Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

DHL shipme...ls.exe

windows7-x64

10

DHL shipme...ls.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2022, 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL shipment details.exe

  • Size

    875KB

  • MD5

    393672bb42bc083ac95b87dfb7747b8c

  • SHA1

    8f843f8f0853dce4d9dde38e26a677886c0180b0

  • SHA256

    5c860ed368d528130c6e7e0349659248bd2ed17831b72725f23a41363c802606

  • SHA512

    207c41933c6ea35685218e0cce37c05e398349f2efe124cfd070b69dc9a4edb10340998e1487129d35c0af7db0fd315b9dc198b1537acc3173913daa1882ce0b

  • SSDEEP

    24576:o+H80Dr5z8em/TkTWG23DOghM1CcsfJx9:TJ8b/QTfkDOk7Jx

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    graceofgod@amenn

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL shipment details.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL shipment details.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLnbPbmJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3296
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLnbPbmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FDC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4956
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:5104

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1FDC.tmp
    Filesize

    1KB

    MD5

    c39897e7fbcec357a168d2bd421c324d

    SHA1

    68fdce35b234cc3af4a266cefbaabeb3848212b1

    SHA256

    0be2caab1e01a3e447cf0eda37eab9f5e22370ad0ba538b2e5c56514c3967cb2

    SHA512

    ddb0b97e0653e5920990ff35788999becf9a6d746d0f91b59ef1e9beadb45581dc0e589c6ff3e630e672e146a53e2d9b099c4dcf2fb40c54b5c10557d441d0d2

    Download Submit

  • memory/1492-133-0x0000000005B60000-0x0000000006104000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1492-134-0x00000000054C0000-0x0000000005552000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1492-135-0x0000000005570000-0x000000000557A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1492-136-0x0000000008050000-0x00000000080EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1492-132-0x0000000000A50000-0x0000000000B32000-memory.dmp

    Filesize

    904KB

    Download

  • memory/3296-150-0x0000000006720000-0x000000000673E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3296-149-0x0000000070F60000-0x0000000070FAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3296-157-0x00000000077B0000-0x00000000077B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3296-142-0x00000000053B0000-0x00000000059D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3296-156-0x00000000077D0000-0x00000000077EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3296-155-0x00000000076C0000-0x00000000076CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3296-144-0x00000000051E0000-0x0000000005202000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3296-145-0x00000000059E0000-0x0000000005A46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3296-146-0x0000000005B40000-0x0000000005BA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3296-147-0x0000000006180000-0x000000000619E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3296-148-0x0000000007150000-0x0000000007182000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3296-139-0x0000000004C00000-0x0000000004C36000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3296-151-0x0000000007AD0000-0x000000000814A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3296-152-0x0000000007490000-0x00000000074AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3296-153-0x0000000007500000-0x000000000750A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3296-154-0x0000000007710000-0x00000000077A6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5104-143-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5104-158-0x0000000006420000-0x0000000006470000-memory.dmp

    Filesize

    320KB

    Download