Analysis
max time kernel: 51s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2023 10:52
Static task: static1
Behavioral task: behavioral1 (Sample: TT SWIFT COPY $37,000.00.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: TT SWIFT COPY $37,000.00.exe; Resource: win10v2004-20230220-en)
General
Target: TT SWIFT COPY $37,000.00.exe
Size: 725KB
MD5: 627d531f2361508ce6d650dfb74f50b7
SHA1: 74cdf31cf47ce5898fc6391bfdd1b8801bc2813f
SHA256: fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5
SHA512: e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066
SSDEEP: 12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | api.ipify.org
5 | api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1480 set thread context of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
1480 | TT SWIFT COPY $37,000.00.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1480 | TT SWIFT COPY $37,000.00.exe
Token: SeDebugPrivilege | 552 | TT SWIFT COPY $37,000.00.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
552 | TT SWIFT COPY $37,000.00.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description | pid | process | target process
PID 1480 wrote to memory of 684 | 1480 | TT SWIFT COPY $37,000.00.exe | schtasks.exe
PID 1480 wrote to memory of 684 | 1480 | TT SWIFT COPY $37,000.00.exe | schtasks.exe
PID 1480 wrote to memory of 684 | 1480 | TT SWIFT COPY $37,000.00.exe | schtasks.exe
PID 1480 wrote to memory of 684 | 1480 | TT SWIFT COPY $37,000.00.exe | schtasks.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
PID 1480 wrote to memory of 552 | 1480 | TT SWIFT COPY $37,000.00.exe | TT SWIFT COPY $37,000.00.exe
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe

outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | TT SWIFT COPY $37,000.00.exe
Processes

C:\Users\Admin\AppData\Local\Temp\TT SWIFT COPY $37,000.00.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TT SWIFT COPY $37,000.00.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IkhnidnnYYPv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE0C.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\TT SWIFT COPY $37,000.00.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpAE0C.tmp
Filesize: 1KB
MD5: 625f6cefe7afa22da4e41b36c3e4a88b
SHA1: 7b7cd9c796e4984f701ff7871ff4bfb570c8713e
SHA256: 8601d0b6607cd5c7bef8f025d083ff2ac035fc4f70fc0b235263c08d73bb8c59
SHA512: e987d7d3fa473b5e9831430c9faeb106ff1cbef81ef7a52cda06c7a9c76e97a2a30f5da16fb2b9ee2a3b469fdb3b94027ed85587915c1db1d1dedd101517319b

memory dump | Filesize
memory/552-68-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/552-63-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/552-91-0x00000000048B0000-0x00000000048F0000-memory.dmp | 256KB
memory/552-73-0x00000000048B0000-0x00000000048F0000-memory.dmp | 256KB
memory/552-65-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/552-72-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/552-70-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/552-64-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/552-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/552-66-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1480-59-0x0000000005000000-0x0000000005030000-memory.dmp | 192KB
memory/1480-54-0x0000000000DB0000-0x0000000000E6A000-memory.dmp | 744KB
memory/1480-56-0x0000000000340000-0x000000000034C000-memory.dmp | 48KB
memory/1480-55-0x00000000042C0000-0x0000000004300000-memory.dmp | 256KB
memory/1480-58-0x0000000005BF0000-0x0000000005C6E000-memory.dmp | 504KB
memory/1480-57-0x00000000042C0000-0x0000000004300000-memory.dmp | 256KB