Analysis
max time kernel: 65s
max time network: 67s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2023 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: TT SWIFT COPY $37,000.00.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: TT SWIFT COPY $37,000.00.exe
  Resource: win10v2004-20230220-en
General
Target: TT SWIFT COPY $37,000.00.exe
Size: 725KB
MD5: 627d531f2361508ce6d650dfb74f50b7
SHA1: 74cdf31cf47ce5898fc6391bfdd1b8801bc2813f
SHA256: fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5
SHA512: e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066
SSDEEP: 12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: [email protected]
Password: Sksmoke2018#
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1308 set thread context of 576 | 1308 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1308 | TT SWIFT COPY $37,000.00.exe
    Token: SeDebugPrivilege | 576 | TT SWIFT COPY $37,000.00.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    576 | TT SWIFT COPY $37,000.00.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description | pid | process | target process
    PID 1308 wrote to memory of 1472 | 1308 | TT SWIFT COPY $37,000.00.exe | schtasks.exe (4 identical entries)
    PID 1308 wrote to memory of 576 | 1308 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe (9 identical entries)
- outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TT SWIFT COPY $37,000.00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TT SWIFT COPY $37,000.00.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IkhnidnnYYPv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F93.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TT SWIFT COPY $37,000.00.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8F93.tmp
  Filesize: 1KB
  MD5: 89c003845ac0490d7c7a1d7380c838d7
  SHA1: 19a1c461a782e0837e59005e657eaf112dc503e6
  SHA256: f81c25154569126fa7832cf6895fcec6fe0d9d4b44425d3c2a14b5436d05165c
  SHA512: d2369575250e3c4cd0a7c81d2231e582f2cadf9a3848e8ae86ff3c9d3dcab29b51fd2d3f33db7699853cf760254027e727388dab20ec4cfdf933c82ab50d27fd
- memory/576-68-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-63-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-74-0x0000000004EE0000-0x0000000004F20000-memory.dmp
  Filesize: 256KB
- memory/576-73-0x0000000004EE0000-0x0000000004F20000-memory.dmp
  Filesize: 256KB
- memory/576-65-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-72-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-70-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-64-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-66-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/576-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1308-59-0x0000000004C80000-0x0000000004CB0000-memory.dmp
  Filesize: 192KB
- memory/1308-54-0x00000000010F0000-0x00000000011AA000-memory.dmp
  Filesize: 744KB
- memory/1308-56-0x0000000000450000-0x000000000045C000-memory.dmp
  Filesize: 48KB
- memory/1308-55-0x0000000000640000-0x0000000000680000-memory.dmp
  Filesize: 256KB
- memory/1308-58-0x0000000005CA0000-0x0000000005D1E000-memory.dmp
  Filesize: 504KB
- memory/1308-57-0x0000000000640000-0x0000000000680000-memory.dmp
  Filesize: 256KB