Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2023, 14:12
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20230703-en
General
Target: file.exe
Size: 87KB
MD5: 51594d6b7e82c4971ded4889197cc587
SHA1: f5271aa81fdd5fdad6c385b691788bb66bc576eb
SHA256: b2e3994ebb72e0dccce7114c073f2917889fa09a3036d21a0f7a8b715ea77a8d
SHA512: e22cca36abd573cdd3cab9a94def51a38be75b412b2d0b093c9312f7d45912f3c8645c386be218404715810fbfc65291f0b2d8fec34751e11667e8c0ebd88368
SSDEEP: 1536:IkS07t1MVRZo4lgQ4Bj4ozyXt3sydyc4F9nY++cq7EQQ9dcfS95ct4KY6lLiHnJH:5SY8Vi23tmFpJq7OcS95c7leHR
Malware Config
Extracted
Family: agenttesla
C2 (Telegram Bot API endpoint): https://api.telegram.org/bot6381763542:AAGPjs0vqAwhS1NRGwd5klpiWT8aP65rMm4/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).
-
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wyppn.vbs (by file.exe)
A script in the per-user Startup folder runs at every logon of that user, so this is the sample's persistence mechanism.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, and infostealers often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Keys opened by file.exe:
  \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 64: api.ipify.org
  flow 65: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
PID 2304 (file.exe) set the thread context of PID 1888 (file.exe, procid_target 97).
Taken together with the eight WriteProcessMemory calls from 2304 into 1888 recorded below, this is the process-hollowing (RunPE-style) pattern: the first instance launches a second copy of itself, overwrites that copy's memory with the real payload, and redirects its thread to it. Consistent with that, the Outlook profile reads, process enumeration and api.ipify.org lookups are all attributed to the child, PID 1888, not to the original process.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1888 (file.exe), twice
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2304 (file.exe)
  Token: SeDebugPrivilege, PID 1888 (file.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1888 (file.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2304 (file.exe) wrote to the memory of PID 1888 (procid_target 97), 8 times
outlook_office_path (1 IoC)
  Key opened by file.exe: \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
  Key opened by file.exe: \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2304)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1888)
      command line: C:\Users\Admin\AppData\Local\Temp\file.exe
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
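The behaviours this report records (a script dropped into the Startup folder, Outlook profile key reads, an api.ipify.org lookup, and a parent writing into then redirecting the thread of a same-image child) can be turned into detection logic. The following is an added example, not code from the tria.ge report or from the sample. The event shape it consumes (`type`, `pid`, `image`, plus `path`/`key`/`query`/`target_pid`/`target_image` per event type) is an assumed Sysmon/EDR-like format chosen for illustration; the indicator values are taken from the report above, the events themselves are constructed, and the IP-echo hosts other than api.ipify.org are additions, not observations from this run.

```python
"""Detection logic for the behaviours recorded in this report (added example).

The event dict shape is assumed for illustration, not tria.ge's schema.
"""
import re
from collections import defaultdict

# 1. Persistence: any script dropped into the per-user Startup folder.
STARTUP_SCRIPT_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    r"[^\\]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)$", re.I)

# 2. Credential theft: Outlook profile roots (Office 15.0/16.0 and the legacy
#    "Windows Messaging Subsystem" path), matching the report's registry IoCs.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook|"
    r"Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\", re.I)

# 3. Victim fingerprinting: api.ipify.org is what the sandbox saw; the other
#    hosts are common IP-echo services added here as an assumption.
IP_ECHO_HOSTS = {"api.ipify.org", "ipify.org", "checkip.dyndns.org",
                 "icanhazip.com", "ip-api.com", "ipinfo.io"}

# Telegram Bot API URL: the path segment after "bot" is "<bot_id>:<token>".
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/")


def parse_telegram_exfil(url):
    """Return (bot_id, token) from a Telegram Bot API exfiltration URL, else None."""
    m = TELEGRAM_BOT_RE.match(url)
    return (m.group(1), m.group(2)) if m else None


def analyze(events):
    """Return {finding_name: [details, ...]} for the behaviours found in events."""
    findings = defaultdict(list)
    writes = defaultdict(int)  # (writer_pid, target_pid) -> WriteProcessMemory count
    for e in events:
        kind = e["type"]
        if kind == "file_create" and STARTUP_SCRIPT_RE.search(e["path"]):
            findings["startup_script_drop"].append(e["path"])
        elif kind == "reg_open" and OUTLOOK_PROFILE_RE.search(e["key"]):
            findings["outlook_profile_access"].append(e["key"])
        elif kind == "dns_query" and e["query"].lower() in IP_ECHO_HOSTS:
            findings["external_ip_lookup"].append(e["query"])
        elif kind == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif kind == "set_thread_context":
            key = (e["pid"], e["target_pid"])
            # 4. Injection: fire only when this process already wrote into the
            #    target AND the target runs the same image (WriteProcessMemory +
            #    SetThreadContext on a child copy of itself: hollowing / RunPE).
            #    A thread redirect with no prior writes, or into a different
            #    image, does not match.
            if writes[key] and e["target_image"].lower() == e["image"].lower():
                findings["self_injection"].append(
                    {"parent": e["pid"], "child": e["target_pid"], "writes": writes[key]})
    return dict(findings)


# --- constructed telemetry mirroring the report's IoCs (not real captured events) ---
FILE = r"C:\Users\Admin\AppData\Local\Temp\file.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"  # benign control, assumed path
HKU = r"\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000"
PROFILE = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
REPORT_C2 = "https://api.telegram.org/bot6381763542:AAGPjs0vqAwhS1NRGwd5klpiWT8aP65rMm4/"

SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 2304, "image": FILE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wyppn.vbs"},
    *[{"type": "write_process_memory", "pid": 2304, "image": FILE,
       "target_pid": 1888, "target_image": FILE} for _ in range(8)],
    {"type": "set_thread_context", "pid": 2304, "image": FILE,
     "target_pid": 1888, "target_image": FILE},
    {"type": "reg_open", "pid": 1888, "image": FILE,
     "key": HKU + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE},
    {"type": "reg_open", "pid": 1888, "image": FILE,
     "key": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" + PROFILE},
    {"type": "dns_query", "pid": 1888, "image": FILE, "query": "api.ipify.org"},
    # Benign controls that must not fire: an Outlook key outside Profiles, an ordinary lookup.
    {"type": "reg_open", "pid": 4000, "image": OUTLOOK,
     "key": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Options"},
    {"type": "dns_query", "pid": 4000, "image": OUTLOOK, "query": "outlook.office365.com"},
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
    print("telegram bot:", parse_telegram_exfil(REPORT_C2))
```

The injection rule is the one that needs the richest telemetry: Sysmon has no event for SetThreadContext, so rule 4 as written assumes an EDR, ETW or sandbox API trace. With Sysmon alone the nearest substitute is Event ID 10 (ProcessAccess) from a parent to a child of the same image with a GrantedAccess mask that includes PROCESS_VM_WRITE, which is weaker but still catches the parent-to-child write that precedes the redirect.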
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: a13312e452bb67b8b110b6d7fbc6cf6f
SHA1: 057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50
SHA256: d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b
SHA512: 1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0