Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
35s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
09/07/2020, 07:49
Static task
static1
Behavioral task
behavioral1
Sample
Access Invoice and project copy.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
Access Invoice and project copy.exe
Resource
win10
General
-
Target
Access Invoice and project copy.exe
-
Size
534KB
-
MD5
cb54bbaea939b4de45a411a856bd41a4
-
SHA1
8d258de61f13b74d4fd426337c3de4f0794ca372
-
SHA256
997de5ed7182657e00985a8b1e5f91656a8d7ad171c504780c5edbdda5fd5835
-
SHA512
8fef11aea6d6cdff318e719dd3a5e2ebd48f3ca9db21c5bd5690e9f49bbda2d27f889a1955e53b5b276cc57178367acbef48715cb771748f23645e7bf6dac0e8
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.startdrive.com.au - Port:
587 - Username:
[email protected] - Password:
smithsteve222
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/552-4-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/552-5-0x000000000044767E-mapping.dmp family_agenttesla behavioral1/memory/552-6-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/552-7-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Access Invoice and project copy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Access Invoice and project copy.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe" Access Invoice and project copy.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Access Invoice and project copy.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Access Invoice and project copy.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1016 set thread context of 552 1016 Access Invoice and project copy.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 268 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 552 Access Invoice and project copy.exe 552 Access Invoice and project copy.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 552 Access Invoice and project copy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 552 Access Invoice and project copy.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 552 Access Invoice and project copy.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1016 wrote to memory of 268 1016 Access Invoice and project copy.exe 27 PID 1016 wrote to memory of 268 1016 Access Invoice and project copy.exe 27 PID 1016 wrote to memory of 268 1016 Access Invoice and project copy.exe 27 PID 1016 wrote to memory of 268 1016 Access Invoice and project copy.exe 27 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29 PID 1016 wrote to memory of 552 1016 Access Invoice and project copy.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\Access Invoice and project copy.exe"C:\Users\Admin\AppData\Local\Temp\Access Invoice and project copy.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Tshmlnhkcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AB5.tmp"2⤵
- Creates scheduled task(s)
PID:268
-
-
C:\Users\Admin\AppData\Local\Temp\Access Invoice and project copy.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:552
-