Analysis
-
max time kernel
91s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-11-2022 01:18
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT REFERENCE.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SWIFT REFERENCE.exe
Resource
win10v2004-20220901-en
General
-
Target
SWIFT REFERENCE.exe
-
Size
595KB
-
MD5
ce1dffef051c2ce170cf5c5a83394021
-
SHA1
b7e89456fdf93efb3211d83a7ee4654bf9056bec
-
SHA256
927bf1f7d51aacd7c7e504a0dd55f933b0cf845fa76dbe28740689c1aadb79c1
-
SHA512
05c0bfcc146422724c95fcaaafa8b549adcc77b88b02c4593c80e3355b711f0bd9aa39d496b1c639905375a494b6d0e31f07cd8e02b14bbe28af534424f975cc
-
SSDEEP
12288:Mx3CupUoQ7IMwM8azw/lEpWt6XIZSABfUnnaDe84Km6/LKgupsQ8v4q483Z7i3EW:U6XIZSuUnagZ6/cg4nIlPW
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.orogenicgroup-bd.com
Port: 587
Username: [email protected]
Password: Hossain$3400
Email To: [email protected]
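The extracted configuration is the most actionable item in the report: the sample exfiltrates over SMTP to a fixed mail host on port 587. The block below is an added example (not part of the sandbox report) that turns that host/port pair into Suricata rules and a small correlator over Zeek-style dns/conn records. The host and port are the report's; the resolved IP, the source hosts, the timestamps and the sid range are constructed or assumed, and the banner rule assumes the server's 220 greeting carries its hostname.

```python
"""Network detection for the SMTP exfil host in the extracted AgentTesla config.
Added example; the C2 host and port come from the report, everything else is
constructed for illustration."""
from collections import defaultdict

C2 = {"protocol": "smtp", "host": "mail.orogenicgroup-bd.com", "port": 587}  # from the report


def suricata_rules(c2, sid_base=9000001):
    """Two rules: the DNS lookup of the mail host, and the server's SMTP banner on
    the way back (everything after STARTTLS is encrypted, so the banner and the
    lookup are the only cleartext anchors). sid_base is an assumed local range;
    the banner rule assumes the 220 greeting names the host, which is common
    but not guaranteed."""
    host = c2["host"]
    return [
        f'alert dns any any -> any any (msg:"AgentTesla C2 DNS lookup {host}"; '
        f'dns.query; content:"{host}"; nocase; sid:{sid_base}; rev:1;)',
        f'alert tcp any {c2["port"]} -> $HOME_NET any (msg:"AgentTesla SMTP exfil host banner {host}"; '
        f'flow:to_client,established; content:"220 "; depth:4; content:"{host}"; nocase; '
        f'distance:0; sid:{sid_base + 1}; rev:1;)',
    ]


# Constructed Zeek dns.log / conn.log style records. 203.0.113.10 is an assumed
# resolution of the C2 host (documentation range); 10.0.0.7 models a client whose
# lookup was cached or happened before the log window.
DNS_LOG = [
    {"ts": 100.0, "src": "10.0.0.5", "query": "mail.orogenicgroup-bd.com", "answers": ["203.0.113.10"]},
    {"ts": 101.0, "src": "10.0.0.9", "query": "update.example.net", "answers": ["198.51.100.7"]},
]
CONN_LOG = [
    {"ts": 100.5, "uid": "C1", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 587, "proto": "tcp"},
    {"ts": 101.5, "uid": "C2", "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "proto": "tcp"},
    {"ts": 102.0, "uid": "C3", "src": "10.0.0.7", "dst": "203.0.113.10", "dport": 587, "proto": "tcp"},
]


def correlate(c2, dns_log, conn_log, window=300.0):
    """Return (uid, evidence) for TCP connections to the C2 host on its port.
    A connection is attributed via a preceding lookup of the host from the same
    source within `window` seconds; otherwise it is reported on the resolved IP
    alone, so clients that never showed a lookup are still caught."""
    resolved, lookups = set(), defaultdict(list)
    for r in dns_log:
        if r["query"].lower().rstrip(".") == c2["host"].lower():
            for ip in r["answers"]:
                resolved.add(ip)
                lookups[r["src"]].append((r["ts"], ip))
    hits = []
    for c in conn_log:
        if c["proto"] != "tcp" or c["dport"] != c2["port"] or c["dst"] not in resolved:
            continue
        via_dns = any(ip == c["dst"] and 0 <= c["ts"] - ts <= window
                      for ts, ip in lookups[c["src"]])
        hits.append((c["uid"], "dns+conn" if via_dns else "conn_to_resolved_ip"))
    return hits


if __name__ == "__main__":
    print("\n".join(suricata_rules(C2)))
    print(correlate(C2, DNS_LOG, CONN_LOG))
```

The resolved IP is deliberately learned from the DNS log rather than hard-coded, since the operator can repoint the name at any time; blocking the hostname at the resolver and the port 587 egress from hosts that are not mail servers is the durable control.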
Signatures
-
AgentTesla
Agent Tesla is a .NET-based (C#/VB.NET) remote access tool (RAT) and credential stealer; this sample exfiltrates over SMTP using the credentials in the extracted configuration above.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: SWIFT REFERENCE.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | SWIFT REFERENCE.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yGbzOMp = "C:\\Users\\Admin\\AppData\\Roaming\\yGbzOMp\\yGbzOMp.exe" | RegSvcs.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Processes: SWIFT REFERENCE.exe
description | pid | process | target process
PID 4032 set thread context of 2984 | 4032 | SWIFT REFERENCE.exe | RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's generic rationale is ransomware; in this AgentTesla sample the drive enumeration is more consistent with victim profiling by a stealer, and no file encryption is reported elsewhere in this analysis.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Processes: SWIFT REFERENCE.exe, RegSvcs.exe
pid | process
4032 | SWIFT REFERENCE.exe
2984 | RegSvcs.exe
2984 | RegSvcs.exe
2984 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Processes: SWIFT REFERENCE.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 4032 | SWIFT REFERENCE.exe
Token: SeDebugPrivilege | 2984 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Processes: SWIFT REFERENCE.exe
description | pid | process | target process
PID 4032 wrote to memory of 5100 | 4032 | SWIFT REFERENCE.exe | schtasks.exe (3 events)
PID 4032 wrote to memory of 2984 | 4032 | SWIFT REFERENCE.exe | RegSvcs.exe (8 events)
-
outlook_office_path 1 IoCs
Processes:
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
outlook_win_path 1 IoCs
Processes:
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SWIFT REFERENCE.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT REFERENCE.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\schtasks.exe (depth 2, child of SWIFT REFERENCE.exe)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UURCPEflGQbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp"
  The command line names System32\schtasks.exe but the image is the SysWOW64 copy: the dropper is a 32-bit process, so WoW64 file-system redirection resolves the call to the 32-bit binary. The task definition is read from a 1KB XML file in the user's Temp directory (hashes under Downloads below).
  - Creates scheduled task(s)
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, child of SWIFT REFERENCE.exe)
  Command line: "{path}"
  No assembly to register is passed on the command line; together with the SetThreadContext and WriteProcessMemory signatures above, this is the .NET utility being used as a hollowing host for the payload rather than a genuine RegSvcs invocation.
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
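The process tree above is the detection opportunity: a binary in the user's Temp directory feeds schtasks an XML from Temp, starts a .NET framework utility with no arguments, and that utility then writes a Run key into AppData. The block below is an added example (not part of the sandbox report) that encodes those three checks as rules over Sysmon-style events and folds the hits back onto the dropper's PID. The events are constructed from the report's PIDs, paths and command lines; the dropper's parent process and the benign RegSvcs control at the end of the list are assumptions.

```python
"""Detection logic for the chain in the process tree above: dropper in %TEMP% ->
schtasks /Create from an XML in %TEMP% -> RegSvcs.exe started with no assembly
argument (hollowing host) -> Run key pointing into AppData. Added example; the
event records are constructed in Sysmon field names (EventID 1 = process
create, EventID 13 = registry value set) from the values in the report."""
import re

EVENTS = [
    {"EventID": 1, "ProcessId": 4032, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\SWIFT REFERENCE.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\SWIFT REFERENCE.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # parent is an assumption
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 4032,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UURCPEflGQbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SWIFT REFERENCE.exe"},
    {"EventID": 1, "ProcessId": 2984, "ParentProcessId": 4032,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": '"{path}"',  # the report's rendering: image path only, no assembly argument
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SWIFT REFERENCE.exe"},
    {"EventID": 13, "ProcessId": 2984,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetObject": r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yGbzOMp",
     "Details": r"C:\Users\Admin\AppData\Roaming\yGbzOMp\yGbzOMp.exe"},
    # Constructed benign control: a developer registering a real assembly from a console.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 6999,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"RegSvcs.exe C:\Build\MyService.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)
# .NET framework utilities that AgentTesla-style loaders commonly use as hollowing hosts.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_xml_from_user_dir(ev):
    """schtasks /Create fed a task definition that lives in a user-writable directory."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    m = re.search(r'/XML\s+(?:"([^"]+)"|(\S+))', cmd, re.IGNORECASE)
    if "/create" in cmd.lower() and m and USER_WRITABLE.search(m.group(1) or m.group(2)):
        return ("schtasks_create_from_user_writable_xml", ev["ProcessId"])
    return None


def rule_dotnet_host_hollowing_candidate(ev):
    """A .NET host utility started by a binary in a user-writable directory with
    nothing but its own path (or the report's "{path}" placeholder) as arguments."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in DOTNET_HOSTS:
        return None
    args = ev["CommandLine"].strip()
    no_assembly_arg = args in ('"{path}"', ev["Image"], f'"{ev["Image"]}"')
    if USER_WRITABLE.search(ev["ParentImage"]) and no_assembly_arg:
        return ("dotnet_host_hollowing_candidate", ev["ProcessId"])
    return None


def rule_run_key_to_user_dir(ev):
    """Run key whose data points at an executable under a user-writable directory."""
    if ev["EventID"] != 13:
        return None
    if (re.search(r"\\CurrentVersion\\Run\\", ev["TargetObject"], re.IGNORECASE)
            and USER_WRITABLE.search(ev["Details"])):
        return ("run_key_points_to_user_writable_path", ev["ProcessId"])
    return None


RULES = (rule_schtasks_xml_from_user_dir, rule_dotnet_host_hollowing_candidate, rule_run_key_to_user_dir)


def scan(events):
    """Apply every rule to every event; returns (rule_name, pid) tuples in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def group_by_root(events, findings):
    """Walk ParentProcessId links so hits on the children collapse onto the dropper."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    grouped = {}
    for name, pid in findings:
        root = pid
        while parents.get(root) in parents:
            root = parents[root]
        grouped.setdefault(root, []).append(name)
    return grouped


if __name__ == "__main__":
    for root, names in group_by_root(EVENTS, scan(EVENTS)).items():
        print(root, names)
```

The second rule keys on the parent's location and the empty argument list rather than on RegSvcs.exe itself, because the utility is legitimately run by build and install tooling; the benign control record shows the rule staying quiet for that case. In production the same rules would be fed from Sysmon or EDR telemetry instead of the constructed list.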
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp
Filesize
1KB
MD5
4cdc7305235a41300bf23fb76912b24e
SHA1
b70d049ef8ab3ebd65efed61c9a87fe4bdb2ae36
SHA256
27da3cda5f1a823641c68be71a927697a3abf8c597cd750ab629de5a40211d8e
SHA512
ea6975208b97f88c67eda21949fb7747c14e8c03ea1fcf49419f57413f75aadf045801857c82216fdde78e2691a1e2e47dc462cba8d33ef6871e164df2159ade
-
memory/2984-139-0x0000000000000000-mapping.dmp
-
memory/2984-140-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize
240KB
-
memory/2984-141-0x0000000005F30000-0x0000000005F96000-memory.dmp
Filesize
408KB
-
memory/2984-142-0x0000000006250000-0x00000000062A0000-memory.dmp
Filesize
320KB
-
memory/4032-132-0x0000000000330000-0x00000000003CA000-memory.dmp
Filesize
616KB
-
memory/4032-133-0x0000000005210000-0x00000000057B4000-memory.dmp
Filesize
5.6MB
-
memory/4032-134-0x0000000004C60000-0x0000000004CF2000-memory.dmp
Filesize
584KB
-
memory/4032-135-0x0000000004DA0000-0x0000000004E3C000-memory.dmp
Filesize
624KB
-
memory/4032-136-0x0000000004D80000-0x0000000004D8A000-memory.dmp
Filesize
40KB
-
memory/5100-137-0x0000000000000000-mapping.dmp