Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

f2b1dd5d70...5b.exe

windows7-x64

3

f2b1dd5d70...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2023, 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe

  • Size

    818KB

  • MD5

    056dbac271b4b97fac9016695f03be29

  • SHA1

    f2b1dd5d709a7e606002f1b2a0cda30e07d1635b

  • SHA256

    a67119e6131f2cf27b28044e3562d04abd86b62bcebbfa8ed7f4ecea90682f2d

  • SHA512

    6e9c26661573d89ec52e37e1c300bad30d215ffdddaddc8e1b357449c241f19e1dd19a44f14dff4d6c829efd8beeb165a03c4bcda0d853d981839ae84e727dbd

  • SSDEEP

    24576:keSqG4yPa46F0xM64kLOBLHK4FUgmaFq:ztWiFkLOBLHK4FUgm

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe
    "C:\Users\Admin\AppData\Local\Temp\f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uUnNpOcmAQf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uUnNpOcmAQf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C0F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3C0F.tmp
    Filesize

    1KB

    MD5

    d19bc7f87086c3dd882441b8556095ea

    SHA1

    613f1ed4f2394d8597d429977a9441cf943c266c

    SHA256

    18acbff01e453aead79db120784eab1423a8954fb481ca57810a717c644af7a8

    SHA512

    a3822dcbb09f3a976a2aeede4490cd6048670b0c9368c87c85fd2e2d4f42f2bd779e68ed495e45eeb5d033596a05f4954d84dd5cf3bbfbee45e89dc2d13e1274

    Download Submit

  • memory/1816-146-0x0000000005B60000-0x0000000005BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1816-152-0x0000000007480000-0x000000000749A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1816-156-0x00000000077C0000-0x00000000077DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1816-155-0x00000000076B0000-0x00000000076BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1816-154-0x0000000007700000-0x0000000007796000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1816-139-0x0000000002850000-0x0000000002886000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1816-153-0x00000000074F0000-0x00000000074FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1816-141-0x00000000054C0000-0x0000000005AE8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1816-145-0x00000000053D0000-0x0000000005436000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1816-151-0x0000000007AD0000-0x000000000814A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1816-147-0x0000000006180000-0x000000000619E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1816-150-0x0000000006740000-0x000000000675E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1816-157-0x00000000077A0000-0x00000000077A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1816-144-0x00000000051B0000-0x00000000051D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1816-148-0x0000000007140000-0x0000000007172000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1816-149-0x00000000703D0000-0x000000007041C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4376-134-0x0000000004CC0000-0x0000000004D52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4376-133-0x0000000005270000-0x0000000005814000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4376-136-0x0000000008A20000-0x0000000008ABC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4376-135-0x0000000004C80000-0x0000000004C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4376-132-0x0000000000350000-0x0000000000424000-memory.dmp

    Filesize

    848KB

    Download

  • memory/4944-143-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4944-158-0x0000000006FD0000-0x0000000007020000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4944-159-0x00000000071F0000-0x00000000073B2000-memory.dmp

    Filesize

    1.8MB

    Download