Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
99s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
-
submitted
05/07/2023, 01:11
General
-
Target
4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx
-
Size
10KB
-
MD5
75b5fb86bd2cc8fc41d253b5b90a767f
-
SHA1
4370d24b51f5689172afe913527f76b276e5c0cc
-
SHA256
4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4
-
SHA512
6035561fa54da886b06331e8c53be563c1d16423c515b13141c3ed03ebad443fe613a6d0c68b7009a3cc49e0a987c4f3e1ae4d1330538e3b00867de7fec95a84
-
SSDEEP
192:Rya0N09FtWvARgZVPCK44AG9xXSJ+Ej7vJYtKwuKovDWYZcWe5F9u6:RyX09FtWvANK4499xXSJf7vJYtG6YZOT
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
tgpirxryibfagkfs - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx"1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obinier457846.exe"C:\Users\Admin\AppData\Roaming\obinier457846.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obinier457846.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\obinier457846.exe"C:\Users\Admin\AppData\Roaming\obinier457846.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\obinier457846.exe"C:\Users\Admin\AppData\Roaming\obinier457846.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD54cbd2d9ee8687e4d97e9e9331384a6b3
SHA12d0de682113873c4f6cfa9affe48722dbd2391a1
SHA25602e2db970994576f5bbd6ad0c099582f5c72d40dd6828b444c48b0ded0e738e5
SHA51272e88fb94ae5c92546e48db9782a7e4e31a0c95679616078c4d7404afdfa5af1bf55f3bf97a785fb3be034a9806b3e8c2d2deb1cc459f37cc7c190b5f7679669
-
Filesize
128KB
MD52b97e0d31a403c4200ed4fe65ef99833
SHA16294ef16482b9bdb8c86098a2031881c6e238051
SHA256c6791ac874733bbedc989f64a9e56873cd76d650e72a48d7a42e6167435355b5
SHA5123d3e84cce279410730dc0fee0f103ab06abf40b5c8db56bede99febdaf18c07d79bcbb6b03bd7c29fa18b358ffd88f126d0994f25472ee521a426f16906dcf41
-
Filesize
128KB
MD5c8b4beb207aa03eec59ff65c342810f4
SHA1c52820bd1f7ab956223a7029c78d0ff1ce0dddfb
SHA256943750a7396f42f75a4df1b491a4c1ea655a525cccc07a856cf1068e83375380
SHA5121294863315aa835fd1f7e9ae643790ca42ca09dd4e1692c3bcdbb36db20e13aace177b7e40ee35cf6c10b4e42040cb6d48fa8620f37c666d1f5424a6cd323124
-
Filesize
27KB
MD54ba517cee0b4e4c77e6178a1f77d862b
SHA11b5bb3efa1bb347352dc7bceae7bb55b0819eb91
SHA256741f2c4f961034604f560c89ada5369e772eac51def7ebd6b4ac7840f8d0562e
SHA512bf57232240e62a7957bb8081ad5355a392cdc6133766947e566614340b8ae96d2bc8ad6c38e2024a9096eb63ca491b8bb51dce8d76451e273c0a92dd0eb2f609
-
Filesize
128KB
MD537db371d13b5a78081e066bae7b11a9a
SHA16066fde0f5219450c53b6b1dc098539efe314974
SHA2564e3dd0a05a0ce54e8ae2d0a10d4048c7af00a352c95be1a9107227a3739a5077
SHA512d9b5ea61b5a61607e8ad8a0c7d0d52e2ca68f64d21e0ee7991a75b4775e8e0339fe570e5057e3d56c8ce32060d529220589d29d7d061b977f937923c673537a8
-
Filesize
57B
MD5e703f2159cad75a31759b2a55359281f
SHA141b6e0e9c8896aa7c934b9765300c6c65d2ecd59
SHA256db330a6567ad0ff2cf0396dfbbe973369f16a07a155ca6c8a2187afb7104d9ee
SHA512e0541fbf81cddc199d2111487d018ebae5f3dd291cdb765b0fe18e35b0f3f7846717bca15c71531d889ce041505fdb8e37df903ca993610b791c73ac4204eec7
-
Filesize
20KB
MD5a082c193e56600b7fc368b70d2cc1684
SHA1d16b11b36fec89063549f5c9b71c68b7497b6685
SHA256c0246ad46db9835f59b3e743c5ace993b85dc809122bada4a9b9d15e7e405186
SHA512049bd6c3b034a188f33e40ce5171b43e9c6efbc581af9ee308450514c491b2fa6383e701dac1730d4cdc8417dfbaae7ae0747c94bf378a3df9eb769afeb7381d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
706KB
MD5c1095a10913a5b0bf7952a253fc80d59
SHA1cef63c5a0e9a3f82524b9d7a7c04592e2eaf0a0b
SHA2567fa82e801a137ca5986e6d7544be241063e9bb46c5b03398b84a6a75acc52f1c
SHA512dccdc197d03268809d7827725af05584277bdbd3df5e37a264bdc50e1250709d9f7a991a453f29154db43c7c59a409a80dac231351bb1b94693d3bc70cc3856f
-
Filesize
706KB
MD5c1095a10913a5b0bf7952a253fc80d59
SHA1cef63c5a0e9a3f82524b9d7a7c04592e2eaf0a0b
SHA2567fa82e801a137ca5986e6d7544be241063e9bb46c5b03398b84a6a75acc52f1c
SHA512dccdc197d03268809d7827725af05584277bdbd3df5e37a264bdc50e1250709d9f7a991a453f29154db43c7c59a409a80dac231351bb1b94693d3bc70cc3856f
-
Filesize
706KB
MD5c1095a10913a5b0bf7952a253fc80d59
SHA1cef63c5a0e9a3f82524b9d7a7c04592e2eaf0a0b
SHA2567fa82e801a137ca5986e6d7544be241063e9bb46c5b03398b84a6a75acc52f1c
SHA512dccdc197d03268809d7827725af05584277bdbd3df5e37a264bdc50e1250709d9f7a991a453f29154db43c7c59a409a80dac231351bb1b94693d3bc70cc3856f
-
Filesize
706KB
MD5c1095a10913a5b0bf7952a253fc80d59
SHA1cef63c5a0e9a3f82524b9d7a7c04592e2eaf0a0b
SHA2567fa82e801a137ca5986e6d7544be241063e9bb46c5b03398b84a6a75acc52f1c
SHA512dccdc197d03268809d7827725af05584277bdbd3df5e37a264bdc50e1250709d9f7a991a453f29154db43c7c59a409a80dac231351bb1b94693d3bc70cc3856f
-
Filesize
706KB
MD5c1095a10913a5b0bf7952a253fc80d59
SHA1cef63c5a0e9a3f82524b9d7a7c04592e2eaf0a0b
SHA2567fa82e801a137ca5986e6d7544be241063e9bb46c5b03398b84a6a75acc52f1c
SHA512dccdc197d03268809d7827725af05584277bdbd3df5e37a264bdc50e1250709d9f7a991a453f29154db43c7c59a409a80dac231351bb1b94693d3bc70cc3856f
-
Filesize
706KB
MD5c1095a10913a5b0bf7952a253fc80d59
SHA1cef63c5a0e9a3f82524b9d7a7c04592e2eaf0a0b
SHA2567fa82e801a137ca5986e6d7544be241063e9bb46c5b03398b84a6a75acc52f1c
SHA512dccdc197d03268809d7827725af05584277bdbd3df5e37a264bdc50e1250709d9f7a991a453f29154db43c7c59a409a80dac231351bb1b94693d3bc70cc3856f
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
256KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
256KB
-
Filesize
192KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
728KB
-
Filesize
256KB
-
Filesize
424KB