Overview

overview

10

Static

static

3

SWIFT COPY.exe

windows7-x64

10

SWIFT COPY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT COPY.exe

  • Size

    1.0MB

  • MD5

    d7a5e6cf0c7f0937d74f25ad55b89bfa

  • SHA1

    a9eaeb41ac609c8720e0f5c5e9d7c43fd9388876

  • SHA256

    94e790b64206a78f0a30e4fe686559010744a1596679e7daeb8c3325ff346bbe

  • SHA512

    e32e76af4af359654b365f7ede6896924e5d6dc77f73f3376d8238043d6031ec63425dddc0898471a2d36ca947c302c784f4fd1c50e3cd6a660ec71a8d467a63

  • SSDEEP

    24576:ZG6s3KSpszXe/e88e+wYm9I4uKe/lEpY:QV3KrXWvCwYqf

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BOanEr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOanEr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E81.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9E81.tmp
    Filesize

    1KB

    MD5

    8bd9e1af87934387d002d60f510c0458

    SHA1

    c3780e213d5c054595c732a2e88553133d3e0be5

    SHA256

    8cbfa861562ac3b607d2347a7c3b4f6462f2bc528159c49297b4622f7c5653aa

    SHA512

    9223b057ed696ef4cea4e97c5cefddda8d72455d9a7e6b212a2ff16c3b6f235aa0d9653f471fcb1b89d9b487f6e0978b46d4f084b2c478431e9c6413b0e20def

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJG0DM3FXGTOGYDHP772.temp
    Filesize

    7KB

    MD5

    0a79f8b5aeccfd83302a0efae2717016

    SHA1

    4d5e4266f227b697ac7f531755459479c18ff6a2

    SHA256

    006f35ca227ee57f54e0c66398ee8da2bf52d3fc8220d7f534496a6156a9dfec

    SHA512

    4d5406bd51baf329f7e1e2dbfabc54405c08c3e1715dc95f06816dd986fdf88617218ca26cb0feedc55f2a70bec9d8c8ecc3f9c270de17041648521367ec026b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    0a79f8b5aeccfd83302a0efae2717016

    SHA1

    4d5e4266f227b697ac7f531755459479c18ff6a2

    SHA256

    006f35ca227ee57f54e0c66398ee8da2bf52d3fc8220d7f534496a6156a9dfec

    SHA512

    4d5406bd51baf329f7e1e2dbfabc54405c08c3e1715dc95f06816dd986fdf88617218ca26cb0feedc55f2a70bec9d8c8ecc3f9c270de17041648521367ec026b

    Download Submit

  • memory/2092-3-0x0000000000200000-0x0000000000218000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2092-4-0x00000000001E0000-0x00000000001E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2092-5-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2092-6-0x00000000060D0000-0x000000000614A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2092-7-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-8-0x00000000004F0000-0x0000000000530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2092-0-0x0000000000C60000-0x0000000000D68000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2092-2-0x00000000004F0000-0x0000000000530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2092-1-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-40-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2520-37-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2520-41-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2520-46-0x00000000049D0000-0x0000000004A10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2520-45-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2520-42-0x00000000049D0000-0x0000000004A10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2520-39-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2520-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2520-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2520-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2520-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2520-32-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2520-33-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2576-26-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2576-23-0x00000000023B0000-0x00000000023F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2576-21-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2576-27-0x00000000023B0000-0x00000000023F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2576-43-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-28-0x0000000002670000-0x00000000026B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2712-22-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-29-0x0000000002670000-0x00000000026B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2712-44-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-25-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-24-0x000000006FAB0000-0x000000007005B000-memory.dmp

    Filesize

    5.7MB

    Download