 988 / Swift copy.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 988 / Swift copy.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 988 / Swift copy.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
  - PID 108 wrote to memory of 1132 / 108 / Swift copy.exe / schtasks.exe
  - PID 108 wrote to memory of 1132 / 108 / Swift copy.exe / schtasks.exe
  - PID 108 wrote to memory of 1132 / 108 / Swift copy.exe / schtasks.exe
  - PID 108 wrote to memory of 1132 / 108 / Swift copy.exe / schtasks.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
  - PID 108 wrote to memory of 988 / 108 / Swift copy.exe / Swift copy.exe
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Swift copy.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Swift copy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jITnqkiWCFleV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EF3.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5EF3.tmp (Filesize: 1KB)
  MD5: 510ca0e876d027272d1f1e68e7d6da5d
  SHA1: 5b97fa40d86e7c52e3b043e52c7c8381a2641d40
  SHA256: f16051b5ef22e106ff200847c22cbe56eab04ed856b26a42519eaa74450640fc
  SHA512: 71a0523871f55eedf31ce7913968afd74efb60e2ba267949869177ca06ce2b0ab010abc6df44bf7beea83194f384868b340b9ad4fe2cc891e82ccc31d28b62a2
- memory/108-55-0x00000000741E0000-0x000000007478B000-memory.dmp (Filesize: 5.7MB)
- memory/108-54-0x0000000075A61000-0x0000000075A63000-memory.dmp (Filesize: 8KB)
- memory/988-62-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-58-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-59-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-61-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-63-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-64-0x000000000045371E-mapping.dmp
- memory/988-66-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-68-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/988-70-0x0000000074160000-0x000000007470B000-memory.dmp (Filesize: 5.7MB)
- memory/1132-56-0x0000000000000000-mapping.dmp