Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 23/08/2023, 13:12
Static task: static1
Behavioral task: behavioral1
- Sample: overdue invoice pdf.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: overdue invoice pdf.exe
- Resource: win10v2004-20230703-en
General
- Target: overdue invoice pdf.exe
- Size: 847KB
- MD5: a3976a8131593cd5f257e1609cba021c
- SHA1: 1e761268105bc1613d697d9941447c3241463029
- SHA256: 0f350d7a72e30d6fa7234e953e127b426ffabb6960446a90a53d6c0dd6392138
- SHA512: d8b5c3b2d39b1fe89a5db1fc273527c163ebac5f2933799cc279b76def0eecd7e3047bb29b0b7c9feb6b6fe92ca8d302e52cd277da08f07f75f1676d0dac75eb
- SSDEEP: 12288:LUVv25w+n42d1mbTzFgaJmv3xnPBtDPLd4o8wTrQ2lIC6swoeXGkDkNMw+gtYaIS:LdcBmvxLLFHIvtXGkDkSwvYmZf
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.vpindustries.co.in
- Port: 587
- Username: [email protected]
- Password: saleS*9988
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\RdYoK = "C:\\Users\\Admin\\AppData\\Roaming\\RdYoK\\RdYoK.exe"
  Process: RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2600 set thread context of 2132
  pid: 2600, Process: overdue invoice pdf.exe, procid_target: 37
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2884, Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 2600, overdue invoice pdf.exe (5 times)
  pid 2984, powershell.exe
  pid 2012, powershell.exe
  pid 2132, RegSvcs.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description: Token: SeDebugPrivilege
  pid 2600, overdue invoice pdf.exe
  pid 2984, powershell.exe
  pid 2012, powershell.exe
  pid 2132, RegSvcs.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  description: PID 2600 (overdue invoice pdf.exe) wrote to memory of:
  - 2984 (procid_target 30), 4 times
  - 2012 (procid_target 32), 4 times
  - 2884 (procid_target 34), 4 times
  - 2700 (procid_target 36), 7 times
  - 2132 (procid_target 37), 12 times
Processes
- C:\Users\Admin\AppData\Local\Temp\overdue invoice pdf.exe (PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\overdue invoice pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2984)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\overdue invoice pdf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2012)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\artlkRu.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2884)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\artlkRu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp14B9.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2700)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2132)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 99733f193fccd8fb39e584269104d6e3
  SHA1: 3264487f6a5e3f0f366170a279e079415dc328ce
  SHA256: 875898d28472f800aed52cb3ab1f4a99ac662cd3e3588c9a951e214d08e50f52
  SHA512: dc2651ec97db4541d477915a415fcfdc10683440e9d69230e9e83965c538494208364de289ff1448e397aae54ca065984535bdec36e8319f45dd67584a138166
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6CAV34SFG2A5KTZ4QXQ8.temp
  Filesize: 7KB
  MD5: 0211855bb477b089f5bb25e44f19839e
  SHA1: 68caf658e74e7d55180c6bb0224d2c670a3cc4f8
  SHA256: 98449db521151fccaa8a6089c738973f2cbe8706f563c5dc2e7ccaace89f2076
  SHA512: 5aea6fcaeec2ac646e63db8dcd0bab1b00703a1cb2f05f847acb4dbd9e46596b4a5db65c54fc8f9dd68db35b3f41b199d837d098331f968ddde855432a83334c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 0211855bb477b089f5bb25e44f19839e
  SHA1: 68caf658e74e7d55180c6bb0224d2c670a3cc4f8
  SHA256: 98449db521151fccaa8a6089c738973f2cbe8706f563c5dc2e7ccaace89f2076
  SHA512: 5aea6fcaeec2ac646e63db8dcd0bab1b00703a1cb2f05f847acb4dbd9e46596b4a5db65c54fc8f9dd68db35b3f41b199d837d098331f968ddde855432a83334c