Resubmissions
- 31/05/2023, 06:31 - 230531-g974xsdf9t - score 10

Analysis
- max time kernel: 75s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31/05/2023, 06:31
Tasks
- Static task: static1
- Behavioral task: behavioral1 - Sample: 02035499.exe - Resource: win7-20230220-en
- Behavioral task: behavioral2 - Sample: 02035499.exe - Resource: win10v2004-20230220-en
General
- Target: 02035499.exe
- Size: 815KB
- MD5: ea4a5870ea5b2417a6ac0bbc7cc44be3
- SHA1: 5e605904d1b0c797aac2b798319bb0c145a1b646
- SHA256: 202494911805344069ceb189e70db6f89e17f55febe24dc4f42b3736c5b457a4
- SHA512: a96149dbfbce51b12c135428eefb05fa686d6fbf30e997c5e80ed3ae5f4f40bfb029aaf120ac43fbdb639ef876a6f20a32c5d904767349d4eedb62a29b4111d9
- SSDEEP: 12288:zAMTihh6xhZ6OrlZKZXzlKwkHaG0M+NHG12wQ0l2qaMMJfiRoCJqJ7gwJBT3qrb+:0MUgh8ylZKhRC5J2Qle9JKRFJZw
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: marcellinus360
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: api.ipify.org
- flow 5: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
- PID 1848 (02035499.exe) set thread context of PID 1488 (target process id 30)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 508: schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1980: powershell.exe
- PID 1488: RegSvcs.exe
- PID 1488: RegSvcs.exe
- PID 1488: RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege - PID 1488 (RegSvcs.exe)
- Token: SeDebugPrivilege - PID 1980 (powershell.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1488: RegSvcs.exe
Suspicious use of WriteProcessMemory (20 IoCs)
All 20 entries have PID 1848 (02035499.exe) as the writing process; they cover three child processes:
- PID 1848 (02035499.exe) wrote to memory of PID 1980 (target process id 26): 4 entries
- PID 1848 (02035499.exe) wrote to memory of PID 508 (target process id 28): 4 entries
- PID 1848 (02035499.exe) wrote to memory of PID 1488 (target process id 30): 12 entries
outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\02035499.exe (PID 1848, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02035499.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1980, depth 2, child of 1848)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jibLAybKs.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 508, depth 2, child of 1848)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jibLAybKs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67C9.tmp"
    Signatures:
    - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1488, depth 2, child of 1848)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
- MD5: 753f89f555ff6b75accf29f222c8edd5
- SHA1: 0214ad948620c3cbed5d66a1c87cc6a2f5b6f83f
- SHA256: f9e5d57af4190e02a1ae684f8a57744a6cc8af1a0fb6cf89e4a1661606147b9a
- SHA512: 41b0fc34ce5d23fbdaffac75a3c8de1122982eec3decce4150f41790d58d66f5134cf423bcda250b0e47c7424366a4f1aa8c5a555f2a6870d89ba3ab49f2c91b