Analysis
- max time kernel: 149s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:25
Static task: static1
Behavioral task: behavioral1
- Sample: emiratenbd_swift_mt103.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: emiratenbd_swift_mt103.exe
- Resource: win10v2004-20220414-en
General
- Target: emiratenbd_swift_mt103.exe
- Size: 671KB
- MD5: 01b5201376abbbc0296f96d9036fc563
- SHA1: 408eca35decfeaa6dad261b10819df717e111b89
- SHA256: e71642990d5d7a50d9495bdc23ea33543fe7a27e33becd9ec7c021be2bb45494
- SHA512: e09a6ecfaeb497550be869053348354be2682b92b104f95c5d722c7b4ea328d1ec49f4e59899de1a158f2d49a48e009a91bd42957994460cb97c8f988465bbae
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.khokhwmeshmesh.com
- Port: 587
- Username: hr@khokhwmeshmesh.com
- Password: hr@kmc1800066
These are the credentials of the attacker-controlled mailbox the stealer logs into (over SMTP submission on port 587) to send stolen data to; they are exfiltration indicators to block and report, not a credential belonging to the victim.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); this sample's extracted configuration exfiltrates over SMTP.

CoreEntity .NET Packer 1 IoCs
CoreEntity is a .NET packer that embeds its payload as a Bitmap object which is decrypted at runtime.
Processes:
- behavioral1/memory/916-57-0x0000000000390000-0x0000000000398000-memory.dmp (yara_rule: coreentity)
AgentTesla Payload 6 IoCs
Processes:
- behavioral1/memory/632-65-0x0000000000400000-0x0000000000452000-memory.dmp (yara_rule: family_agenttesla)
- behavioral1/memory/632-64-0x0000000000400000-0x0000000000452000-memory.dmp (yara_rule: family_agenttesla)
- behavioral1/memory/632-66-0x0000000000400000-0x0000000000452000-memory.dmp (yara_rule: family_agenttesla)
- behavioral1/memory/632-67-0x000000000044CE3E-mapping.dmp (yara_rule: family_agenttesla)
- behavioral1/memory/632-69-0x0000000000400000-0x0000000000452000-memory.dmp (yara_rule: family_agenttesla)
- behavioral1/memory/632-71-0x0000000000400000-0x0000000000452000-memory.dmp (yara_rule: family_agenttesla)
Looks for VirtualBox Guest Additions in registry 2 TTPs

ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
- behavioral1/memory/916-58-0x00000000054D0000-0x000000000552A000-memory.dmp (yara_rule: rezer0)

Looks for VMWare Tools registry key 2 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- emiratenbd_swift_mt103.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- emiratenbd_swift_mt103.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- emiratenbd_swift_mt103.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- emiratenbd_swift_mt103.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
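The four registry checks flagged above (VirtualBox Guest Additions, VMware Tools, SystemBiosVersion/VideoBiosVersion, and the Disk\Enum device IDs) are the standard VM fingerprint a loader runs before it unpacks. The following is an added example, not code from the report or from the sample, that reproduces that heuristic over constructed registry snapshots so an analyst can see which values a default VirtualBox guest leaks and what a hardened sandbox must change before the payload stage is reached. The Guest Additions and VMware Tools key paths are assumptions (the report names the checks but does not print the paths), and both snapshots are constructed, not captured.

```python
# Added example (not from the Triage report): reproduces registry-based VM/sandbox
# fingerprinting of the kind the signatures above describe. Registry snapshots are
# constructed dicts, not live reads.
import re

# Markers that show up in the queried values on unhardened guests.
VM_MARKERS = re.compile(r"vbox|virtual|vmware|qemu|bochs|xen", re.I)

# Key paths taken from the report's "Checks BIOS information" and
# "Maps connected drives" signatures.
BIOS_KEYS = (
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
DISK_ENUM_KEY = r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum"
# Assumed locations for the two "Looks for ..." signatures; the report does not print them.
TOOLS_KEYS = (
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
)


def vm_indicators(registry):
    """Return the indicators a loader like this one would trip on.

    `registry` maps a full key path to either a string (a single value that is
    queried) or a dict of value-name -> data (a key whose values are enumerated).
    """
    hits = []
    for key in BIOS_KEYS:
        data = registry.get(key, "")
        if VM_MARKERS.search(data):
            hits.append(f"{key} = {data!r}")
    # Disk\Enum\<n> holds the PnP device ID of each enumerated disk; on a default
    # VirtualBox guest the vendor string in it is VBOX.
    for name, data in registry.get(DISK_ENUM_KEY, {}).items():
        if name != "Count" and VM_MARKERS.search(data):
            hits.append(f"{DISK_ENUM_KEY}\\{name} = {data!r}")
    for key in TOOLS_KEYS:
        if key in registry:
            hits.append(f"{key} present")
    return hits


def looks_like_sandbox(registry):
    return bool(vm_indicators(registry))


# Constructed snapshot of an unhardened VirtualBox guest with Guest Additions installed.
DEFAULT_VBOX = {
    BIOS_KEYS[0]: "VBOX   - 1",
    BIOS_KEYS[1]: "Oracle VM VirtualBox VESA BIOS",
    DISK_ENUM_KEY: {"Count": "1",
                    "0": r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1b0bd3a5&0&000000"},
    TOOLS_KEYS[0]: {"Version": "6.1.32"},
}

# Constructed snapshot of a guest whose BIOS strings and disk IDs were rewritten and
# whose guest tools were not installed: the shape a sandbox needs to pass this stage.
HARDENED = {
    BIOS_KEYS[0]: "DELL   - 1072009",
    BIOS_KEYS[1]: "Intel(R) UHD Graphics Video BIOS",
    DISK_ENUM_KEY: {"Count": "1",
                    "0": r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HBJQ\4&2f8e1c0a&0&000000"},
}

if __name__ == "__main__":
    for label, snap in (("default VirtualBox", DEFAULT_VBOX), ("hardened", HARDENED)):
        verdict = "sandbox detected" if looks_like_sandbox(snap) else "passes"
        print(f"{label}: {verdict}")
        for hit in vm_indicators(snap):
            print("   ", hit)
```

The heuristic is deliberately crude (a case-insensitive substring match), which is also why it works against analysts: every one of the four hits on the default guest comes from a value the hypervisor populates by default, and all of them must be changed together, since the loader only needs one.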
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 916 (emiratenbd_swift_mt103.exe) set thread context of PID 632 (emiratenbd_swift_mt103.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage labels this as likely ransomware behaviour, but in this run it coincides with the registry-based drive and BIOS checks above and no file encryption is observed (the only dropped file is the 1KB task XML), so here it is consistent with sandbox fingerprinting by an infostealer rather than with encryption.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
- PID 916 emiratenbd_swift_mt103.exe
- PID 632 emiratenbd_swift_mt103.exe
- PID 632 emiratenbd_swift_mt103.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 916 emiratenbd_swift_mt103.exe
- Token: SeDebugPrivilege, PID 632 emiratenbd_swift_mt103.exe

Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- PID 916 (emiratenbd_swift_mt103.exe) wrote to memory of PID 744 (schtasks.exe): 4 events
- PID 916 (emiratenbd_swift_mt103.exe) wrote to memory of PID 632 (emiratenbd_swift_mt103.exe): 9 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\emiratenbd_swift_mt103.exe (PID 916)
   Command line: "C:\Users\Admin\AppData\Local\Temp\emiratenbd_swift_mt103.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (PID 744)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mYSfqBWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD15.tmp"
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\emiratenbd_swift_mt103.exe (PID 632)
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
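The process tree and the SetThreadContext, WriteProcessMemory and AdjustPrivilegeToken tables describe one chain: the loader (PID 916) registers a scheduled task from an XML file in its own Temp directory, re-launches its own image (PID 632), writes the unpacked Agent Tesla payload into that child, and resets the child's thread context to run it. The following is an added example, not code from the report, the sandbox or the sample: detection logic run over a constructed event stream that mirrors those tables, with one rule per behaviour. The event field names are this example's own and do not follow any particular EDR or Sysmon schema.

```python
# Added example (not from the Triage report): three detection rules over a constructed
# process-telemetry stream modelled on the report's process tree and signature tables
# (pid 916 -> 744 schtasks.exe, 916 -> 632 self-spawn with SetThreadContext and
# WriteProcessMemory, SeDebugPrivilege in 916 and 632).
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\emiratenbd_swift_mt103.exe"

# Constructed events; the parent of 916 is not in the report, so it is left as None.
EVENTS = [
    {"type": "process_create", "pid": 916, "ppid": None, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "privilege", "pid": 916, "name": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 744, "ppid": 916,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mYSfqBWV" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFD15.tmp"'},
    # Four writes into the freshly created schtasks child (ordinary CreateProcess work).
    *[{"type": "write_process_memory", "pid": 916, "target": 744} for _ in range(4)],
    {"type": "process_create", "pid": 632, "ppid": 916, "image": SAMPLE,
     "cmdline": '"{path}"'},
    # Nine writes into the self-spawned child, then its thread context is replaced.
    *[{"type": "write_process_memory", "pid": 916, "target": 632} for _ in range(9)],
    {"type": "set_thread_context", "pid": 916, "target": 632},
    {"type": "privilege", "pid": 632, "name": "SeDebugPrivilege"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
XML_RE = re.compile(r'/XML\s+"?([^"\s]+)', re.I)
TN_RE = re.compile(r'/TN\s+"?([^"\s]+)', re.I)   # sufficient for task names without spaces


def detect(events):
    """Return a list of alert tuples; the first element names the rule that fired."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)   # (writer pid, target pid) -> WriteProcessMemory count
    ctx = set()                 # (caller pid, target pid) pairs seen in SetThreadContext
    privs = defaultdict(set)    # pid -> privileges enabled
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context":
            ctx.add((e["pid"], e["target"]))
        elif e["type"] == "privilege":
            privs[e["pid"]].add(e["name"])

    alerts = []
    for pid, p in procs.items():
        image, cmd = p["image"].lower(), p["cmdline"]
        # Rule 1: schtasks /Create importing a task definition from the user's Temp dir.
        # Match on the resolved image, not the command line: the command line names
        # System32 but the 32-bit parent was redirected to SysWOW64.
        if image.endswith(r"\schtasks.exe") and "/create" in cmd.lower():
            xml, tn = XML_RE.search(cmd), TN_RE.search(cmd)
            if xml and TEMP_RE.search(xml.group(1)):
                alerts.append(("schtasks_xml_from_temp", pid,
                               tn.group(1) if tn else None, xml.group(1)))
        # Rule 2: hollowing of a child that runs the parent's own image: same image
        # path, WriteProcessMemory into it, then SetThreadContext on it.
        parent = procs.get(p["ppid"])
        if parent and parent["image"].lower() == image:
            key = (parent["pid"], pid)
            if key in ctx and writes[key]:
                alerts.append(("self_hollowing", parent["pid"], pid, writes[key]))
        # Rule 3: SeDebugPrivilege enabled by a binary executing out of Temp.
        if "SeDebugPrivilege" in privs[pid] and TEMP_RE.search(p["image"]):
            alerts.append(("debug_priv_from_temp", pid))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two details in the report drive the rule design. The writes into schtasks.exe (PID 744) carry no SetThreadContext and are what any parent does when it creates a child, so rule 2 keys on the SetThreadContext plus writes pair and stays silent for 744. And the schtasks image resolves to C:\Windows\SysWOW64 while its command line names System32: the parent is a 32-bit process subject to file-system redirection, which also matches the dumps being taken at the 32-bit default image base 0x400000.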
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFD15.tmp (task definition passed to schtasks /XML)
  Filesize: 1KB
  MD5: 37d28ada48e9384f8fe9a9ddb880eb0e
  SHA1: 500534b584ca15d04abe7e3c7586ab2588109719
  SHA256: bb366852894cafe10364e9ac3bc1652a1199206b7a35a980518d202970c79a63
  SHA512: 0befb6f6e864e9a151f01ca8733d7ca400ed8782889db38260189320e9f7e3efede70f7328083a15c1b7d1d90fd8a1fd611247be1f8762fb014a1775fc6af212
- memory/632-65-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/632-66-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/632-71-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/632-69-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/632-67-0x000000000044CE3E-mapping.dmp
- memory/632-64-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/632-61-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/632-62-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/744-59-0x0000000000000000-mapping.dmp
- memory/916-54-0x0000000000DC0000-0x0000000000E6E000-memory.dmp
  Filesize: 696KB
- memory/916-55-0x00000000004E0000-0x0000000000540000-memory.dmp
  Filesize: 384KB
- memory/916-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB
- memory/916-58-0x00000000054D0000-0x000000000552A000-memory.dmp
  Filesize: 360KB
- memory/916-57-0x0000000000390000-0x0000000000398000-memory.dmp
  Filesize: 32KB