Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
136s -
platform
windows7_x64 -
resource
win7 -
submitted
10/07/2020, 07:02
Static task
static1
Behavioral task
behavioral1
Sample
2020quotation.exe
Resource
win7
Behavioral task
behavioral2
Sample
2020quotation.exe
Resource
win10v200430
General
-
Target
2020quotation.exe
-
Size
571KB
-
MD5
d7e71fd11bcd87a59da8b00143883adb
-
SHA1
6b7f4c2f64c01e2bd10a0c0a9cee0f54d4bb7755
-
SHA256
3ce9849a8dac1e1dbc85706d28667072289247e2ecd262134b9e014a939d6310
-
SHA512
57738549c3fb4485381d04c973ccc630a645c6806a8a79a9021b6f5392aa77654bef04af5466a75bdbdef87db549f049f18caf5894315afe11767be1dd40bd18
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
mmm777
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/1784-4-0x0000000000400000-0x000000000044E000-memory.dmp family_agenttesla behavioral1/memory/1784-5-0x00000000004482AE-mapping.dmp family_agenttesla behavioral1/memory/1784-6-0x0000000000400000-0x000000000044E000-memory.dmp family_agenttesla behavioral1/memory/1784-7-0x0000000000400000-0x000000000044E000-memory.dmp family_agenttesla -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 2020quotation.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1152 set thread context of 1784 1152 2020quotation.exe 26 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1296 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1784 2020quotation.exe 1784 2020quotation.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1784 2020quotation.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1784 2020quotation.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1152 wrote to memory of 1296 1152 2020quotation.exe 24 PID 1152 wrote to memory of 1296 1152 2020quotation.exe 24 PID 1152 wrote to memory of 1296 1152 2020quotation.exe 24 PID 1152 wrote to memory of 1296 1152 2020quotation.exe 24 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26 PID 1152 wrote to memory of 1784 1152 2020quotation.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\2020quotation.exe"C:\Users\Admin\AppData\Local\Temp\2020quotation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rzKmbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87F3.tmp"2⤵
- Creates scheduled task(s)
PID:1296
-
-
C:\Users\Admin\AppData\Local\Temp\2020quotation.exe"{path}"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1784
-