Analysis
-
max time kernel
143s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2024, 11:41
Static task
static1
Behavioral task
behavioral1
Sample
Swiftcopy.exe.bin.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Swiftcopy.exe.bin.exe
Resource
win10v2004-20240508-en
General
-
Target
Swiftcopy.exe.bin.exe
-
Size
700KB
-
MD5
a3f691b8cbca9531cb2e2711e0f2a166
-
SHA1
3f8369e5be5fa86d52afb5dbe538bddc0060ab90
-
SHA256
e8fe4366c2f5dec094103ca8abbf55bf6d2bfd50fa9e6441111678a0f0e8c432
-
SHA512
d0394294e50b28950a96cf1b061d19f5621eb402d20bf16aee212697af210a0befb05d8c7b7ec93e38000cfecbd076829662fe1d5ead075776d9f69ea075e84c
-
SSDEEP
12288:hdrLbDZaNRpTTqcoXw8w4r9a4klENmi/Z1VQ62FcjD/fyww6Ht7NalxIJetRy3f:7LDZMRpTX9hv4kNeV7vxN7NajMv3f
Malware Config
Extracted
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101*
Extracted
agenttesla
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101* - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1780 powershell.exe 1028 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation Swiftcopy.exe.bin.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avdfUcC = "C:\\Users\\Admin\\AppData\\Roaming\\avdfUcC\\avdfUcC.exe" Swiftcopy.exe.bin.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4276 set thread context of 1864 4276 Swiftcopy.exe.bin.exe 112 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2060 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4276 Swiftcopy.exe.bin.exe 4276 Swiftcopy.exe.bin.exe 4276 Swiftcopy.exe.bin.exe 4276 Swiftcopy.exe.bin.exe 1028 powershell.exe 1028 powershell.exe 1780 powershell.exe 1780 powershell.exe 4276 Swiftcopy.exe.bin.exe 1864 Swiftcopy.exe.bin.exe 1864 Swiftcopy.exe.bin.exe 1864 Swiftcopy.exe.bin.exe 1028 powershell.exe 1780 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4276 Swiftcopy.exe.bin.exe Token: SeDebugPrivilege 1028 powershell.exe Token: SeDebugPrivilege 1780 powershell.exe Token: SeDebugPrivilege 1864 Swiftcopy.exe.bin.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4276 wrote to memory of 1780 4276 Swiftcopy.exe.bin.exe 106 PID 4276 wrote to memory of 1780 4276 Swiftcopy.exe.bin.exe 106 PID 4276 wrote to memory of 1780 4276 Swiftcopy.exe.bin.exe 106 PID 4276 wrote to memory of 1028 4276 Swiftcopy.exe.bin.exe 108 PID 4276 wrote to memory of 1028 4276 Swiftcopy.exe.bin.exe 108 PID 4276 wrote to memory of 1028 4276 Swiftcopy.exe.bin.exe 108 PID 4276 wrote to memory of 2060 4276 Swiftcopy.exe.bin.exe 110 PID 4276 wrote to memory of 2060 4276 Swiftcopy.exe.bin.exe 110 PID 4276 wrote to memory of 2060 4276 Swiftcopy.exe.bin.exe 110 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112 PID 4276 wrote to memory of 1864 4276 Swiftcopy.exe.bin.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\Swiftcopy.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\Swiftcopy.exe.bin.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swiftcopy.exe.bin.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BThrvPseKTe.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BThrvPseKTe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31E8.tmp"2⤵
- Creates scheduled task(s)
PID:2060
-
-
C:\Users\Admin\AppData\Local\Temp\Swiftcopy.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\Swiftcopy.exe.bin.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:81⤵PID:4956
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
64B
MD5da639120041ac481a454b6f96f3426bf
SHA12dc6f2931bff596440fe3007016a434cec30b353
SHA256ce82ab3ee6cb962de1f547e26932e0e9f51f00133cff57e069a79bdb2330ea19
SHA5127e535d9eb93f4bae2af719c112910384e31936bd81d72fbead526f57527dc43e04b474bc69e71a6583644ef9f75732f614e3cf1894d019a95432dccc4d4da4a9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD58cbff8c958646bdadf3040d02f00c9c2
SHA1f71fa4638d370e652bad6dbc26cb1775a2c45041
SHA25680172e0317a96c3fd8ba6780c2a7c37e06219f9b91d6375620bb8c5c0b279a1f
SHA512432c557901965c2e32b05c0c368abf1c14886cf3d3193ad42ce7c9b8dc636751107ca356b612e0bed33c4d5a08dd710490aea87fc9b45aa121dd965c9759e8e6