Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
90s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20/12/2022, 20:07
Static task
static1
Behavioral task
behavioral1
Sample
Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
Resource
win10v2004-20220812-en
General
-
Target
Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
-
Size
1.0MB
-
MD5
412dc04cd285536555dd04346b3eafdd
-
SHA1
59e5a35ee4fc632044b418cac26778702b1ccd27
-
SHA256
0d645b8f0f44784c4f9a2d883a1a1efd6432127988ed94b3881c794c868dcddd
-
SHA512
afd2348032df1f0c68631aa1f3bb8c1013245508256c7fc94275c48d721fa43f6308544aaf749d5ab718f35f179cd94ea18a3a517cfd25749b3e8838ab166334
-
SSDEEP
24576:kYWPB86eyZ6qTh5o6m9nffXgHEiTznmb1g3R3XR86:k326J6WLmoEiTz8
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3160 set thread context of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2344 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 3140 powershell.exe 3396 powershell.exe 4912 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 4912 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 3140 powershell.exe 3396 powershell.exe 4912 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3396 powershell.exe Token: SeDebugPrivilege 3140 powershell.exe Token: SeDebugPrivilege 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe Token: SeDebugPrivilege 4912 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4912 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3160 wrote to memory of 3396 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 91 PID 3160 wrote to memory of 3396 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 91 PID 3160 wrote to memory of 3396 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 91 PID 3160 wrote to memory of 3140 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 93 PID 3160 wrote to memory of 3140 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 93 PID 3160 wrote to memory of 3140 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 93 PID 3160 wrote to memory of 2344 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 95 PID 3160 wrote to memory of 2344 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 95 PID 3160 wrote to memory of 2344 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 95 PID 3160 wrote to memory of 2684 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 97 PID 3160 wrote to memory of 2684 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 97 PID 3160 wrote to memory of 2684 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 97 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 PID 3160 wrote to memory of 4912 3160 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe 98 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oXIqehGQb.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oXIqehGQb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp"2⤵
- Creates scheduled task(s)
PID:2344
-
-
C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"2⤵PID:2684
-
-
C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"C:\Users\Admin\AppData\Local\Temp\Proof of Payment_Presentation of needed production materials with technical drawings componenet.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4912
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD56949beda7a877d3e926a0d1a3842a8be
SHA1b6752256e1166321460c16f76bd5f0484f4da425
SHA25620597e7067b19c0ca4739792cacad34cdda282fd2d64a7bfcc8e487b890b574e
SHA512eb3f883e7e02dc382d8262acfad4a3083c152bbd665a2b78834cfa18708b6260fbe5f51b80fcb33d46b28febdac8ef76bea5ca39826d3e3d9b50013ae21487e2
-
Filesize
1KB
MD508aed8f3c11fe87e42e09d05bc0f1154
SHA1d440f1332fde3a1a1703f920ac857e13cf075abf
SHA2565bf65493e9fd30473612dd6cd8392e17392fe4f26e8da9be82a6e189443a28c2
SHA512958e02f82fdfe9e07312b8dc93a9ad3420179c33c091e1779f78baab9ca5347473874b1e0fe73cee519b9cc9679562fca5e36ed4b5629f5f51d43dfa1a0bd545