Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2022, 04:31

General

  • Target

    f9e7203dfc0e2a439042e7bad0c6f332.exe

  • Size

    314KB

  • MD5

    f9e7203dfc0e2a439042e7bad0c6f332

  • SHA1

    3b49eb85fdaff3b409779d24ff72c460a3a8f8f9

  • SHA256

    e324b443ec618a2d918e9be6a2a5868f0bff85f8e90bec619146f249585a1644

  • SHA512

    1f73ff39c1d6ea81f256c34cb6045f89daaa9ea058306913843fee7cb2d577da8e0504f3dd27fe3cf4e4d68e78095e85bc45837b6442fd0482d51c9191aad515

  • SSDEEP

    6144:rkwmeVzslFNRUiAnqb1KNt5IjaiKjAmsPHtyYHgl5dZBhrmFQC3Jr:WlFNR/AqMNLb1cbtwHdD5CJZr

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9e7203dfc0e2a439042e7bad0c6f332.exe
    "C:\Users\Admin\AppData\Local\Temp\f9e7203dfc0e2a439042e7bad0c6f332.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe
      "C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe" C:\Users\Admin\AppData\Local\Temp\ovwxxkyyoy.q
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe
        "C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4884

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\igcijvg.sh

    Filesize

    287KB

    MD5

    f16c23b9e889356cc209f3150feca6af

    SHA1

    3700e422799fe8ff121d8b18036574449fdca819

    SHA256

    fc1be8acda45d98af10cb4daf0210c4ac055147acca9e683dbe86fb76d56374b

    SHA512

    d1d14f07187bc44625e12d827db32f584710684a57b05e468485c35a345d924e640baf9468684287c98fe6fef5506421d0af6d8b02176503a4d9ba08b925aa6c

  • C:\Users\Admin\AppData\Local\Temp\ovwxxkyyoy.q

    Filesize

    5KB

    MD5

    eaf9f4c207026da04735a18ff267307e

    SHA1

    a0cdfe4c32edf5d49cad4d7284284f218921d391

    SHA256

    88711b5b48c8fe2c2ba89a081229afbc335432a2e76972f68ac7913ca6d94b40

    SHA512

    3d1210b07a6f3520766accdffa41b0b877e28ab9ec239b8564e123bee37b3dabaad0e799e0bffc34ee48faf148f43edc260a8d6641782039da8d6004f95fd4cc

  • C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe

    Filesize

    101KB

    MD5

    c58a5ad3848abd4d07b4b81a1b24acef

    SHA1

    0f2b639b3523e7e6ddda984a28bc14c72830ec95

    SHA256

    75ffb2be6a0b9f5b5360d4cac24e3ffd02d6c7d56c4bd34c94f52c8d05d54475

    SHA512

    57aa1ebd420aad27261bec7902a5f5b0b9bfe89d4387329a95c3ce0ba4c62a6306dd38e44f378fac6b574dc14c8ff938782622331c472ecf28527a831d4c0daa

  • C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe

    Filesize

    101KB

    MD5

    c58a5ad3848abd4d07b4b81a1b24acef

    SHA1

    0f2b639b3523e7e6ddda984a28bc14c72830ec95

    SHA256

    75ffb2be6a0b9f5b5360d4cac24e3ffd02d6c7d56c4bd34c94f52c8d05d54475

    SHA512

    57aa1ebd420aad27261bec7902a5f5b0b9bfe89d4387329a95c3ce0ba4c62a6306dd38e44f378fac6b574dc14c8ff938782622331c472ecf28527a831d4c0daa

  • C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe

    Filesize

    101KB

    MD5

    c58a5ad3848abd4d07b4b81a1b24acef

    SHA1

    0f2b639b3523e7e6ddda984a28bc14c72830ec95

    SHA256

    75ffb2be6a0b9f5b5360d4cac24e3ffd02d6c7d56c4bd34c94f52c8d05d54475

    SHA512

    57aa1ebd420aad27261bec7902a5f5b0b9bfe89d4387329a95c3ce0ba4c62a6306dd38e44f378fac6b574dc14c8ff938782622331c472ecf28527a831d4c0daa

  • memory/4884-139-0x00000000053A0000-0x0000000005944000-memory.dmp

    Filesize

    5.6MB

  • memory/4884-140-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/4884-141-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

    Filesize

    624KB

  • memory/4884-142-0x0000000005E00000-0x0000000005E66000-memory.dmp

    Filesize

    408KB

  • memory/4884-143-0x0000000006290000-0x00000000062E0000-memory.dmp

    Filesize

    320KB

  • memory/4884-144-0x0000000006860000-0x00000000068F2000-memory.dmp

    Filesize

    584KB

  • memory/4884-145-0x0000000006940000-0x000000000694A000-memory.dmp

    Filesize

    40KB