Analysis
- max time kernel: 67s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 11/05/2023, 19:12
Static task: static1
Behavioral task: behavioral1
- Sample: Euro Swift Copy·PDF.scr
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Euro Swift Copy·PDF.scr
- Resource: win10v2004-20230220-en
General
- Target: Euro Swift Copy·PDF.scr
- Size: 1.3MB
- MD5: b67a90c8381e471791cc4e5f7e43829f
- SHA1: 7ecac5583356989ae599e6a1a096c791b350e7c7
- SHA256: 6e19455a9618b20fae8404a9b3c9f4f37d2b2cf032faf61d3837b59bf9497666
- SHA512: 04a8f5ca1793c2bc35451ab617416d2b93a8be3471bb73305d359c96b818b2265e702e37425ee2aafee5e3132cd1a01e235df1174bdee23e3a2b1e694be6d555
- SSDEEP: 24576:zCdQy7r3oUV2nJEFQ/S26klFhX1Ar7QemnokIUSSm0U:eXgKF4S2z/XOed
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: kvhujpowkfpycpdf
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: aspnet_compiler.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: aspnet_compiler.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: aspnet_compiler.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wavadjybz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Yqjyegcblwb\\Wavadjybz.exe\"" (process: Euro Swift Copy·PDF.scr)
Suspicious use of SetThreadContext (1 IoC)
- PID 2028 set thread context of 556 (pid 2028, process Euro Swift Copy·PDF.scr, procid_target 36)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
- pid 308: ipconfig.exe
- pid 676: ipconfig.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
- pid 672: powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (pid 2028, Euro Swift Copy·PDF.scr)
- Token: SeDebugPrivilege (pid 672, powershell.exe)
- Token: SeDebugPrivilege (pid 556, aspnet_compiler.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 556: aspnet_compiler.exe
Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, count in brackets)
- PID 2028 wrote to memory of 296 (pid 2028, process Euro Swift Copy·PDF.scr, procid_target 28) [4]
- PID 296 wrote to memory of 308 (pid 296, process cmd.exe, procid_target 30) [4]
- PID 2028 wrote to memory of 672 (pid 2028, process Euro Swift Copy·PDF.scr, procid_target 31) [4]
- PID 2028 wrote to memory of 1560 (pid 2028, process Euro Swift Copy·PDF.scr, procid_target 33) [4]
- PID 1560 wrote to memory of 676 (pid 1560, process cmd.exe, procid_target 35) [4]
- PID 2028 wrote to memory of 556 (pid 2028, process Euro Swift Copy·PDF.scr, procid_target 36) [9]
outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: aspnet_compiler.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: aspnet_compiler.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\Euro Swift Copy·PDF.scr (PID 2028, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Euro Swift Copy·PDF.scr" /S
  Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 296, depth 2, child of 2028)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ipconfig.exe (PID 308, depth 3, child of 296)
      Command line: ipconfig /release
      Signatures: Gathers network information

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 672, depth 2, child of 2028)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
    (the -ENC argument is base64-encoded UTF-16LE for: start-sleep -seconds 45)
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1560, depth 2, child of 2028)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ipconfig.exe (PID 676, depth 3, child of 1560)
      Command line: ipconfig /renew
      Signatures: Gathers network information

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 556, depth 2, child of 2028)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Signatures: Accesses Microsoft Outlook profiles; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; outlook_office_path; outlook_win_path