Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

804152064.exe

windows7-x64

10

804152064.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2023, 08:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    804152064.exe

  • Size

    723KB

  • MD5

    331bc06d67e4078e0779a9a0a5d355b5

  • SHA1

    475924a69dee5e4a4ab1a66c944068fa2111db68

  • SHA256

    ad641230d3be8895193642d333ed88e1d6e94c209dfcb6c1932cd6a7f324a82f

  • SHA512

    8e30912ab46b825292955ad70f816a8a12171692272af563181630a4ec0e24de2dbb240c8cfbf666e6233fc9c58858d88de53164dde82a804066c842501c8fee

  • SSDEEP

    12288:sk+J/M+Jhewx/NscEQ+vgXK1HsaPbntTjlFhush1nPTs8HlaxYvR1toDvll2Hvk/:sl/thewlqB6pGjlfusbrs8UYvREblivu

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    triihope931@gmail.com
  • Password:
    iebtzpacgzyullvo
  • Email To:
    triihope931@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\804152064.exe
    "C:\Users\Admin\AppData\Local\Temp\804152064.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yZRXCHBD.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yZRXCHBD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF15.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:648
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
          PID:1268
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          2⤵
            PID:1516
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            2⤵
              PID:736
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              2⤵
              • Accesses Microsoft Outlook profiles
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1420

          Network

          • flag-us
            DNS
            api.ipify.org
            MSBuild.exe
            Remote address:
            8.8.8.8:53
            Request
            api.ipify.org
            IN A
            Response
            api.ipify.org
            IN CNAME
            api4.ipify.org
            api4.ipify.org
            IN A
            104.237.62.211
            api4.ipify.org
            IN A
            64.185.227.155
            api4.ipify.org
            IN A
            173.231.16.76
          • 104.237.62.211:443
            api.ipify.org
            MSBuild.exe
            104 B
             2
          • 8.8.8.8:53
            api.ipify.org
            dns
            MSBuild.exe
            59 B
             126 B
             1
            1

            DNS Request

            api.ipify.org

            DNS Response

            104.237.62.211
            64.185.227.155
            173.231.16.76

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmpAF15.tmp
            Filesize

            1KB

            MD5

            1e2b98360a88b453a9dfca9e7456e75c

            SHA1

            41a28d863b3c4370e49ebb3cb8f3d02768248c83

            SHA256

            cfce83b59d5b375cc9083c5f85ec7461010f558a61fa190d35a1459d9df6d76a

            SHA512

            2fcf76c2ea190f4a91f630ea4e626b30aa67a606fbc24e26d56cfd0f24e2988b32a9b9b8ecea8c63e5875c28cad20470971f9899484ef181c2223d21911740c9

            Download Submit

          • memory/1420-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1420-75-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1420-80-0x0000000002230000-0x0000000002270000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1420-78-0x0000000002230000-0x0000000002270000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1420-77-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1420-71-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1420-73-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1420-68-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1420-69-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1420-70-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1732-56-0x00000000002B0000-0x00000000002C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1732-54-0x00000000008B0000-0x000000000096A000-memory.dmp

            Filesize

            744KB

            Download

          • memory/1732-65-0x00000000020D0000-0x0000000002102000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1732-55-0x0000000004B40000-0x0000000004B80000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1732-59-0x0000000005F80000-0x0000000005FEA000-memory.dmp

            Filesize

            424KB

            Download

          • memory/1732-58-0x00000000003C0000-0x00000000003CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1732-57-0x0000000004B40000-0x0000000004B80000-memory.dmp

            Filesize

            256KB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.