Analysis
  max time kernel: 70s
  max time network: 69s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 16/10/2022, 11:23
Static task
  static1

Behavioral task
  behavioral1
    Sample: INVOICE.exe
    Resource: win7-20220812-en

Behavioral task
  behavioral2
    Sample: INVOICE.exe
    Resource: win10v2004-20220812-en
General
  Target: INVOICE.exe
  Size: 924KB
  MD5: ef6a8631e2ef9254a647106872815787
  SHA1: 9149ed25102187a42bf8668a1b0426e1be63bc4a
  SHA256: 6f9a61bb7b17a4cb23733695d0c74ed1dff8d0645c2ee68f74b2cd6716baacd6
  SHA512: 90dad9ee231a1b6fb9d057677a76f2aebb36c5cb3224634eec88826524423cb9cc5c1bd2dc5e7792cd9de0458999306799e201166c076854a60de62fbb3fbef8
  SSDEEP: 12288:BiDg/A7YM21pisudT+i6Z0r7azvNvLBEet1imkRPuZb3TZj4ooHApUfrwY4p:Blppz67cvNFEU1imIq3ljfUfrwY4p
Malware Config
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\KFWOdr = "C:\\Users\\Admin\\AppData\\Roaming\\KFWOdr\\KFWOdr.exe" | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1824 set thread context of 976 | 1824 | INVOICE.exe | 29

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1972 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1824 | INVOICE.exe
  976 | RegSvcs.exe
  976 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1824 | INVOICE.exe
  Token: SeDebugPrivilege | 976 | RegSvcs.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1824 wrote to memory of 1972 | 1824 | INVOICE.exe | 27
  PID 1824 wrote to memory of 1972 | 1824 | INVOICE.exe | 27
  PID 1824 wrote to memory of 1972 | 1824 | INVOICE.exe | 27
  PID 1824 wrote to memory of 1972 | 1824 | INVOICE.exe | 27
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29
  PID 1824 wrote to memory of 976 | 1824 | INVOICE.exe | 29

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
  PID: 1824
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (depth 2, child of PID 1824)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PiuhWRUjFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84E9.tmp"
    PID: 1972
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, child of PID 1824)
    command line: "{path}"
    PID: 976
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 1KB
  MD5: 25953af73000c4d4909fe966ddc25013
  SHA1: 2c9eba488a442403f50461bf3b276734fed8f95f
  SHA256: 7de35cddbd227baaa40718c024893b7b89353987472b3f19745d8b368a2eead9
  SHA512: e022fee09e134568fb6f9a0a8f27bdc9043ca5675fb5d82b4a51af0a7cfdc675dbb61e495d108fe39995b3a3a2e8ff4af7c00add404b321c51549fd4f938bfb0