Analysis
- max time kernel: 140s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 07/07/2023, 07:28
Static task
- static1
Behavioral task
- behavioral1: sample Order.xls, resource win7-20230703-en
Behavioral task
- behavioral2: sample Order.xls, resource win10v2004-20230703-en
General
- Target: Order.xls
- Size: 1.1MB
- MD5: e61ef35786f8c9fc93775070a5fbeec5
- SHA1: 8ced2497907895641391537efdc9c9a354892a88
- SHA256: 9ef7b881397f3ad7d7c7a0b4fa8b4f5d88077df7327fad30a16e8ee633a282b1
- SHA512: ca4ed78a94cf732cead859119e2f37ab394d8335911cc3797f23be74ff415d9bf766e139ff7da6e98ca3791b1f62b4a49053f1d980dc6eaeab2291c8873c93c0
- SSDEEP: 24576:GBlzWw6sIzvo0xfsjcUos+xKYw6s4zAo0xfsjcUos+xKw3dYjIqJPoaTwnx:wN6sI3xfsjdos+xKT6s4Axfsjdos+xKc
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (1 IoC)
  flow 3, pid 1320, Process EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 1140, Process IBM_Centoss.exe
  pid 2016, Process IBM_Centoss.exe
- Loads dropped DLL (3 IoCs)
  pid 1320, Process EQNEDT32.EXE
  pid 1140, Process IBM_Centoss.exe
  pid 1140, Process IBM_Centoss.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (IBM_Centoss.exe)
  Key opened \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (IBM_Centoss.exe)
  Key opened \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (IBM_Centoss.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\sOFvE = "C:\\Users\\Admin\\AppData\\Roaming\\sOFvE\\sOFvE.exe" (IBM_Centoss.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4, ioc api.ipify.org
  flow 5, ioc api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 1140 set thread context of 2016 (IBM_Centoss.exe, procid_target 32)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid 1320, Process EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2060, Process EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2016, Process IBM_Centoss.exe (2 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1140, Process IBM_Centoss.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2016, Process IBM_Centoss.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2060, Process EXCEL.EXE (3 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1320 wrote to memory of 1140 (EQNEDT32.EXE, procid_target 31) (4 identical entries)
  PID 1140 wrote to memory of 2016 (IBM_Centoss.exe, procid_target 32) (5 identical entries)
- outlook_office_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (IBM_Centoss.exe)
- outlook_win_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (IBM_Centoss.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2060, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order.xls
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1320, depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe (PID 1140, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe (PID 2016, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IBM_Centoss.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.4MB
  MD5: 1fcb3f34b5588f6a647a06dff1811bf9
  SHA1: 1f5ef0e6e41c14795decedcefc883ab9000fac9a
  SHA256: a99e8172248dac0b2a6243d06a862901989857b0c2ecbed5f25ddb0d1a95154e
  SHA512: 47e951583afff444f9adb09beab0d83f9792b46d3e1fabf05d21068218d64b3cba48e2dc22fe0a7bd3252a0e0c8866faa244b5dc3784bd336ecbc9f2924fb2aa
- Filesize: 374KB
  MD5: 261fad7a9f8939250bf2c3c1406f0fe9
  SHA1: f7b1192b8d59ea40819a4501ec14c6bf4d447988
  SHA256: ea05e4097011864ccb2556f12a4be7568129a8a456975c696aea0cfbc7372cf4
  SHA512: 37c01f94f37203f4ce53dd4a4dcf0ffcddd686cae88cccbbe473f77678fd99cc3fa10b62ce33af35892fab87f99939f90768964d914b879ecf80ab055b6b06af
- Filesize: 255KB
  MD5: 5d24796b9dba9ef36b9af8c9b147e823
  SHA1: 3e960f30a586fef6fa26bc9387aba246321873e5
  SHA256: 49e975c6069e643f38f87dc84e654752c4d13811c8d61d528187471033d6d876
  SHA512: 7ce60939cf8908787d498823538bf00c820ec8a45ef9fa3c6824036016fd8784ed6a4e59345d4817e7b6f6ac3cfa3869433a0a4b0a3408f1f12bfcaaefe0037d