
Analysis

  • max time kernel
    90s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20/12/2022, 20:07

General

  • Target

    Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe

  • Size

    1.0MB

  • MD5

    412dc04cd285536555dd04346b3eafdd

  • SHA1

    59e5a35ee4fc632044b418cac26778702b1ccd27

  • SHA256

    0d645b8f0f44784c4f9a2d883a1a1efd6432127988ed94b3881c794c868dcddd

  • SHA512

    afd2348032df1f0c68631aa1f3bb8c1013245508256c7fc94275c48d721fa43f6308544aaf749d5ab718f35f179cd94ea18a3a517cfd25749b3e8838ab166334

  • SSDEEP

    24576:kYWPB86eyZ6qTh5o6m9nffXgHEiTznmb1g3R3XR86:k326J6WLmoEiTz8

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/
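The C2 above is not an attacker-owned host but the Telegram Bot API, so blocking api.telegram.org would also cut legitimate Telegram traffic, and the URL itself embeds a live bot token ("<numeric bot id>:<secret>") that should not be pasted unredacted into tickets or shared feeds. The following Python is an added example, not part of the tria.ge report: it splits the extracted C2 into a stable bot id plus a redacted secret and defanged form, and matches Bot API calls in proxy logs on the URL path rather than the host. The log lines and their column layout are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Input copied from the extracted config above; the token is treated as a
# credential and never emitted unredacted by this code.
C2_URL = "https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/"

# Telegram bot tokens are "<numeric bot id>:<secret>"; the API method
# (sendDocument, sendMessage, ...) follows the token in the path.
TOKEN_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})(?P<rest>/.*)?$")
BEACON_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")


def parse_telegram_bot_c2(url: str) -> dict:
    """Split a Telegram Bot API C2 URL into a trackable id and a redacted secret."""
    parts = urlsplit(url)
    m = TOKEN_PATH_RE.match(parts.path)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org" or m is None:
        raise ValueError("not a Telegram Bot API URL: %r" % url)
    secret = m.group("secret")
    method = (m.group("rest") or "").strip("/")
    return {
        "host": parts.hostname,
        "bot_id": m.group("bot_id"),  # stable identifier for reporting/takedown
        "secret_redacted": secret[:4] + "..." + secret[-4:],
        "method": method or None,
        "defanged": (url.replace("https://", "hxxps://")
                        .replace("api.telegram.org", "api[.]telegram[.]org")
                        .replace(secret, "<redacted>")),
    }


def find_bot_api_calls(log_lines: list) -> list:
    """Return (client, bot_id, method) for each log line that calls the Bot API.

    Matching the /bot<id>:<secret>/<method> path instead of the host keeps
    ordinary Telegram traffic (web.telegram.org, desktop client) out of the alert.
    """
    hits = []
    for line in log_lines:
        m = BEACON_RE.search(line)
        if m:
            client = line.split()[1]  # constructed format: ts client method url status
            hits.append((client, m.group(1), m.group(2)))
    return hits


# Constructed proxy log lines for demonstration (not from the report).
PROXY_LOG = [
    "2022-12-20T20:08:11Z 10.0.0.15 POST https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/sendDocument 200",
    "2022-12-20T20:08:12Z 10.0.0.15 GET https://web.telegram.org/a/ 200",
    "2022-12-20T20:09:01Z 10.0.0.22 POST https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/sendMessage 200",
]

if __name__ == "__main__":
    ioc = parse_telegram_bot_c2(C2_URL)
    print("bot id:", ioc["bot_id"], "defanged:", ioc["defanged"])
    for client, bot_id, method in find_bot_api_calls(PROXY_LOG):
        print("beacon from %s to bot %s via %s" % (client, bot_id, method))
```

The bot id is the durable handle: it survives token rotation and is what Telegram abuse reports and shared IOC feeds should carry, while the secret stays out of anything that is not an access-controlled case file.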

Signatures

  • AgentTesla

    Agent Tesla is a .NET (originally VB.NET) information stealer with remote access tool (RAT) features; this sample's extracted config uses the Telegram Bot API as its C2.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but the behaviour itself is generic; the extracted config identifies this sample as the AgentTesla infostealer, so treat the ransomware hint as the signature's wording rather than a finding.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
    "C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oXIqehGQb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3140
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oXIqehGQb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2344
    • C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
      "C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"
      2⤵
        PID:2684
      • C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
        "C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:4912
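Two details of the tree above matter for detection. First, the PowerShell and schtasks entries show the Image as C:\Windows\SysWOW64\... while the CommandLine says System32: the dropper is 32-bit (arch:x86 tag), so WOW64 file-system redirection rewrites the path, and a rule keyed on the full System32 path misses these events. Second, the dropper spawns itself twice (PIDs 2684 and 4912) after SetThreadContext/WriteProcessMemory, and the memory listing further down shows PID 4912 holding a 184KB image at 0x400000 where PID 3160's on-disk image is 1.0MB at 0x430000, which is consistent with process hollowing. The following Python is an added example, not part of the tria.ge report: it runs three process-creation rules over events modelled on this tree (Sysmon Event ID 1 style fields; PIDs, images and command lines taken from the page, the dropper's parent PID 5000 is a placeholder).

```python
import re

# Constructed process-creation events modelled on the report's process tree.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed "
           r"production materials with technical drawings componenet.exe")
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"  # WOW64-redirected path
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'  # what the command line says

EVENTS = [
    {"pid": 3160, "ppid": 5000, "image": DROPPER, "cmdline": '"%s"' % DROPPER},
    {"pid": 3396, "ppid": 3160, "image": PS_IMAGE,
     "cmdline": PS_CMD + ' Add-MpPreference -ExclusionPath "%s"' % DROPPER},
    {"pid": 3140, "ppid": 3160, "image": PS_IMAGE,
     "cmdline": PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oXIqehGQb.exe"'},
    {"pid": 2344, "ppid": 3160, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oXIqehGQb" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp"'},
    {"pid": 2684, "ppid": 3160, "image": DROPPER, "cmdline": '"%s"' % DROPPER},
    {"pid": 4912, "ppid": 3160, "image": DROPPER, "cmdline": '"%s"' % DROPPER},
]


def _basename(path):
    # Compare on the file name so System32 and SysWOW64 copies match alike.
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev, by_pid):
    """PowerShell adding a Defender path exclusion (Impair Defenses)."""
    return (_basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"add-mppreference\b.*-exclusionpath", ev["cmdline"], re.I) is not None)


def rule_schtasks_xml_from_temp(ev, by_pid):
    """schtasks /Create importing a task definition from the user's Temp directory."""
    return (_basename(ev["image"]) == "schtasks.exe"
            and re.search(r'/create\b.*/xml\s+"?[^"]*\\appdata\\local\\temp\\',
                          ev["cmdline"], re.I) is not None)


def rule_self_spawn_from_user_dir(ev, by_pid):
    """A process under AppData starting a second copy of its own image (hollowing pattern)."""
    parent = by_pid.get(ev["ppid"])
    return (parent is not None
            and parent["image"].lower() == ev["image"].lower()
            and "\\appdata\\" in ev["image"].lower())


RULES = [
    ("defender_exclusion", "T1562.001", rule_defender_exclusion),
    ("schtasks_xml_from_temp", "T1053.005", rule_schtasks_xml_from_temp),
    ("self_spawn_from_user_dir", "T1055.012", rule_self_spawn_from_user_dir),
]


def evaluate_events(events):
    """Return (pid, rule name, ATT&CK technique) for every rule hit, in event order."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        for name, technique, rule in RULES:
            if rule(ev, by_pid):
                hits.append((ev["pid"], name, technique))
    return hits


if __name__ == "__main__":
    for pid, name, technique in evaluate_events(EVENTS):
        print("PID %d: %s (%s)" % (pid, name, technique))
```

The self-spawn rule is deliberately narrow (same image, user-writable location); on a real host it should be paired with the memory evidence the sandbox surfaced here, since legitimate updaters also relaunch themselves. The Defender exclusion rule fires regardless of whether the command succeeds; on a host where it did, the exclusion for the dropper and for C:\Users\Admin\AppData\Roaming\oXIqehGQb.exe has to be removed as part of remediation along with the Updates\oXIqehGQb task.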

    Network

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      6949beda7a877d3e926a0d1a3842a8be

      SHA1

      b6752256e1166321460c16f76bd5f0484f4da425

      SHA256

      20597e7067b19c0ca4739792cacad34cdda282fd2d64a7bfcc8e487b890b574e

      SHA512

      eb3f883e7e02dc382d8262acfad4a3083c152bbd665a2b78834cfa18708b6260fbe5f51b80fcb33d46b28febdac8ef76bea5ca39826d3e3d9b50013ae21487e2

    • C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp

      Filesize

      1KB

      MD5

      08aed8f3c11fe87e42e09d05bc0f1154

      SHA1

      d440f1332fde3a1a1703f920ac857e13cf075abf

      SHA256

      5bf65493e9fd30473612dd6cd8392e17392fe4f26e8da9be82a6e189443a28c2

      SHA512

      958e02f82fdfe9e07312b8dc93a9ad3420179c33c091e1779f78baab9ca5347473874b1e0fe73cee519b9cc9679562fca5e36ed4b5629f5f51d43dfa1a0bd545

    • memory/3140-149-0x0000000006470000-0x000000000648E000-memory.dmp

      Filesize

      120KB

    • memory/3140-160-0x0000000007B10000-0x0000000007B18000-memory.dmp

      Filesize

      32KB

    • memory/3140-159-0x0000000007B30000-0x0000000007B4A000-memory.dmp

      Filesize

      104KB

    • memory/3140-158-0x0000000007A20000-0x0000000007A2E000-memory.dmp

      Filesize

      56KB

    • memory/3140-157-0x0000000007A70000-0x0000000007B06000-memory.dmp

      Filesize

      600KB

    • memory/3140-156-0x0000000007860000-0x000000000786A000-memory.dmp

      Filesize

      40KB

    • memory/3140-143-0x0000000005430000-0x0000000005452000-memory.dmp

      Filesize

      136KB

    • memory/3140-155-0x00000000077F0000-0x000000000780A000-memory.dmp

      Filesize

      104KB

    • memory/3140-144-0x00000000054D0000-0x0000000005536000-memory.dmp

      Filesize

      408KB

    • memory/3140-152-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

      Filesize

      304KB

    • memory/3140-150-0x00000000074C0000-0x00000000074F2000-memory.dmp

      Filesize

      200KB

    • memory/3160-135-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

      Filesize

      40KB

    • memory/3160-133-0x00000000054B0000-0x0000000005A54000-memory.dmp

      Filesize

      5.6MB

    • memory/3160-132-0x0000000000430000-0x0000000000538000-memory.dmp

      Filesize

      1.0MB

    • memory/3160-136-0x0000000008D10000-0x0000000008DAC000-memory.dmp

      Filesize

      624KB

    • memory/3160-134-0x0000000004F00000-0x0000000004F92000-memory.dmp

      Filesize

      584KB

    • memory/3396-145-0x0000000004FC0000-0x0000000005026000-memory.dmp

      Filesize

      408KB

    • memory/3396-154-0x00000000077C0000-0x0000000007E3A000-memory.dmp

      Filesize

      6.5MB

    • memory/3396-153-0x0000000006420000-0x000000000643E000-memory.dmp

      Filesize

      120KB

    • memory/3396-141-0x0000000005060000-0x0000000005688000-memory.dmp

      Filesize

      6.2MB

    • memory/3396-151-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

      Filesize

      304KB

    • memory/3396-138-0x0000000002540000-0x0000000002576000-memory.dmp

      Filesize

      216KB

    • memory/4912-148-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4912-161-0x0000000006940000-0x0000000006990000-memory.dmp

      Filesize

      320KB