Analysis
- max time kernel: 126s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:13
Static task: static1
Behavioral task: behavioral1
- Sample: Swift copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Swift copy.exe
- Size: 754KB
- MD5: 07c4b11a9ae9fa3e3aaf32d4573ed3d0
- SHA1: 10cc46bddfba53ee47579252672470f84a3e3853
- SHA256: ac91a92482a83fc39b66e0e3f6c46839fd77d16316c38830a9921ca707e824af
- SHA512: 92cbfe7748ec29b1ee860a4e7fbfa9385b37b91ca5771cd1e92884c9085f8882f6d14805b4cd8c4daeb975b3c518a9ada92419b91b5f3ea5e0047d135ff1e461
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dicera.com
- Port: 587
- Username: SalestoEurope@dicera.com
- Password: 796147
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/3988-134-0x0000000000400000-0x0000000000458000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Swift copy.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Swift copy.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: Swift copy.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Swift copy.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Swift copy.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Swift copy.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Swift copy.exe
    description | pid | process | target process
    PID 5004 set thread context of 3988 | 5004 | Swift copy.exe | Swift copy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Swift copy.exe
    pid | process
    3988 | Swift copy.exe
    3988 | Swift copy.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Swift copy.exe
    description | pid | process
    Token: SeDebugPrivilege | 3988 | Swift copy.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Swift copy.exe
    pid | process
    3988 | Swift copy.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Swift copy.exe
    description | pid | process | target process
    PID 5004 wrote to memory of 4368 | 5004 | Swift copy.exe | schtasks.exe
    PID 5004 wrote to memory of 4368 | 5004 | Swift copy.exe | schtasks.exe
    PID 5004 wrote to memory of 4368 | 5004 | Swift copy.exe | schtasks.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
    PID 5004 wrote to memory of 3988 | 5004 | Swift copy.exe | Swift copy.exe
- outlook_office_path (1 IoCs)
  Processes: Swift copy.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Swift copy.exe
- outlook_win_path (1 IoCs)
  Processes: Swift copy.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Swift copy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jITnqkiWCFleV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Swift copy.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Swift copy.exe.log
  Filesize: 496B
  MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
  SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
  SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
  SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
- C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp
  Filesize: 1KB
  MD5: ff7282b83d99e9d15a93072da1de577b
  SHA1: 4f9654ffc367839db197501d7e13cebd80f6f8db
  SHA256: a7787eb69fa54ce7c8d98e0af8589d335dd8daedfc911589ec1fbb17e0ccb3dc
  SHA512: 586c8f008af83c5a612505dd1a848d851095f261a12ea3c737607d38a7d14b669ccb2107c93a4e559e9beb2945a226a8b0c67ab2c934290f028510bb50173685
- memory/3988-133-0x0000000000000000-mapping.dmp
- memory/3988-134-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/3988-136-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB
- memory/4368-131-0x0000000000000000-mapping.dmp
- memory/5004-130-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB