Analysis
- max time kernel: 59s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 10/02/2023, 12:58
Static task: static1
Behavioral task: behavioral1
- Sample: Re Overdue_2022 & payment reminder.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Re Overdue_2022 & payment reminder.exe
- Resource: win10v2004-20220812-en
General
- Target: Re Overdue_2022 & payment reminder.exe
- Size: 899KB
- MD5: 65f91978b009e38d5c12c1c8e6b750d9
- SHA1: b2706dbbe0a417030e9288851276113a4ff59fc5
- SHA256: 5b9beaf5bcc7cdcf72bf643b20bb15027536aae92fa0f33cdffbd02cf7297cbb
- SHA512: 25c660e2f807b87f29caca8d322398e0ab40e0705be7a9220aea1c09bea9142a64514919eb962c4ab373b17821df8afe2d144371f5278fd3db582cc0a6b2a254
- SSDEEP: 24576:RMRYTynuUNAisQeKddJgQQhTL6lCueDm:zQzXWhKCuea
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bosphoreqroup.com
- Port: 587
- Username: [email protected]
- Password: password2022@
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yGbzOMp = "C:\\Users\\Admin\\AppData\\Roaming\\yGbzOMp\\yGbzOMp.exe" (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1276 set thread context of 952 (pid 1276, Re Overdue_2022 & payment reminder.exe, procid_target 33)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1696, schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1276, Re Overdue_2022 & payment reminder.exe
  pid 1276, Re Overdue_2022 & payment reminder.exe
  pid 1276, Re Overdue_2022 & payment reminder.exe
  pid 524, powershell.exe
  pid 572, powershell.exe
  pid 1276, Re Overdue_2022 & payment reminder.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege (pid 1276, Re Overdue_2022 & payment reminder.exe)
  Token: SeDebugPrivilege (pid 524, powershell.exe)
  Token: SeDebugPrivilege (pid 572, powershell.exe)
  Token: SeDebugPrivilege (pid 952, RegSvcs.exe)
- Suspicious use of WriteProcessMemory (24 IoCs; all from pid 1276, Re Overdue_2022 & payment reminder.exe)
  PID 1276 wrote to memory of 572 (procid_target 27), 4 entries
  PID 1276 wrote to memory of 524 (procid_target 29), 4 entries
  PID 1276 wrote to memory of 1696 (procid_target 31), 4 entries
  PID 1276 wrote to memory of 952 (procid_target 33), 12 entries
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Re Overdue_2022 & payment reminder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Re Overdue_2022 & payment reminder.exe"
  PID: 1276
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Re Overdue_2022 & payment reminder.exe"
    PID: 572
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mZohOAEGFL.exe"
    PID: 524
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZohOAEGFL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA12.tmp"
    PID: 1696
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 952
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 2ac1b955cb86f0f4f453ee3fb8020673
  SHA1: 05d90f3511af1e2dbd72a43cea40d0bd11311d54
  SHA256: d73a29cb64a96a3c3cdc05f57710e947b738de7efa7a06c61c16bd7aa48f0129
  SHA512: 881178ce3ae1c808d90055a56f25badb352b095fac8e939247ca31e31f72f9c6ff1f8bc3c9032c3612dd943f5010b4ecd0e4d712d5e156e174657470270ae517
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 26377cab800dd3a81f80c8f67c5118de
  SHA1: 029121135b05b2b314afdaabec380f0dde085d19
  SHA256: 517f9aa2a003b8c3994b847f10c612f2da227a30592056f5cd1d48fade286577
  SHA512: 2ece126ea6d9726d3c162e7b0243add49a7f1b77e3521a5b2922978d7c22f107937ae442a76db95eeddf877338168e76bf530e78e56244523a3d13703aeb16ec