Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

RFQ#86533-...EL.exe

windows7-x64

10

RFQ#86533-...EL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2023, 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ#86533-UNITECH STEEL.exe

  • Size

    511KB

  • MD5

    24a89977403150a12cc80edfef8cba76

  • SHA1

    2ab1dbaf5a43dbfaed3f9c007f6ba2330674e1a1

  • SHA256

    506b482e8d326b6c5b603061768faa782cd3992f42fd13635405565ff6e438ee

  • SHA512

    83debdfe71aad18b60dae8d2e99bcb5256e4b3cc2aa1ed829078b714c186398d2b5b9cd8b0db138c5ca44bfdb37d7a3a2374f25ade663394ce1d4f958ba2e22b

  • SSDEEP

    6144:yYa6shAp081nNxvOjqKoeKZJL/P7SlRl7EYO886VEqWfWPF61X93:yYS6nvmjqKoeeVOlRlwfT6qfuI1N

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    +O-vH!=DoS8^

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ#86533-UNITECH STEEL.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ#86533-UNITECH STEEL.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe
      "C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe" C:\Users\Admin\AppData\Local\Temp\gicchqvb.gh
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe
        "C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:100

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cvhqvjfdxp.mb
    Filesize

    266KB

    MD5

    4d1b445dd9303bd0de0ad0e0eacd3e86

    SHA1

    622d17dac5471cc10297d8bcf826b67fd811bfd7

    SHA256

    0dab7defef35b06e2ee8f081008b03d4b4aee78768f09fa339f7888a97dc1adc

    SHA512

    aec7646c268c93a4327830ca3180acb0fa197106e9df165afc7016dff458e2092a78eb58a5a800092399f143105e0e41937f87de6183a548612f0d0f2d120a18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gicchqvb.gh
    Filesize

    5KB

    MD5

    6f518f4cf16fe57286db69535be3eec6

    SHA1

    c9d81d8ce5bc3e98691ff20b0be170918d0fccfd

    SHA256

    d4f9edd22ae05a162ad746d52dd0ee2645f5d23484474d0a066154d5a943e3f0

    SHA512

    1fcd036ee693a3432e81271768dacceaafbf9c892c324bf07131897243060d8c39cb6941483dd53bf94bb91bd0c0117459e7fbcaf1a7ef02fc072561ae3d2cab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe
    Filesize

    59KB

    MD5

    0ff97438692fa1c5fe09ecf5dfd6512a

    SHA1

    06c7cae270bfa7e374e086adfad39471569569e4

    SHA256

    b61eb3feaa0a3de53108c94b4c69262ad70e8304b942b4c953427561abdb91b3

    SHA512

    90d659ba0a390a3e35ae35ef4c893182419213cab4a41b9140bca196b7ff49668d55119efd488c7a75c44396e0e17bc63d193dbfd7613e9c9f9a21cb277829e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe
    Filesize

    59KB

    MD5

    0ff97438692fa1c5fe09ecf5dfd6512a

    SHA1

    06c7cae270bfa7e374e086adfad39471569569e4

    SHA256

    b61eb3feaa0a3de53108c94b4c69262ad70e8304b942b4c953427561abdb91b3

    SHA512

    90d659ba0a390a3e35ae35ef4c893182419213cab4a41b9140bca196b7ff49668d55119efd488c7a75c44396e0e17bc63d193dbfd7613e9c9f9a21cb277829e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wbiajhae.exe
    Filesize

    59KB

    MD5

    0ff97438692fa1c5fe09ecf5dfd6512a

    SHA1

    06c7cae270bfa7e374e086adfad39471569569e4

    SHA256

    b61eb3feaa0a3de53108c94b4c69262ad70e8304b942b4c953427561abdb91b3

    SHA512

    90d659ba0a390a3e35ae35ef4c893182419213cab4a41b9140bca196b7ff49668d55119efd488c7a75c44396e0e17bc63d193dbfd7613e9c9f9a21cb277829e0

    Download Submit

  • memory/100-150-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-152-0x00000000052C0000-0x0000000005326000-memory.dmp

    Filesize

    408KB

    Download

  • memory/100-144-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/100-145-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/100-147-0x0000000005980000-0x0000000005F24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/100-148-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/100-149-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-161-0x0000000006DA0000-0x0000000006F62000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/100-151-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-142-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/100-153-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-155-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-154-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-156-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-157-0x00000000053C0000-0x00000000053D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-158-0x0000000006940000-0x00000000069D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/100-159-0x0000000006B40000-0x0000000006B4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/100-160-0x0000000006B80000-0x0000000006BD0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/812-140-0x0000000000720000-0x0000000000722000-memory.dmp

    Filesize

    8KB

    Download