Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2023, 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER-2023712_List.pdf.js
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: ORDER-2023712_List.pdf.js
- Resource: win10v2004-20230703-en
General
- Target: ORDER-2023712_List.pdf.js
- Size: 7KB
- MD5: 5a38171c53f1cab430fc10189ee816ba
- SHA1: f5338253970c420bf79762a24baf9826428e4b05
- SHA256: 33bedb6621680b9442108ef0b9a191b75ea758aa4561e7c3f51c98c267b9453e
- SHA512: 2d2313c0e82f26c1f3ba9d5449cfaeec52c0c6e7b21171ab62fc41a638cac0af603ecf21e1c059775e7392e032b8f4ef03dc8160a7c25244b814a19e6cbb32a1
- SSDEEP: 192:gzl7EclLWXtZ1C49sUbo7SXAw7Eyf1GDeN2vbat7Wqm+:g0h
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: pifgweijlylkellk
- Email To: [email protected]
Extracted: wshrat
- http://chongmei33.publicvm.com:7045
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
WSHRAT payload (2 IoCs)
- resource: behavioral2/files/0x00070000000231ee-143.dat, yara_rule: family_wshrat
- resource: behavioral2/files/0x00090000000231f0-144.dat, yara_rule: family_wshrat
Blocklisted process makes network request (30 IoCs)
- pid 4920 wscript.exe: flows 5, 9, 11
- pid 1792 WScript.exe: flows 30, 32, 35, 42, 43, 44, 54, 55, 56, 57, 58, 61, 64, 69, 70, 71, 75, 76, 77, 90, 91, 92, 93, 94, 95, 96, 101
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGFGYE.vbs (WScript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGFGYE.vbs (WScript.exe)
Executes dropped EXE (1 IoCs)
- pid 4268 Tempwinlogon.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\software\microsoft\windows\currentversion\run (WScript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGFGYE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TGFGYE.vbs\"" (WScript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (WScript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGFGYE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TGFGYE.vbs\"" (WScript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" (Tempwinlogon.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 29: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings (WScript.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 4268 Tempwinlogon.exe
- pid 4268 Tempwinlogon.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, pid 4268 Tempwinlogon.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
- pid 4268 Tempwinlogon.exe
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 4920 wrote to memory of 1792: 4920 wscript.exe, procid_target 86
- PID 4920 wrote to memory of 1792: 4920 wscript.exe, procid_target 86
- PID 1792 wrote to memory of 4124: 1792 WScript.exe, procid_target 89
- PID 1792 wrote to memory of 4124: 1792 WScript.exe, procid_target 89
- PID 4124 wrote to memory of 4268: 4124 WScript.exe, procid_target 92
- PID 4124 wrote to memory of 4268: 4124 WScript.exe, procid_target 92
- PID 4124 wrote to memory of 4268: 4124 WScript.exe, procid_target 92
outlook_office_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
outlook_win_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-2023712_List.pdf.js
   PID: 4920
   - Blocklisted process makes network request
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGFGYE.vbs"
      PID: 1792
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
         PID: 4124
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Tempwinlogon.exe
            Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
            PID: 4268
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads