Analysis
max time kernel: 154s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2023 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: SWIFT COPY.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: SWIFT COPY.exe
  Resource: win10v2004-20231127-en
General
Target: SWIFT COPY.exe
Size: 1.0MB
MD5: d7a5e6cf0c7f0937d74f25ad55b89bfa
SHA1: a9eaeb41ac609c8720e0f5c5e9d7c43fd9388876
SHA256: 94e790b64206a78f0a30e4fe686559010744a1596679e7daeb8c3325ff346bbe
SHA512: e32e76af4af359654b365f7ede6896924e5d6dc77f73f3376d8238043d6031ec63425dddc0898471a2d36ca947c302c784f4fd1c50e3cd6a660ec71a8d467a63
SSDEEP: 24576:ZG6s3KSpszXe/e88e+wYm9I4uKe/lEpY:QV3KrXWvCwYqf
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: premium184.web-hosting.com
  Port: 587
  Username: [email protected]
  Password: ^HPUm$4%eL~b
  Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | process: SWIFT COPY.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 63 | ioc: api.ipify.org
  flow: 64 | ioc: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 4896 set thread context of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
  pid: 3828 | pid_target: 976 | process: WerFault.exe | target process: MSBuild.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid process):
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  2904 powershell.exe
  2904 powershell.exe
  3456 powershell.exe
  3456 powershell.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  4896 SWIFT COPY.exe
  976 MSBuild.exe
  976 MSBuild.exe
  3456 powershell.exe
  2904 powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description: Token: SeDebugPrivilege | pid/process: 4896 SWIFT COPY.exe
  description: Token: SeDebugPrivilege | pid/process: 2904 powershell.exe
  description: Token: SeDebugPrivilege | pid/process: 3456 powershell.exe
  description: Token: SeDebugPrivilege | pid/process: 976 MSBuild.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description: PID 4896 wrote to memory of 2904 | pid/process: 4896 SWIFT COPY.exe | target process: powershell.exe
  description: PID 4896 wrote to memory of 2904 | pid/process: 4896 SWIFT COPY.exe | target process: powershell.exe
  description: PID 4896 wrote to memory of 2904 | pid/process: 4896 SWIFT COPY.exe | target process: powershell.exe
  description: PID 4896 wrote to memory of 3456 | pid/process: 4896 SWIFT COPY.exe | target process: powershell.exe
  description: PID 4896 wrote to memory of 3456 | pid/process: 4896 SWIFT COPY.exe | target process: powershell.exe
  description: PID 4896 wrote to memory of 3456 | pid/process: 4896 SWIFT COPY.exe | target process: powershell.exe
  description: PID 4896 wrote to memory of 4732 | pid/process: 4896 SWIFT COPY.exe | target process: schtasks.exe
  description: PID 4896 wrote to memory of 4732 | pid/process: 4896 SWIFT COPY.exe | target process: schtasks.exe
  description: PID 4896 wrote to memory of 4732 | pid/process: 4896 SWIFT COPY.exe | target process: schtasks.exe
  description: PID 4896 wrote to memory of 4024 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 4024 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 4024 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
  description: PID 4896 wrote to memory of 976 | pid/process: 4896 SWIFT COPY.exe | target process: MSBuild.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
  PID: 4896
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
    PID: 2904
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BOanEr.exe"
    PID: 3456
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOanEr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8B3.tmp"
    PID: 4732
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 4024

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 976
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1980
      PID: 3828
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 976 -ip 976
  PID: 3680
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: ec03cea8c2c56d8ba9e3b832f76f346b
SHA1: b0ca4e99173ba562e0f10e7aeccf4cc7c2d90a1d
SHA256: a723cb7e4d05a58ee350df0fb23a3c42b9e28eac685cc7fca02ae7f88f66e618
SHA512: 114ba42509c335c378777e7f5d7e3087fc2b9ae0110af4f555ece937afd0214a4e8a6020a56c3127c3f9c7af8bde298e454adeef9ea14b02e8195a1a70beb941