Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

f383aca77e...de.exe

windows7_x64

10

f383aca77e...de.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    81s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10/05/2022, 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f383aca77ec8694ab609f6c6ee464bde.exe

  • Size

    455KB

  • MD5

    f383aca77ec8694ab609f6c6ee464bde

  • SHA1

    836abb931164edf8ea1ec1437b94eed0fc568049

  • SHA256

    6c13935ce459215baf7b863cf206747125cacca60793e81ca06ee66139eeba79

  • SHA512

    7acba871babb6cba09d1e444387d4d282f65b951b16127145521cd70915995425de6efc72a5f6400c81371734e5a47eaa33ed76ce06586f45fc8df1108af4040

Score
10/10
agentteslaasyncratvenom clientscollectionkeyloggerratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    odin.mk-host.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hotel2020#

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

194.5.97.88:5050

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f383aca77ec8694ab609f6c6ee464bde.exe
    "C:\Users\Admin\AppData\Local\Temp\f383aca77ec8694ab609f6c6ee464bde.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3512
          • C:\Users\Admin\AppData\Local\Temp\QWAS.exe
            "C:\Users\Admin\AppData\Local\Temp\QWAS.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4644
            • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
              "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
              6⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1348

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QWAS.exe
    Filesize

    682KB

    MD5

    0c333ed8bb368bd1f442e429d25468bf

    SHA1

    17caab2afdb4338cea5161abe9b4f1137585afcd

    SHA256

    ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d

    SHA512

    a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QWAS.exe
    Filesize

    682KB

    MD5

    0c333ed8bb368bd1f442e429d25468bf

    SHA1

    17caab2afdb4338cea5161abe9b4f1137585afcd

    SHA256

    ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d

    SHA512

    a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit

  • memory/1348-157-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1348-160-0x0000000006760000-0x00000000067B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1612-135-0x000000000D450000-0x000000000D472000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1612-130-0x00000000000D0000-0x0000000000146000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1612-134-0x0000000005A90000-0x0000000005A9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1612-133-0x0000000004C30000-0x0000000004CCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1612-132-0x0000000004AF0000-0x0000000004B82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1612-131-0x0000000004FE0000-0x0000000005584000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3008-140-0x0000000005B80000-0x0000000005BE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3008-141-0x0000000006AF0000-0x0000000006B66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3008-142-0x0000000006B90000-0x0000000006BAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3008-137-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3512-151-0x0000000006780000-0x00000000067A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3512-150-0x0000000006730000-0x000000000674A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3512-149-0x0000000007220000-0x00000000072B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3512-148-0x0000000006260000-0x000000000627E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3512-147-0x00000000054F0000-0x0000000005556000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3512-146-0x0000000005800000-0x0000000005E28000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3512-145-0x00000000028D0000-0x0000000002906000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4644-155-0x0000000000590000-0x0000000000640000-memory.dmp

    Filesize

    704KB

    Download