Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 141s
  max time network: 33s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 10/03/2023, 10:51
Static task
  static1

Behavioral task
  behavioral1
    Sample: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
    Resource: win7-20230220-en

Behavioral task
  behavioral2
    Sample: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
    Resource: win10v2004-20230220-en
General
  Target: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
  Size: 320KB
  MD5: c50d0e6336b2a71bebcf898513c337a7
  SHA1: 209a96f4252de81b40ada8137373f96e51acd897
  SHA256: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c
  SHA512: c13d1582f7773191a1ce599da7ca453f2ef7d4cb651edbbd9bb69b102165b91bbabf92cb57e01fbbca33a8a25e821d80938e3debdff29b526781b587dd2628b2
  SSDEEP: 6144:vYa6CRBAqdiNnbGL0cIizDZEzAapf3iNQUoNEr6Z2HW9HcWZR:vYkRyrnbe0czvWzAi3iaN1f8OR
Malware Config
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1528-69-0x0000000000400000-0x000000000044E000-memory.dmp   family_agenttesla
  behavioral1/memory/1528-72-0x0000000000400000-0x000000000044E000-memory.dmp   family_agenttesla
  behavioral1/memory/1528-74-0x0000000000400000-0x000000000044E000-memory.dmp   family_agenttesla

Executes dropped EXE (2 IoCs)
  pid   Process
  2000  dvqwjgk.exe
  1528  dvqwjgk.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2044  4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
  2044  4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
  2000  dvqwjgk.exe
  268   dw20.exe
  268   dw20.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 2000 set thread context of 1528  2000  dvqwjgk.exe  29

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1528  dvqwjgk.exe
  1528  dvqwjgk.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  268   dw20.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2000  dvqwjgk.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1528  dvqwjgk.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process                                                               procid_target
  PID 2044 wrote to memory of 2000  2044  4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  28
  PID 2044 wrote to memory of 2000  2044  4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  28
  PID 2044 wrote to memory of 2000  2044  4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  28
  PID 2044 wrote to memory of 2000  2044  4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  28
  PID 2000 wrote to memory of 1528  2000  dvqwjgk.exe                                                           29
  PID 2000 wrote to memory of 1528  2000  dvqwjgk.exe                                                           29
  PID 2000 wrote to memory of 1528  2000  dvqwjgk.exe                                                           29
  PID 2000 wrote to memory of 1528  2000  dvqwjgk.exe                                                           29
  PID 2000 wrote to memory of 1528  2000  dvqwjgk.exe                                                           29
  PID 1528 wrote to memory of 268   1528  dvqwjgk.exe                                                           30
  PID 1528 wrote to memory of 268   1528  dvqwjgk.exe                                                           30
  PID 1528 wrote to memory of 268   1528  dvqwjgk.exe                                                           30
  PID 1528 wrote to memory of 268   1528  dvqwjgk.exe                                                           30
Processes

C:\Users\Admin\AppData\Local\Temp\4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe"
  PID: 2044
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe" C:\Users\Admin\AppData\Local\Temp\vclabid.jr
    PID: 2000
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe"
      PID: 1528
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 520
        PID: 268
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads