Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2022, 10:39

General

  • Target

    Dekont.PDF.exe

  • Size

    1.6MB

  • MD5

    76ba6964a46301e0b22a182eb1796af4

  • SHA1

    365a5c45aedadd22ad59948fcf602d814462b7a0

  • SHA256

    47646f3f8c7c4ddd4b3c216bf6c52980abe65a44fa54113d5f16d90cedd99fdd

  • SHA512

    ba56f078f1a2d38bf05466884cc715ec12ad4d8ed637fe9184cb4db3ec8e6eadfac1127c16b1955545f4a4fc12ad9b2c8a107c813adcf83e3f72c075309fa53f

  • SSDEEP

    24576:gAOcZXQO+cyQF5zO8Y78i4RBayBkvDr/DwpN6k77rvyOMhoihMhi9+zOgQVUWTA:+o8S9GyyvPDwpN6kDbUsi9LPTA

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\1_94\DL NETIVE BOTNET LOGS.exe
      "C:\1_94\DL NETIVE BOTNET LOGS.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        PID:1552
    • C:\1_94\pusgniqwdg.pif
      "C:\1_94\pusgniqwdg.pif" xbpe.hvn
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1588

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\1_94\DL NETIVE BOTNET LOGS.exe

    Filesize

    440KB

    MD5

    61f35c53811bb66d62effc5a53de458f

    SHA1

    e4507c6a3d5c3d01f19c487366044febb126ca70

    SHA256

    833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

    SHA512

    5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

  • C:\1_94\phiv.noq

    Filesize

    419KB

    MD5

    9e24af62c8fd951dc8c9ebf8082e56c2

    SHA1

    4c56b3059055b4e8741611e1b55e32fd5d55fe32

    SHA256

    74d6840ebabc919b6399358bbce8507f2da165d12f95bb144ef73f0b0ebb3936

    SHA512

    433152ff88dcdeb7a23606702ea61c26ce75902bb9d6f631e8e589145c3483ac408ac88ba7b9ae3443084389107bf6622ad532e78abec8e120f3fc0a21a8b2fe

  • C:\1_94\pusgniqwdg.pif

    Filesize

    820KB

    MD5

    0c996fa7285452f1302d8c781bd72972

    SHA1

    93b2a1bce155afec134804b3a2ef6b40ac0a4178

    SHA256

    470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

    SHA512

    e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

  • C:\1_94\vxve.exe

    Filesize

    59KB

    MD5

    c739ed663921f7c2cd1e806f46b32d92

    SHA1

    ae5b9711392c0972add32635c60da5b1a807074f

    SHA256

    8822b0a84853c52e7595a26c1827adf0c659065bc93fc81a97791014a8770218

    SHA512

    e167b4a07e585ee5b1fb45ee68a002618f0cc7f8415875a4b4121c113369a0b786665d02ee615237b5867c311e646e13131f281b519d76ead236d80b8781d6e1

  • C:\1_94\xbpe.hvn

    Filesize

    218.9MB

    MD5

    9162c8e0ae1fad9e706248b904a9e1cd

    SHA1

    b7b90b6e3e422c3b0e008878e9609408839cc578

    SHA256

    3739cf8b42b0295579592aa2cfbdfa138f387803e198d9c68967bd0fef694c1e

    SHA512

    91ddbf165ba945072c790af134b8e128ef317dc3e7c0174eb8faae43da68138dbbbf02da97b034df2ae91a2aa38aae5fccd636942a63d84ffded26a9e3b5679d

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • \1_94\DL NETIVE BOTNET LOGS.exe

    Filesize

    440KB

    MD5

    61f35c53811bb66d62effc5a53de458f

    SHA1

    e4507c6a3d5c3d01f19c487366044febb126ca70

    SHA256

    833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

    SHA512

    5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

  • \1_94\pusgniqwdg.pif

    Filesize

    820KB

    MD5

    0c996fa7285452f1302d8c781bd72972

    SHA1

    93b2a1bce155afec134804b3a2ef6b40ac0a4178

    SHA256

    470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

    SHA512

    e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/1552-74-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1552-79-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1552-81-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1552-83-0x00000000024F0000-0x00000000025AC000-memory.dmp

    Filesize

    752KB

  • memory/1552-76-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1588-88-0x0000000000430000-0x0000000000A08000-memory.dmp

    Filesize

    5.8MB

  • memory/1588-86-0x0000000000430000-0x0000000000A08000-memory.dmp

    Filesize

    5.8MB

  • memory/1588-92-0x0000000000430000-0x0000000000A08000-memory.dmp

    Filesize

    5.8MB

  • memory/1588-94-0x0000000000430000-0x0000000000A08000-memory.dmp

    Filesize

    5.8MB

  • memory/1588-96-0x0000000000430000-0x000000000046A000-memory.dmp

    Filesize

    232KB

  • memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

    Filesize

    8KB