Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2022, 04:31
Static task: static1
Behavioral task: behavioral1
  Sample: f9e7203dfc0e2a439042e7bad0c6f332.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f9e7203dfc0e2a439042e7bad0c6f332.exe
  Resource: win10v2004-20220812-en
General
Target: f9e7203dfc0e2a439042e7bad0c6f332.exe
Size: 314KB
MD5: f9e7203dfc0e2a439042e7bad0c6f332
SHA1: 3b49eb85fdaff3b409779d24ff72c460a3a8f8f9
SHA256: e324b443ec618a2d918e9be6a2a5868f0bff85f8e90bec619146f249585a1644
SHA512: 1f73ff39c1d6ea81f256c34cb6045f89daaa9ea058306913843fee7cb2d577da8e0504f3dd27fe3cf4e4d68e78095e85bc45837b6442fd0482d51c9191aad515
SSDEEP: 6144:rkwmeVzslFNRUiAnqb1KNt5IjaiKjAmsPHtyYHgl5dZBhrmFQC3Jr:WlFNR/AqMNLb1cbtwHdD5CJZr
Malware Config
Extracted
Protocol: ftp
Host: ftp.valvulasthermovalve.cl
Port: 21
Username: [email protected]
Password: LILKOOLL14!!
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Executes dropped EXE (2 IoCs)
pid   Process
4936  rxfmsypjq.exe
4884  rxfmsypjq.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description  ioc                                                                                                                                                                      Process
Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                      rxfmsypjq.exe
Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rxfmsypjq.exe
Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                      rxfmsypjq.exe

Suspicious use of SetThreadContext (1 IoCs)
description                             pid   Process        procid_target
PID 4936 set thread context of 4884     4936  rxfmsypjq.exe  82

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4884  rxfmsypjq.exe
4884  rxfmsypjq.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid   Process
4936  rxfmsypjq.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4884  rxfmsypjq.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                        pid   Process                               procid_target
PID 3040 wrote to memory of 4936   3040  f9e7203dfc0e2a439042e7bad0c6f332.exe  81
PID 3040 wrote to memory of 4936   3040  f9e7203dfc0e2a439042e7bad0c6f332.exe  81
PID 3040 wrote to memory of 4936   3040  f9e7203dfc0e2a439042e7bad0c6f332.exe  81
PID 4936 wrote to memory of 4884   4936  rxfmsypjq.exe                         82
PID 4936 wrote to memory of 4884   4936  rxfmsypjq.exe                         82
PID 4936 wrote to memory of 4884   4936  rxfmsypjq.exe                         82
PID 4936 wrote to memory of 4884   4936  rxfmsypjq.exe                         82

outlook_office_path (1 IoCs)
description  ioc                                                                                                                                       Process
Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rxfmsypjq.exe

outlook_win_path (1 IoCs)
description  ioc                                                                                                                                                                      Process
Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rxfmsypjq.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\f9e7203dfc0e2a439042e7bad0c6f332.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9e7203dfc0e2a439042e7bad0c6f332.exe"
  PID: 3040
  Signatures:
    - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe" C:\Users\Admin\AppData\Local\Temp\ovwxxkyyoy.q
    PID: 4936
    Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rxfmsypjq.exe"
      PID: 4884
      Signatures:
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 287KB
MD5: f16c23b9e889356cc209f3150feca6af
SHA1: 3700e422799fe8ff121d8b18036574449fdca819
SHA256: fc1be8acda45d98af10cb4daf0210c4ac055147acca9e683dbe86fb76d56374b
SHA512: d1d14f07187bc44625e12d827db32f584710684a57b05e468485c35a345d924e640baf9468684287c98fe6fef5506421d0af6d8b02176503a4d9ba08b925aa6c

Filesize: 5KB
MD5: eaf9f4c207026da04735a18ff267307e
SHA1: a0cdfe4c32edf5d49cad4d7284284f218921d391
SHA256: 88711b5b48c8fe2c2ba89a081229afbc335432a2e76972f68ac7913ca6d94b40
SHA512: 3d1210b07a6f3520766accdffa41b0b877e28ab9ec239b8564e123bee37b3dabaad0e799e0bffc34ee48faf148f43edc260a8d6641782039da8d6004f95fd4cc

Filesize: 101KB
MD5: c58a5ad3848abd4d07b4b81a1b24acef
SHA1: 0f2b639b3523e7e6ddda984a28bc14c72830ec95
SHA256: 75ffb2be6a0b9f5b5360d4cac24e3ffd02d6c7d56c4bd34c94f52c8d05d54475
SHA512: 57aa1ebd420aad27261bec7902a5f5b0b9bfe89d4387329a95c3ce0ba4c62a6306dd38e44f378fac6b574dc14c8ff938782622331c472ecf28527a831d4c0daa