Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    07/07/2023, 07:28

General

  • Target

    Order.xls

  • Size

    1.1MB

  • MD5

    e61ef35786f8c9fc93775070a5fbeec5

  • SHA1

    8ced2497907895641391537efdc9c9a354892a88

  • SHA256

    9ef7b881397f3ad7d7c7a0b4fa8b4f5d88077df7327fad30a16e8ee633a282b1

  • SHA512

    ca4ed78a94cf732cead859119e2f37ab394d8335911cc3797f23be74ff415d9bf766e139ff7da6e98ca3791b1f62b4a49053f1d980dc6eaeab2291c8873c93c0

  • SSDEEP

    24576:GBlzWw6sIzvo0xfsjcUos+xKYw6s4zAo0xfsjcUos+xKw3dYjIqJPoaTwnx:wN6sI3xfsjdos+xKT6s4Axfsjdos+xKc

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order.xls
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2060
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe
      "C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe
        "C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B29D8C40.emf

    Filesize

    1.4MB

    MD5

    1fcb3f34b5588f6a647a06dff1811bf9

    SHA1

    1f5ef0e6e41c14795decedcefc883ab9000fac9a

    SHA256

    a99e8172248dac0b2a6243d06a862901989857b0c2ecbed5f25ddb0d1a95154e

    SHA512

    47e951583afff444f9adb09beab0d83f9792b46d3e1fabf05d21068218d64b3cba48e2dc22fe0a7bd3252a0e0c8866faa244b5dc3784bd336ecbc9f2924fb2aa

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe

    Filesize

    374KB

    MD5

    261fad7a9f8939250bf2c3c1406f0fe9

    SHA1

    f7b1192b8d59ea40819a4501ec14c6bf4d447988

    SHA256

    ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4

    SHA512

    37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe

    Filesize

    374KB

    MD5

    261fad7a9f8939250bf2c3c1406f0fe9

    SHA1

    f7b1192b8d59ea40819a4501ec14c6bf4d447988

    SHA256

    ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4

    SHA512

    37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe

    Filesize

    374KB

    MD5

    261fad7a9f8939250bf2c3c1406f0fe9

    SHA1

    f7b1192b8d59ea40819a4501ec14c6bf4d447988

    SHA256

    ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4

    SHA512

    37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe

    Filesize

    374KB

    MD5

    261fad7a9f8939250bf2c3c1406f0fe9

    SHA1

    f7b1192b8d59ea40819a4501ec14c6bf4d447988

    SHA256

    ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4

    SHA512

    37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af

  • \Users\Admin\AppData\Local\Temp\IBM_Centoss.exe

    Filesize

    374KB

    MD5

    261fad7a9f8939250bf2c3c1406f0fe9

    SHA1

    f7b1192b8d59ea40819a4501ec14c6bf4d447988

    SHA256

    ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4

    SHA512

    37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af

  • \Users\Admin\AppData\Local\Temp\IBM_Centoss.exe

    Filesize

    374KB

    MD5

    261fad7a9f8939250bf2c3c1406f0fe9

    SHA1

    f7b1192b8d59ea40819a4501ec14c6bf4d447988

    SHA256

    ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4

    SHA512

    37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af

  • \Users\Admin\AppData\Local\Temp\nsz4695.tmp\vfdhf.dll

    Filesize

    255KB

    MD5

    5d24796b9dba9ef36b9af8c9b147e823

    SHA1

    3e960f30a586fef6fa26bc9387aba246321873e5

    SHA256

    49e975c6069e643f38f87dc84e654752c4d13811c8d61d528187471033d6d876

    SHA512

    7ce60939cf8908787d498823538bf00c820ec8a45ef9fa3c6824036016fd8784ed6a4e59345d4817e7b6f6ac3cfa3869433a0a4b0a3408f1f12bfcaaefe0037d

  • memory/2016-78-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2016-81-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2016-82-0x0000000001FE0000-0x0000000002010000-memory.dmp

    Filesize

    192KB

  • memory/2016-84-0x0000000004600000-0x0000000004640000-memory.dmp

    Filesize

    256KB

  • memory/2016-85-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2016-86-0x0000000004600000-0x0000000004640000-memory.dmp

    Filesize

    256KB

  • memory/2016-88-0x0000000004600000-0x0000000004640000-memory.dmp

    Filesize

    256KB

  • memory/2060-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2060-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB