Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 23/09/2023, 18:54
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT.pdf.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: SWIFT.pdf.exe
- Resource: win10v2004-20230915-en
General
- Target: SWIFT.pdf.exe
- Size: 538KB
- MD5: 4b16c4589ce3211b6f45051b5fb422b0
- SHA1: 2b60d36184571a1bc35c335ab8941c2bdc7f02b2
- SHA256: ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
- SHA512: 38796bb1952559726ed4f47344962fa8dd7b051b12266f9dbfc149b5262f99f24803416ef7986577021b96bc118b39d05c95be9830b1f29ffb23c33c751b5526
- SSDEEP: 6144:Jf4NOk8oV/BR1z/8XIppg4P/l27t9mrvlRlOYADKgt5Q1OW4kXQAN2Tr3+oUSWXh:hi+9m7H2RqF4kXQf7WX42Yu26NCc6P
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.expertsconsultgh.co
- Port: 587
- Username: [email protected]
- Password: Oppong.2012
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | api.ipify.org
3 | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2412 set thread context of 2216 | 2412 | SWIFT.pdf.exe | 36

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2492 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2412 | SWIFT.pdf.exe
2412 | SWIFT.pdf.exe
2412 | SWIFT.pdf.exe
2680 | powershell.exe
2668 | powershell.exe
2216 | RegSvcs.exe
2216 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2412 | SWIFT.pdf.exe
Token: SeDebugPrivilege | 2216 | RegSvcs.exe
Token: SeDebugPrivilege | 2680 | powershell.exe
Token: SeDebugPrivilege | 2668 | powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target | occurrences
PID 2412 wrote to memory of 2680 | 2412 | SWIFT.pdf.exe | 30 | 4
PID 2412 wrote to memory of 2668 | 2412 | SWIFT.pdf.exe | 32 | 4
PID 2412 wrote to memory of 2492 | 2412 | SWIFT.pdf.exe | 34 | 4
PID 2412 wrote to memory of 2216 | 2412 | SWIFT.pdf.exe | 36 | 12

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SWIFT.pdf.exe (PID 2412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2680)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SWIFT.pdf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2668)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UOGegcK.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2492)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UOGegcK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56D.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2216)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c5123042a082ab5d5eb987a9379abcfb
  SHA1: 0a2a52d3d83525616fc094ac33b4b640504952f3
  SHA256: 7c5f155cf221c3f76084f367907ee24d5cee0cc134bcb6ddbf2957fb7ea8d1e6
  SHA512: fd7f3a2445760d2e9244df907f761c042fd48c420f3c797b9e09bcf3dd3bbbcaa6dd10c0c4ab0eb002864bf8224f1a7acdb092db9f4db55f271fa360154d12b5

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6H752JDJ9BQB46UOWY6T.temp
  Filesize: 7KB
  MD5: 00e23732a2cabf39d759d2cb9da077f0
  SHA1: 3b30948431f96cc1c894c39d9701b085648f311c
  SHA256: 94d640eb950176f48af8a2aaafb8176a241975b5710399b285c250822f73fa6e
  SHA512: 9c07a8e2ed9029848f7895e5c102ebb2de2ab54cfd94e28778906e3d304743498b9be9fff03724c81f804ea949a1dcbbf4af1b3dedfd2a456b554bcece6cd665

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 00e23732a2cabf39d759d2cb9da077f0
  SHA1: 3b30948431f96cc1c894c39d9701b085648f311c
  SHA256: 94d640eb950176f48af8a2aaafb8176a241975b5710399b285c250822f73fa6e
  SHA512: 9c07a8e2ed9029848f7895e5c102ebb2de2ab54cfd94e28778906e3d304743498b9be9fff03724c81f804ea949a1dcbbf4af1b3dedfd2a456b554bcece6cd665