Analysis
max time kernel: 109s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2023, 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
  Resource: win10v2004-20230220-en
General
Target: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
Size: 320KB
MD5: c50d0e6336b2a71bebcf898513c337a7
SHA1: 209a96f4252de81b40ada8137373f96e51acd897
SHA256: 4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c
SHA512: c13d1582f7773191a1ce599da7ca453f2ef7d4cb651edbbd9bb69b102165b91bbabf92cb57e01fbbca33a8a25e821d80938e3debdff29b526781b587dd2628b2
SSDEEP: 6144:vYa6CRBAqdiNnbGL0cIizDZEzAapf3iNQUoNEr6Z2HW9HcWZR:vYkRyrnbe0czvWzAi3iaN1f8OR
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload (4 IoCs)
resource                                                                     yara_rule
behavioral2/memory/548-142-0x0000000000400000-0x000000000044E000-memory.dmp  family_agenttesla
behavioral2/memory/548-144-0x0000000000400000-0x000000000044E000-memory.dmp  family_agenttesla
behavioral2/memory/548-146-0x0000000000400000-0x000000000044E000-memory.dmp  family_agenttesla
behavioral2/memory/548-147-0x0000000000400000-0x000000000044E000-memory.dmp  family_agenttesla

Executes dropped EXE (2 IoCs)
pid   Process
3768  dvqwjgk.exe
548   dvqwjgk.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description  ioc  Process
Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  dvqwjgk.exe
Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  dvqwjgk.exe
Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  dvqwjgk.exe

Suspicious use of SetThreadContext (1 IoCs)
description                         pid   Process      procid_target
PID 3768 set thread context of 548  3768  dvqwjgk.exe  86

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
548  dvqwjgk.exe
548  dvqwjgk.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid   Process
3768  dvqwjgk.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid  Process
Token: SeDebugPrivilege  548  dvqwjgk.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                                                                   procid_target
PID 380 wrote to memory of 3768   380   4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  85
PID 380 wrote to memory of 3768   380   4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  85
PID 380 wrote to memory of 3768   380   4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe  85
PID 3768 wrote to memory of 548   3768  dvqwjgk.exe                                                               86
PID 3768 wrote to memory of 548   3768  dvqwjgk.exe                                                               86
PID 3768 wrote to memory of 548   3768  dvqwjgk.exe                                                               86
PID 3768 wrote to memory of 548   3768  dvqwjgk.exe                                                               86

outlook_office_path (1 IoCs)
description  ioc  Process
Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  dvqwjgk.exe

outlook_win_path (1 IoCs)
description  ioc  Process
Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  dvqwjgk.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe"
   PID: 380
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe" C:\Users\Admin\AppData\Local\Temp\vclabid.jr
      PID: 3768
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe"
         PID: 548
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 53KB
MD5: f0b303f0c99dddfef157a249cd995402
SHA1: a25ffaeafba7d7a05700cf758c53bb8e22cb1807
SHA256: e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc
SHA512: c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec
Filesize: 314KB
MD5: 21155fd7bc83a871bca64e88240bb56d
SHA1: 30a25c370289d88be23b18a0c923fef1affac3a6
SHA256: c12bea3eedbee6372bbce59d77cac83eed4b73e4fbc226c76eddbdc9c960e624
SHA512: 6f0c1baf8572be8206ed9d8d3d5fdef8730291551101a35bacf50ca9ad31271bfd1ea8d9b7c5bde8508e150eb8c14adfb57c876afb50afb3f79115bb208f44ee

Filesize: 5KB
MD5: 78f090f09575e547327e1808ffe67ce9
SHA1: 6bee03daf2d617e4bc1a4aa994e4cf65ce41975d
SHA256: 14b0105745596469c85e789c350b172e401342ff21079d155ab38e804a736a8e
SHA512: a76d139ce3ce984e0f2249570cedc0a7173e4080563e8d99f9b1d01150c4c2400546bd17cea145776f85a0312bc473efd5b7c2a754802c8b301c78a59b9b2022