Analysis
- Max time kernel: 76s
- Max time network: 138s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 12/06/2023, 11:17
Static task: static1
Behavioral task: behavioral1
- Sample: hesaphareketi-01.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: hesaphareketi-01.exe
- Resource: win10v2004-20230221-en
General
- Target: hesaphareketi-01.exe
- Size: 933KB
- MD5: 2093282857be724c339ce27bb5cdc633
- SHA1: 26ffdf9709e6ca7f4ac422597806f842bbeea080
- SHA256: 06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402
- SHA512: f93d6121c20c81667ed476e13df4f8945833be3219ee46a7d72b4c4d59a6cd9453abb298b1f60c92c90a75fdf9d857c9e2c99e43dcb493c69010005bacabcf96
- SSDEEP: 24576:1iOV/NOaXez2URyzwc/787XDSA2ieOwFmBCZhEJB:1iOV/NOas2A+5qXOA2vOAoCZhEJB
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.redseatransportuae.com
- Port: 587
- Username: [email protected]
- Password: method10@10
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: hesaphareketi-01.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: hesaphareketi-01.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: hesaphareketi-01.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: api.ipify.org
  flow 5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  PID 308 (hesaphareketi-01.exe) set thread context of PID 1660 (procid_target 33)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1236: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 308: hesaphareketi-01.exe (10 events)
  PID 1772: powershell.exe
  PID 664: powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 308, hesaphareketi-01.exe
  Token: SeDebugPrivilege, PID 1660, hesaphareketi-01.exe
  Token: SeDebugPrivilege, PID 664, powershell.exe
  Token: SeDebugPrivilege, PID 1772, powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 1660: hesaphareketi-01.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 308 (hesaphareketi-01.exe) wrote to memory of PID 1772 (procid_target 27), 4 events
  PID 308 (hesaphareketi-01.exe) wrote to memory of PID 664 (procid_target 29), 4 events
  PID 308 (hesaphareketi-01.exe) wrote to memory of PID 1236 (procid_target 32), 4 events
  PID 308 (hesaphareketi-01.exe) wrote to memory of PID 1660 (procid_target 33), 9 events
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: hesaphareketi-01.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: hesaphareketi-01.exe)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"
  PID: 308
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"
    PID: 1772
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yCvQvUdcrILv.exe"
    PID: 664
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yCvQvUdcrILv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCED.tmp"
    PID: 1236
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"
    PID: 1660
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 8250f81c24079343820d2ddc6862bb53
  SHA1: d2ba29b242162ee2d1f36d0429211f1c558b0ff4
  SHA256: 3610e9753b528542a50e752e969a6afb7c2e32c38b16b9f38a25e32567726926
  SHA512: 6ae1dbe7ed385a8e5b5968e59d2cb826078612b393ca6d697c0184bcfabfcf0539f92f8f8f6768ef1df1bb8acc7eac00ff1d3102dcd0388d9204a5d1347166cf
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HR3UBRFXBUGK660Y8M7J.temp
  Filesize: 7KB
  MD5: d9945ba36a40286322860680798461be
  SHA1: 50ec8dc4f8417dcda66035a512f07a6b1a4e9330
  SHA256: a225a8c3e5be07ade52137a02e4934440f088cfe2470efce458e196573c477d5
  SHA512: c824ada60e87e4df4e8a401ca6071fc7d0633b2bacaae3650dfefdae8e45526fc29fff21fedc1ae38702a71a64b3a3e4621c34276a04b93cfcb8ab4b9c106971
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: d9945ba36a40286322860680798461be
  SHA1: 50ec8dc4f8417dcda66035a512f07a6b1a4e9330
  SHA256: a225a8c3e5be07ade52137a02e4934440f088cfe2470efce458e196573c477d5
  SHA512: c824ada60e87e4df4e8a401ca6071fc7d0633b2bacaae3650dfefdae8e45526fc29fff21fedc1ae38702a71a64b3a3e4621c34276a04b93cfcb8ab4b9c106971