Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

p004575839574947.exe

windows7-x64

10

p004575839574947.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2023, 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    p004575839574947.exe

  • Size

    1.1MB

  • MD5

    f90d87222db82285ce87a988b372524a

  • SHA1

    b4a571be12134d9ff6c91fc8fc46b8f53ba3d176

  • SHA256

    53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43

  • SHA512

    299c35d9c16ce2479b104787d04f50f644db735f540a148d07cef32a78f01343d15b9c7610ebd88482eec76e600c80f4b33152228d4af69cf43c29aa72a4e116

  • SSDEEP

    12288:00ZeZOUnaKuQdJFUbDLYqid+3eo9geDCknIfblyi7uDvOI8fpXVNLhc5LiJMUZCp:9KgoYi3ImgiSs/1cNQz9oG

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe
    "C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      2⤵
        PID:2788
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
        2⤵
          PID:4044
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
          2⤵
            PID:4928
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
            2⤵
              PID:4800
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
              2⤵
                PID:4912
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
                2⤵
                  PID:4420
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
                  2⤵
                    PID:1312
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
                    2⤵
                      PID:4440
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                      2⤵
                        PID:3768
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                        2⤵
                          PID:1684
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
                          2⤵
                            PID:1028
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                            2⤵
                              PID:3576
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                              2⤵
                                PID:2308
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                                2⤵
                                  PID:4456
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • Accesses Microsoft Outlook profiles
                                  • Suspicious use of AdjustPrivilegeToken
                                  • outlook_office_path
                                  • outlook_win_path
                                  PID:1480

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/1480-135-0x0000000000400000-0x0000000000430000-memory.dmp

                                Filesize

                                192KB

                                Download

                              • memory/1480-137-0x0000000005970000-0x0000000005F14000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/1480-138-0x0000000005310000-0x0000000005320000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/1480-139-0x0000000005320000-0x0000000005386000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/1480-140-0x0000000006440000-0x00000000064D2000-memory.dmp

                                Filesize

                                584KB

                                Download

                              • memory/1480-141-0x0000000006420000-0x000000000642A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/1480-142-0x0000000006640000-0x0000000006690000-memory.dmp

                                Filesize

                                320KB

                                Download

                              • memory/1480-143-0x0000000006860000-0x0000000006A22000-memory.dmp

                                Filesize

                                1.8MB

                                Download

                              • memory/1480-144-0x0000000005310000-0x0000000005320000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4632-133-0x0000018C913A0000-0x0000018C914C6000-memory.dmp

                                Filesize

                                1.1MB

                                Download

                              • memory/4632-134-0x0000018C930A0000-0x0000018C930B0000-memory.dmp

                                Filesize

                                64KB

                                Download