Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2022, 10:39
Static task: static1
Behavioral task: behavioral1
  Sample: Dekont.PDF.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Dekont.PDF.exe
  Resource: win10v2004-20220812-en
General
- Target: Dekont.PDF.exe
- Size: 1.6MB
- MD5: 76ba6964a46301e0b22a182eb1796af4
- SHA1: 365a5c45aedadd22ad59948fcf602d814462b7a0
- SHA256: 47646f3f8c7c4ddd4b3c216bf6c52980abe65a44fa54113d5f16d90cedd99fdd
- SHA512: ba56f078f1a2d38bf05466884cc715ec12ad4d8ed637fe9184cb4db3ec8e6eadfac1127c16b1955545f4a4fc12ad9b2c8a107c813adcf83e3f72c075309fa53f
- SSDEEP: 24576:gAOcZXQO+cyQF5zO8Y78i4RBayBkvDr/DwpN6k77rvyOMhoihMhi9+zOgQVUWTA:+o8S9GyyvPDwpN6kDbUsi9LPTA
Malware Config
Extracted: blustealer
  https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579
Extracted: agenttesla
  https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- BluStealer
  A modular information stealer written in Visual Basic.
- Executes dropped EXE (3 IoCs)
  PID 1612: DL NETIVE BOTNET LOGS.exe
  PID 972: pusgniqwdg.pif
  PID 1588: RegSvcs.exe
- Loads dropped DLL (10 IoCs)
  PID 1672: Dekont.PDF.exe (9 events)
  PID 972: pusgniqwdg.pif (1 event)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by pusgniqwdg.pif: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by pusgniqwdg.pif: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\1_94\\PUSGNI~1.PIF c:\\1_94\\xbpe.hvn"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1612 (DL NETIVE BOTNET LOGS.exe) set thread context of PID 1552 (procid_target 29)
  PID 972 (pusgniqwdg.pif) set thread context of PID 1588 (procid_target 30)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1588: RegSvcs.exe (6 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1588 (RegSvcs.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1612: DL NETIVE BOTNET LOGS.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 1672 (Dekont.PDF.exe) wrote to memory of PID 1612, procid_target 27 (4 events)
  PID 1672 (Dekont.PDF.exe) wrote to memory of PID 972, procid_target 28 (7 events)
  PID 1612 (DL NETIVE BOTNET LOGS.exe) wrote to memory of PID 1552, procid_target 29 (9 events)
  PID 972 (pusgniqwdg.pif) wrote to memory of PID 1588, procid_target 30 (9 events)
- outlook_office_path (1 IoC)
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe (level 1, PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\1_94\DL NETIVE BOTNET LOGS.exe (level 2, PID 1612)
    Command line: "C:\1_94\DL NETIVE BOTNET LOGS.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 3, PID 1552)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
  - C:\1_94\pusgniqwdg.pif (level 2, PID 972)
    Command line: "C:\1_94\pusgniqwdg.pif" xbpe.hvn
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (level 3, PID 1588)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads