Analysis

max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2023 07:18

Static task: static1

Behavioral task: behavioral1
Sample: SWIFT COPY.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: SWIFT COPY.exe
Resource: win10v2004-20231127-en
General

Target: SWIFT COPY.exe
Size: 1.0MB
MD5: d7a5e6cf0c7f0937d74f25ad55b89bfa
SHA1: a9eaeb41ac609c8720e0f5c5e9d7c43fd9388876
SHA256: 94e790b64206a78f0a30e4fe686559010744a1596679e7daeb8c3325ff346bbe
SHA512: e32e76af4af359654b365f7ede6896924e5d6dc77f73f3376d8238043d6031ec63425dddc0898471a2d36ca947c302c784f4fd1c50e3cd6a660ec71a8d467a63
SSDEEP: 24576:ZG6s3KSpszXe/e88e+wYm9I4uKe/lEpY:QV3KrXWvCwYqf
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: premium184.web-hosting.com
Port: 587
Username: [email protected]
Password: ^HPUm$4%eL~b
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     api.ipify.org
5     api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                          pid   process         target process
PID 2092 set thread context of 2520  2092  SWIFT COPY.exe  MSBuild.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid   process
2092  SWIFT COPY.exe
2092  SWIFT COPY.exe
2092  SWIFT COPY.exe
2092  SWIFT COPY.exe
2092  SWIFT COPY.exe
2712  powershell.exe
2576  powershell.exe
2092  SWIFT COPY.exe
2520  MSBuild.exe
2520  MSBuild.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  2092  SWIFT COPY.exe
Token: SeDebugPrivilege  2712  powershell.exe
Token: SeDebugPrivilege  2576  powershell.exe
Token: SeDebugPrivilege  2520  MSBuild.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description                       pid   process         target process
PID 2092 wrote to memory of 2576  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2576  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2576  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2576  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2712  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2712  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2712  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2712  2092  SWIFT COPY.exe  powershell.exe
PID 2092 wrote to memory of 2744  2092  SWIFT COPY.exe  schtasks.exe
PID 2092 wrote to memory of 2744  2092  SWIFT COPY.exe  schtasks.exe
PID 2092 wrote to memory of 2744  2092  SWIFT COPY.exe  schtasks.exe
PID 2092 wrote to memory of 2744  2092  SWIFT COPY.exe  schtasks.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
PID 2092 wrote to memory of 2520  2092  SWIFT COPY.exe  MSBuild.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2092

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2576

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BOanEr.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2712

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOanEr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E81.tmp"
    - Creates scheduled task(s)
    PID: 2744

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2520
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 8bd9e1af87934387d002d60f510c0458
SHA1: c3780e213d5c054595c732a2e88553133d3e0be5
SHA256: 8cbfa861562ac3b607d2347a7c3b4f6462f2bc528159c49297b4622f7c5653aa
SHA512: 9223b057ed696ef4cea4e97c5cefddda8d72455d9a7e6b212a2ff16c3b6f235aa0d9653f471fcb1b89d9b487f6e0978b46d4f084b2c478431e9c6413b0e20def

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJG0DM3FXGTOGYDHP772.temp
Filesize: 7KB
MD5: 0a79f8b5aeccfd83302a0efae2717016
SHA1: 4d5e4266f227b697ac7f531755459479c18ff6a2
SHA256: 006f35ca227ee57f54e0c66398ee8da2bf52d3fc8220d7f534496a6156a9dfec
SHA512: 4d5406bd51baf329f7e1e2dbfabc54405c08c3e1715dc95f06816dd986fdf88617218ca26cb0feedc55f2a70bec9d8c8ecc3f9c270de17041648521367ec026b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 0a79f8b5aeccfd83302a0efae2717016
SHA1: 4d5e4266f227b697ac7f531755459479c18ff6a2
SHA256: 006f35ca227ee57f54e0c66398ee8da2bf52d3fc8220d7f534496a6156a9dfec
SHA512: 4d5406bd51baf329f7e1e2dbfabc54405c08c3e1715dc95f06816dd986fdf88617218ca26cb0feedc55f2a70bec9d8c8ecc3f9c270de17041648521367ec026b