
Analysis

  • max time kernel
    130s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09/07/2020, 01:49 UTC

General

  • Target

    62ee9633-f92c-4000-ae56-370964749626.bin.exe

  • Size

    1.0MB

  • MD5

    34d8364be0227837e9cd6503f426c08e

  • SHA1

    43da38e0840229b6496bff651892531c97458a38

  • SHA256

    f43b32a0a224d190f5ce2f523d8a243c1ec7e0cc16798f2eaf4e4eb22480df43

  • SHA512

    6c5865b55aa377f9eb9f8857e584c6ca7f0b5ef60984fc61789da15aa60a0bd801660790793e2da93b21b964a4f1d930c29a8eee77281cfe64d71f0e2fea3910

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest browser profile data, which can include saved credentials, cookies and autofill entries.

  • Reads data files stored by FTP clients 2 TTPs

    The sample tries to read configuration files of FTP clients such as FileZilla, which store saved server credentials on disk.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store account settings and credentials on disk, a common infostealer target.

  • Suspicious use of WriteProcessMemory 13 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    schtasks.exe is commonly used by malware for persistence or to trigger post-infection execution; here the task is registered from an XML definition staged in the user's Temp directory (see the process tree below).

  • AgentTesla

    Agent Tesla is a .NET remote access tool (RAT) and infostealer, originally written in Visual Basic .NET.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62ee9633-f92c-4000-ae56-370964749626.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\62ee9633-f92c-4000-ae56-370964749626.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKLSlOlyqjoU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9414.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1436
    • C:\Users\Admin\AppData\Local\Temp\62ee9633-f92c-4000-ae56-370964749626.bin.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:660
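
Two things in the tree above are worth turning into detection logic. First, PID 1164 relaunches its own image (the report shows the child's command line as "{path}") and, before that, calls SetThreadContext and WriteProcessMemory: the classic RunPE / process-hollowing sequence, after which the real stealer work (AdjustPrivilegeToken, process enumeration) happens in the child, PID 660. Second, the parent registers a scheduled task from an XML file in the user's Temp directory; note that the command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe, so file-system redirection tells you the parent is a 32-bit process under WOW64. The following is an added example, not tria.ge's own code: it runs both checks over constructed process-creation records whose PIDs, images and command lines are taken from this report (the ppid of 1164 and the two benign control processes are assumptions).

```python
"""Detection logic for the two behaviours in the process tree: a process
relaunching its own image and driving it with SetThreadContext and
WriteProcessMemory (process hollowing), and schtasks.exe registering a
task from an XML file staged in the user's Temp directory.
Added example, not tria.ge code. Event records are constructed (fields
modelled on Sysmon event 1 plus the sandbox's API-call signatures)."""
import re
from pathlib import PureWindowsPath

INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}
USER_TEMP = "\\appdata\\local\\temp\\"   # case-folded fragment of %LOCALAPPDATA%\Temp\

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\62ee9633-f92c-4000-ae56-370964749626.bin.exe")

# Constructed events. The first three mirror the report; ppid 500 for the
# initial process and the browser/updater records are invented controls.
SAMPLE_EVENTS = [
    {"pid": 1164, "ppid": 500, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}"',
     "api": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 1436, "ppid": 1164, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKLSlOlyqjoU" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9414.tmp"',
     "api": set()},
    {"pid": 660, "ppid": 1164, "image": SAMPLE_EXE,
     "cmdline": '"{path}"',   # the report displays the relaunched self-path this way
     "api": {"AdjustPrivilegeToken"}},
    # Negative control: a browser spawning a same-image child without injection APIs.
    {"pid": 2000, "ppid": 500, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": r'"C:\Program Files\Browser\browser.exe"', "api": set()},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": r'"C:\Program Files\Browser\browser.exe" --type=renderer', "api": set()},
    # Negative control: an installed updater registering a task from its own directory.
    {"pid": 3000, "ppid": 500, "image": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": r'"C:\Program Files\Vendor\updater.exe"', "api": set()},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" '
                r'/XML "C:\Program Files\Vendor\update-task.xml"', "api": set()},
]


def _arg(cmdline, flag):
    """Return the value following a schtasks flag (quoted or bare), or None."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_self_injection(events):
    """(parent_pid, child_pid) pairs where a parent spawned its own image and
    called both SetThreadContext and WriteProcessMemory: the RunPE pattern.
    A same-image child alone is not enough; browsers do that legitimately."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (parent["image"].lower() == child["image"].lower()
                and INJECTION_APIS <= set(parent.get("api", ()))):
            hits.append((parent["pid"], child["pid"]))
    return hits


def find_suspicious_schtasks(events):
    """schtasks /Create invocations whose task XML, or whose parent process,
    lives under a user Temp directory. Installed software keeps its task
    definitions in its own directory, so either condition is a strong signal."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "schtasks.exe":
            continue
        if "/create" not in e["cmdline"].lower():
            continue
        task, xml = _arg(e["cmdline"], "/TN"), _arg(e["cmdline"], "/XML")
        reasons = []
        if xml and USER_TEMP in xml.lower():
            reasons.append("task XML staged under user Temp")
        parent = by_pid.get(e["ppid"])
        if parent and USER_TEMP in parent["image"].lower():
            reasons.append("created by a process running from user Temp")
        if reasons:
            hits.append({"pid": e["pid"], "ppid": e["ppid"], "task": task,
                         "xml": xml, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("self-injection:", find_self_injection(SAMPLE_EVENTS))
    for hit in find_suspicious_schtasks(SAMPLE_EVENTS):
        print("schtasks:", hit)
```

Against the constructed events the injection rule fires only for 1164 spawning 660, and the schtasks rule fires only for PID 1436, with both Temp conditions met; the browser and updater controls stay silent.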

Network

    No results found
    destination             service       bytes   packets
    10.7.0.255:138          netbios-dgm   3.5kB   16
    10.7.0.255:137          netbios-ns    768 B   8
    239.255.255.250:1900                  966 B   6
    239.255.255.250:1900

    All recorded flows are local broadcast (NetBIOS to 10.7.0.255) and multicast (SSDP to 239.255.255.250:1900) discovery traffic generated by the sandbox VM itself; no outbound C2 or exfiltration traffic was captured in this run.

MITRE ATT&CK Enterprise v6


Downloads

  • memory/660-2-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize 304KB
  • memory/660-5-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize 304KB
  • memory/660-4-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize 304KB
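
All three dumps come from the relaunched child (PID 660) and cover the same region, 0x400000 to 0x44C000. That range is 0x4C000 = 311296 bytes = 304 KB, matching the listed Filesize, and 0x400000 is the default image base of a 32-bit executable, so a PE found there in the hollowed child is the injected payload rather than the on-disk loader. The following is an added example, not tria.ge's own code: it parses the dump names, derives the expected size, and, where a dump starts with a PE header, checks whether its ImageBase matches the dumped region. The PE bytes it tests against are a constructed minimal PE32 header, not the sample's payload.

```python
"""Sanity checks on sandbox memory dumps. The dump name encodes the PID,
a sequence number and the dumped address range, so the expected size can
be derived from it; if the dump starts with a PE image header its
ImageBase and SizeOfImage can be compared with the region.
Added example, not tria.ge code. The PE bytes are a constructed minimal
PE32 header standing in for a dumped payload."""
import re
import struct

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp")

# Dump names exactly as listed in the report.
REPORT_DUMPS = [
    "memory/660-2-0x0000000000400000-0x000000000044C000-memory.dmp",
    "memory/660-5-0x0000000000400000-0x000000000044C000-memory.dmp",
    "memory/660-4-0x0000000000400000-0x000000000044C000-memory.dmp",
]


def parse_dump_name(name):
    m = DUMP_NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_size_kb(start, end):
    """Size of the dumped range in KiB, the unit the report's Filesize uses."""
    return (end - start) // 1024


def build_pe32_header(image_base, size_of_image):
    """Constructed minimal PE32 image header: DOS stub with e_lfanew,
    PE signature, COFF header and a 224-byte optional header."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine i386, 1 section, no symbols, optional header 0xE0 bytes, EXE | 32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    return dos + b"PE\0\0" + coff + bytes(opt)


def inspect_dump(name, data):
    """Describe a dump: region size from the name, and PE header fields if
    the dump holds a PE32 image. Non-PE data is reported, not rejected."""
    meta = parse_dump_name(name)
    result = {"pid": meta["pid"], "region_size": meta["end"] - meta["start"],
              "is_pe": False, "image_base": None, "size_of_image": None,
              "base_matches_region": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # past "PE\0\0" and the COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 60:
        return result
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return result                            # PE32 only: the sample runs as a 32-bit (WOW64) process
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    result.update(is_pe=True, image_base=image_base, size_of_image=size_of_image,
                  base_matches_region=image_base == meta["start"])
    return result


if __name__ == "__main__":
    payload = build_pe32_header(0x400000, 0x4C000)   # constructed stand-in for the dump contents
    for dump in REPORT_DUMPS:
        meta = parse_dump_name(dump)
        print(dump, region_size_kb(meta["start"], meta["end"]), "KB",
              inspect_dump(dump, payload))
```

On a real dump, `base_matches_region` being true with `size_of_image` equal to `region_size` is the signature of a complete in-memory image; a PE whose ImageBase differs from the region start has been relocated or is a mapped DLL, and a dump that is not a PE at all (shellcode, a heap region) needs a different parser.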
