Analysis

  • max time kernel
    67s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/02/2023, 14:18

General

  • Target

    shipping document.exe

  • Size

    562KB

  • MD5

    303efa74e4e9cf4a07a685d45b62b2a8

  • SHA1

    43b21136f103e62f2af9745d3ffaec9883a52b66

  • SHA256

    7878c151e7275b02792479eb673f4406f15aca3242e4b525ddecda93c06ea312

  • SHA512

    b95109a37d83c735e20a37dbecfb3aba712f0e2460c329c7db9cc28b884ad37af5b2e42ff5beb6afe5798440cbd6108c85cf8d4890c06140f4c80dfa2976eda9

  • SSDEEP

    12288:raFFZ6wajEsd1U+WvDeToTopNGpR6bxRXO/5TiTm4HoFzLj:g61jEsvSYoT8w6bx1O/BiTjozL

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but the tag is generic: drive enumeration is also routine host reconnaissance for a stealer, and nothing else in this report points to file encryption.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks.exe is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipping document.exe
    "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CyWJwnu.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CyWJwnu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE12.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1648
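
The tree above is the whole AgentTesla setup chain in five processes: two PowerShell children add Defender exclusions for the dropper and for its %APPDATA% copy, schtasks.exe imports a task definition from a 1 KB file in %TEMP%, and RegSvcs.exe is started with no arguments so the payload can be written into it (the SetThreadContext and WriteProcessMemory hits on PID 1320). The detection script below is an added example, not part of the Triage report: it runs three rules over constructed Sysmon-style process-creation events (modelled on the tree above, plus two benign look-alikes) and then correlates the hits by parent PID, since any one rule alone is noisy but two or more under the same parent is the pattern seen here. The event fields, rule names and the benign entries are assumptions for illustration.

```python
"""Flag the AgentTesla-style setup chain in Sysmon-like process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line as logged


# Constructed sample events (not a real log capture). The first five mirror the
# process tree in the report; the last two are benign look-alikes.
EVENTS = [
    ProcEvent(1320, 900,
              r"C:\Users\Admin\AppData\Local\Temp\shipping document.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"'),
    ProcEvent(1816, 1320,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"'),
    ProcEvent(468, 1320,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\CyWJwnu.exe"'),
    ProcEvent(616, 1320,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CyWJwnu" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBE12.tmp"'),
    ProcEvent(1648, 1320,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # benign: an installer registering a COM+ assembly passes an argument
    ProcEvent(2000, 700,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Comp.dll"'),
    # benign: a task imported from an install directory rather than %TEMP%
    ProcEvent(2001, 700,
              r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\task.xml"'),
]

# Add-MpPreference with any exclusion switch (path, process or extension)
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# the file given to schtasks /XML, quoted or not
XML_ARG_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# signed .NET utilities commonly used as hollowing hosts; they always take
# arguments when used legitimately
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def detect(events):
    """Return (rule, pid) pairs for events matching the three behaviours in the report."""
    hits = []
    for ev in events:
        name = basename(ev.image)
        if name in ("powershell.exe", "pwsh.exe") and EXCLUSION_RE.search(ev.cmdline):
            hits.append(("defender_exclusion", ev.pid))
        if name == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
            m = XML_ARG_RE.search(ev.cmdline)
            xml_path = (m.group(1) or m.group(2)) if m else ""
            if "\\temp\\" in xml_path.lower():
                hits.append(("task_from_temp", ev.pid))
        if name in DOTNET_HOSTS and has_no_arguments(ev):
            hits.append(("hollowed_dotnet_host", ev.pid))
    return hits


def correlate_by_parent(events, hits):
    """Group hits under the parent that spawned them; two or more distinct rules
    under one parent PID is the chain pattern from the report."""
    ppid_of = {ev.pid: ev.ppid for ev in events}
    by_parent = defaultdict(set)
    for rule, pid in hits:
        by_parent[ppid_of[pid]].add(rule)
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid in found:
        print(f"{rule:22} pid={pid}")
    print("chains:", correlate_by_parent(EVENTS, found))
```

On real telemetry the same three rules apply to Sysmon event ID 1 or Windows Security 4688 (with command-line auditing enabled); the parent correlation is what keeps a lone administrator-run Add-MpPreference from paging anyone.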

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBE12.tmp

    Filesize

    1KB

    MD5

    25b0ad286a47450f2f9ce722a82876e1

    SHA1

    f1fc7a45fe2bb3d35f47a31575a665e537df707a

    SHA256

    6294616e5c16cfe0c65be978bdb5a42554c888cd5859fc8bba047c174726ebc2

    SHA512

    b7284b1b7ce408c734f0c73c74f31853194590ef5cdc4ca0cb16231521e57d03708800e51bb2fa776def4bef55020562ae9434463c8a2d75e7fa94d101642b2e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    c76fe2b327960693e518bbc85533b5b1

    SHA1

    cd5914ea2c6e2f23a2dc1dcb3bef0659f8aea6b1

    SHA256

    074eeece7178f2b1d994ac5d23088a878b8450ae8e8fd7a997fddcebad30acd9

    SHA512

    e15448320f25561c761ad7585243aac3b6442858460270189e76baa62f231c03dfdd49532347c88aad78efb4fbb1cad603b0ccd356f1b0d74dafb859d325ebba

  • memory/468-82-0x000000006EA90000-0x000000006F03B000-memory.dmp

    Filesize

    5.7MB

  • memory/468-79-0x000000006EA90000-0x000000006F03B000-memory.dmp

    Filesize

    5.7MB

  • memory/1320-54-0x00000000001B0000-0x0000000000242000-memory.dmp

    Filesize

    584KB

  • memory/1320-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

    Filesize

    8KB

  • memory/1320-56-0x0000000000360000-0x0000000000374000-memory.dmp

    Filesize

    80KB

  • memory/1320-57-0x0000000000490000-0x000000000049C000-memory.dmp

    Filesize

    48KB

  • memory/1320-58-0x0000000005B10000-0x0000000005B90000-memory.dmp

    Filesize

    512KB

  • memory/1320-66-0x0000000004380000-0x00000000043B2000-memory.dmp

    Filesize

    200KB

  • memory/1648-72-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1648-70-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1648-71-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1648-68-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1648-75-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1648-77-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1648-67-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1816-80-0x000000006EA90000-0x000000006F03B000-memory.dmp

    Filesize

    5.7MB

  • memory/1816-81-0x000000006EA90000-0x000000006F03B000-memory.dmp

    Filesize

    5.7MB
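
tmpBE12.tmp above is the 1 KB task definition that schtasks.exe imported with /XML; the report lists its hashes but not its contents. The script below is an added example, not from the Triage page: it parses a Task Scheduler XML document and pulls out what an analyst checks first (the Exec command, trigger types, run level, hidden flag) and flags the combinations that matter for persistence. The embedded sample XML is constructed on the assumption that the task launches the %APPDATA%\CyWJwnu.exe copy that the sample also excluded from Defender; the real file's contents are not on this page.

```python
"""Triage a Task Scheduler XML definition such as the one passed to schtasks /XML."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# paths an unprivileged user can write to: %APPDATA%, %TEMP% and their expanded forms
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%|[A-Z]:\\Users\\[^\\]+\\AppData\\)", re.IGNORECASE)

# Constructed sample: an assumption about what tmpBE12.tmp contains, modelled on the
# Defender exclusion the sample added for its %APPDATA% copy. Not the real file.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Updates</Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\CyWJwnu.exe</Command></Exec>
  </Actions>
</Task>
"""


def triage_task_xml(xml_data):
    """Extract the fields that decide whether a task is persistence, plus findings."""
    root = ET.fromstring(xml_data)  # accepts str or bytes (real exports are UTF-16 bytes)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers_el = root.find("t:Triggers", NS)
    children = list(triggers_el) if triggers_el is not None else []
    info = {
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "triggers": sorted(child.tag.split("}")[-1] for child in children),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
    }
    findings = []
    if USER_WRITABLE.match(info["command"]):
        findings.append("command runs from a user-writable path")
    if info["hidden"]:
        findings.append("task is hidden from the Task Scheduler UI")
    if info["run_level"].lower() == "highestavailable":
        findings.append("requests highest available privileges")
    if {"LogonTrigger", "BootTrigger"} & set(info["triggers"]):
        findings.append("runs at logon/boot (persistence)")
    info["findings"] = findings
    return info


if __name__ == "__main__":
    result = triage_task_xml(SAMPLE_TASK_XML)
    for key, value in result.items():
        print(f"{key:10} {value}")
```

Task XML exported by schtasks /Query /XML or dropped by malware is normally UTF-16 with a BOM; read such files in binary mode and pass the bytes straight to the function so the parser honours the encoding declaration. The same checks apply to task definitions recovered from C:\Windows\System32\Tasks\ on a compromised host.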