Analysis
- max time kernel: 97s
- max time network: 63s
- platform: windows7_x64
- resource: win7
- submitted: 14/07/2020, 12:43
Static task: static1
Behavioral task: behavioral1
- Sample: Sample pictures.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Sample pictures.exe
- Resource: win10v200430
General
- Target: Sample pictures.exe
- Size: 634KB
- MD5: 0580a219f7ced746a00c061bc6e9d9ae
- SHA1: 05a132aee9f9808600fbf1077b70b99b5215c884
- SHA256: 918973702e97922d932c32d86618ebd35116fb2d67a93cafd0f53a5b7b30da29
- SHA512: 11885891a6cf5a67e1fbe6264600c15c8474de28da25e45ca5af12cf80d24871ae0423b610af1183c269b9b5241c3e424b0f69b8bda619d87a767ce5483a5771
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: JEHOVAH8899
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/748-4-0x0000000000446D5E-mapping.dmp | family_agenttesla
  behavioral1/memory/748-5-0x0000000000080000-0x00000000000CC000-memory.dmp | family_agenttesla
  behavioral1/memory/748-6-0x0000000000080000-0x00000000000CC000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1108 set thread context of 748 | 1108 | Sample pictures.exe | 24
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  1108 | Sample pictures.exe (3 entries)
  748 | Sample pictures.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1108 | Sample pictures.exe
  Token: SeDebugPrivilege | 748 | Sample pictures.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  748 | Sample pictures.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1108 wrote to memory of 748 | 1108 | Sample pictures.exe | 24 (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Sample pictures.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sample pictures.exe"
  PID: 1108
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Sample pictures.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sample pictures.exe"
    PID: 748
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx