Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

No. I20220052.exe

windows7-x64

10

No. I20220052.exe

windows10-2004-x64

10

Resubmissions

22/03/2023, 10:18

230322-mbyqgsab6x 10

19/03/2023, 13:12

230319-qfgjjsge22 10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2023, 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    No. I20220052.exe

  • Size

    518KB

  • MD5

    d7bbc6ef7a09d615e3b8c864b83a03f2

  • SHA1

    e5c05e7a380017c40eb766d7029414c4edad264b

  • SHA256

    2f40f6ef3c46c7e7a51531385abc337e60fed2a22d4a604e39c94ac05e95e03b

  • SHA512

    6e2cae2b05d0839bf09716024bfe93ebf95073f9fa3d211e662e36653c47ae96722c50a41ab66250ff2f3d474382116804e685952791c7218d6c0f251e571533

  • SSDEEP

    12288:sPqlMdaMAUQ1wQhHV7MyEqqpeabdcfOYuMAv3npMovIn05dqrlb:sikqTfrE3PbdlY6Ghb

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\No. I20220052.exe
    "C:\Users\Admin\AppData\Local\Temp\No. I20220052.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
      2⤵
        PID:1588
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
        2⤵
          PID:1792
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:1568
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
            2⤵
              PID:944
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
              2⤵
                PID:572
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                2⤵
                  PID:1424
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                  2⤵
                    PID:436
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
                    2⤵
                      PID:1148
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                      2⤵
                      • Accesses Microsoft Outlook profiles
                      • Suspicious use of AdjustPrivilegeToken
                      • outlook_office_path
                      • outlook_win_path
                      PID:1012

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1012-57-0x0000000000400000-0x0000000000430000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/1012-59-0x0000000000400000-0x0000000000430000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/1012-61-0x0000000000400000-0x0000000000430000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/1012-62-0x0000000004850000-0x0000000004890000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/1012-63-0x0000000004850000-0x0000000004890000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/1240-54-0x0000000000F30000-0x0000000000FB6000-memory.dmp

                    Filesize

                    536KB

                    Download

                  • memory/1240-55-0x000000001B2C0000-0x000000001B340000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1240-56-0x0000000000510000-0x000000000057E000-memory.dmp

                    Filesize

                    440KB

                    Download