Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

controvoke2.1.exe

windows7-x64

10

controvoke2.1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    28/08/2023, 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    controvoke2.1.exe

  • Size

    411KB

  • MD5

    3c235c238a38a7dc10d78f0ba080587f

  • SHA1

    c3793be872f2621f25aa858391657967a749eed2

  • SHA256

    11e6f0a94e14abfea4bdbde34de5d22b2428775f23a5ecf32c0382d9b4e23e0f

  • SHA512

    180ac1fb17e1909041897bed7ca9301c2a4b75a251be815b6ff215e05a37aee85685fbc8b59552f956fd97a9f25ab658a4584f777b26f72caa3291c79e340959

  • SSDEEP

    12288:2YdrUBonHv0ExODZoyXqqT4yX8TpiImGVeBsg:2YFUo/xmZMbMWVlg

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\controvoke2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\controvoke2.1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
      "C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
        "C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pptve.eqc
    Filesize

    336KB

    MD5

    9eb099e5c928e2be363652590e021ad1

    SHA1

    36d6add7395bc509737ae10a0d0ae1b9e33eaf71

    SHA256

    fc5242d4904704be57768e996fe494ace2aa6d933138f5acf6841a36f429504d

    SHA512

    3ba00ce003a70a6c31ebdd6da73886a09e72cea2b2d3bde7d8280f714ff0103c90eaecbf0251c2f42532ae7065c92f766f4776f60e8037c3117bd3765a6318d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
    Filesize

    180KB

    MD5

    94b2ea1a3022b923e5af0eb721b41f83

    SHA1

    babcaa8f79d14fda035808a372101d6a3d370789

    SHA256

    ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

    SHA512

    16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
    Filesize

    180KB

    MD5

    94b2ea1a3022b923e5af0eb721b41f83

    SHA1

    babcaa8f79d14fda035808a372101d6a3d370789

    SHA256

    ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

    SHA512

    16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
    Filesize

    180KB

    MD5

    94b2ea1a3022b923e5af0eb721b41f83

    SHA1

    babcaa8f79d14fda035808a372101d6a3d370789

    SHA256

    ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

    SHA512

    16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\zuwafjld.exe
    Filesize

    180KB

    MD5

    94b2ea1a3022b923e5af0eb721b41f83

    SHA1

    babcaa8f79d14fda035808a372101d6a3d370789

    SHA256

    ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

    SHA512

    16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\zuwafjld.exe
    Filesize

    180KB

    MD5

    94b2ea1a3022b923e5af0eb721b41f83

    SHA1

    babcaa8f79d14fda035808a372101d6a3d370789

    SHA256

    ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

    SHA512

    16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

    Download Submit

  • memory/1868-14-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1868-10-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1868-15-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1868-17-0x0000000074940000-0x000000007502E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1868-16-0x0000000004450000-0x0000000004492000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1868-18-0x00000000044C0000-0x0000000004500000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1868-19-0x00000000044C0000-0x0000000004500000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1868-20-0x00000000044C0000-0x0000000004500000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1868-21-0x0000000074940000-0x000000007502E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3000-6-0x00000000001D0000-0x00000000001D2000-memory.dmp

    Filesize

    8KB

    Download