Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26/11/2022, 01:25
Static task: static1
Behavioral task: behavioral1
Sample: 6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
Resource: win10-20220901-en
General
Target: 6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
Size: 1.1MB
MD5: a471e88b1cb62af98534d61c26dd1973
SHA1: e9265d4b74ee8b09f60e1ab391691a90d19988ff
SHA256: 6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158
SHA512: 0954f6dac7062861892394a8daebe248eb93e2e0e56cb2784287479ca80b113725f21a3fde25e791027f10fc580129dbaa84c7a9f6ff63cefb465d3ff1c49f6f
SSDEEP: 24576:LAOcZXMungWgkTJgO4KnmdMLFspB6Q7CqF+7f:NrkTmWnmdMLE8Q7m
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (1 IoC)
  pid   Process
  2224  htufvjckrp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation          WScript.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc                                                                                                                                                                          Process
  Key opened   \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       RegSvcs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     api.ipify.org
  7     api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description                         pid   Process         procid_target
  PID 2224 set thread context of 4708  2224  htufvjckrp.exe  68
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description  ioc                                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings                 6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance  WScript.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  2224  htufvjckrp.exe
  2224  htufvjckrp.exe
  2224  htufvjckrp.exe
  2224  htufvjckrp.exe
  4708  RegSvcs.exe
  4708  RegSvcs.exe
  4708  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4708  RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process                                                                Procid_target
  PID 2696 wrote to memory of 1916    2696  6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe  66
  PID 2696 wrote to memory of 1916    2696  6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe  66
  PID 2696 wrote to memory of 1916    2696  6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe  66
  PID 1916 wrote to memory of 2224    1916  WScript.exe                                                            67
  PID 1916 wrote to memory of 2224    1916  WScript.exe                                                            67
  PID 1916 wrote to memory of 2224    1916  WScript.exe                                                            67
  PID 2224 wrote to memory of 4708    2224  htufvjckrp.exe                                                         68
  PID 2224 wrote to memory of 4708    2224  htufvjckrp.exe                                                         68
  PID 2224 wrote to memory of 4708    2224  htufvjckrp.exe                                                         68
  PID 2224 wrote to memory of 4708    2224  htufvjckrp.exe                                                         68
  PID 2224 wrote to memory of 4708    2224  htufvjckrp.exe                                                         68
- outlook_office_path (1 IoC)
  description  ioc                                                                                                                                    Process
  Key opened   \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
- outlook_win_path (1 IoC)
  description  ioc                                                                                                                                                                          Process
  Key opened   \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe"
   PID: 2696
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_101\qmanokwuqp.vbe"
      PID: 1916
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\6_101\htufvjckrp.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\6_101\htufvjckrp.exe" elfiuvguee.mp3
         PID: 2224
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            PID: 4708
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads