Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
61s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
26/05/2023, 18:09
Static task
static1
Behavioral task
behavioral1
Sample
PO451033201.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO451033201.exe
Resource
win10v2004-20230220-en
General
-
Target
PO451033201.exe
-
Size
682KB
-
MD5
b8fcfd276053dd90813c19413a9710f8
-
SHA1
056da263b91468fbb92ca4fe65df474d01ee5725
-
SHA256
577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56
-
SHA512
ef997362df0697f700d96cdceab857417e06f1b5547260d55893ac5545a736356b123b9eff45eccec1a5cdb1488a47a1e606f79c4f41cd3d28621f2a4c5eb190
-
SSDEEP
12288:nK37z5GoJiGaq5auy+mHDgZSq/TAWzFJqJugzzjQyENH6N:q5GoR5aj+mHUZSq/NYvOgN
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6277498666:AAH4URlmeSysUKKZG20OTvrve55BRMLEu_o/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO451033201.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO451033201.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO451033201.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2040 set thread context of 868 2040 PO451033201.exe 28 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 868 PO451033201.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 PID 2040 wrote to memory of 868 2040 PO451033201.exe 28 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO451033201.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO451033201.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO451033201.exe"C:\Users\Admin\AppData\Local\Temp\PO451033201.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\PO451033201.exe"C:\Users\Admin\AppData\Local\Temp\PO451033201.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:868
-