Analysis
- max time kernel: 70s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/09/2022, 09:00
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
- Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
- Size: 105KB
- MD5: ac4b11253fd63a6f272bf10dabdbfb01
- SHA1: 1892479a8d6b58642f57514b6bbd29ab4f7e5e62
- SHA256: 7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
- SHA512: 34b90fb700e609065b1e0ecf8eaa3fa5f33ed470e8dd58b03874de808bbae304e52ac5c0f81c93e9ec798dcf6009cc76433899743fef8ea4db1fdb0fb9f60511
- SSDEEP: 3072:Us+LplNxNXz3lxRXJWfH1lzsf+BaMPEGNXA8rD:UsKxNX1AP14xA7NXjv
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.overviewsupplies.com/
- Port: 21
- Username: [email protected]
- Password: w[3c2r?B,Of+
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  description | ioc | Process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1848 | SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid | Process
  1436 | caspol.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1848 | SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
  1436 | caspol.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1848 set thread context of 1436 | 1848 | SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe | 28
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  1848 | SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1848 wrote to memory of 1436 | 1848 | SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe | 28 (5 entries)
  PID 1436 wrote to memory of 1780 | 1436 | caspol.exe | 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe"
  PID: 1848
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe"
    PID: 1436
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1584
      PID: 1780
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 11KB
- MD5: 883eff06ac96966270731e4e22817e11
- SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
- SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
- SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390