Analysis
  Max time kernel: 128s
  Max time network: 140s
  Platform: windows10-2004_x64
  Resource: win10v2004-20230831-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 04/09/2023, 10:58
Static task: static1
Behavioral task: behavioral1
  Sample: BANK COPY.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: BANK COPY.exe
  Resource: win10v2004-20230831-en
General
  Target: BANK COPY.exe
  Size: 549KB
  MD5: cc9408eff115ec6b750c751d1fc1093f
  SHA1: 559f96055dafaa4e46e0b594a5b748687dabbe8c
  SHA256: 2985214c0fbae1739d06009de458f7c2c1b38d4057f9a841e00922abe2c55103
  SHA512: 5aab5ad46b687930d17895fe44522b3930f2798c87af59c54b0587ec51fe73788027e82c3d81ed87ce7ab7db37d36bf1ab9cbbe56ba7ec4f699a3efec6fa99e6
  SSDEEP: 12288:EPsCaf/JbuqHHuE1dS68Fd58sDlN/q/afcJetqd6kuPjaz:uaf/J5uIS6818sLaCYd07az
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: kV$bSqJ1 daniel
  Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and credential stealer; the family originated as a Visual Basic (.NET) project. The configuration extracted from this sample exfiltrates over SMTP to the host and mailbox listed under Malware Config.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation (process: BANK COPY.exe)
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: BANK COPY.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: BANK COPY.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: BANK COPY.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sOFvE = "C:\\Users\\Admin\\AppData\\Roaming\\sOFvE\\sOFvE.exe" (process: BANK COPY.exe)
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 46: api.ipify.org
  Flow 45: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  PID 3396 (BANK COPY.exe) set thread context of PID 2828 (procid_target 92)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4840: schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3396: BANK COPY.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3396 (BANK COPY.exe)
  Token: SeDebugPrivilege, PID 2828 (BANK COPY.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3396 (BANK COPY.exe) wrote to memory of PID 4840 (procid_target 90): 3 events
  PID 3396 (BANK COPY.exe) wrote to memory of PID 2828 (procid_target 92): 8 events
outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: BANK COPY.exe)
outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: BANK COPY.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\BANK COPY.exe (PID 3396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BANK COPY.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 4840, child of 3396)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDzJoA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F34.tmp"
    (The sample requested System32\schtasks.exe but the image that ran is under SysWOW64: the sample is a 32-bit process and WOW64 file-system redirection applies. The task definition is supplied as an XML file dropped in %TEMP%.)
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\BANK COPY.exe (PID 2828, child of 3396)
    Command line: "{path}"
    (A second copy of the sample's own image, started with the literal placeholder "{path}" as its command line, then written to and given a new thread context by PID 3396; the credential-access and Run-key behaviour is observed in this child, which is consistent with process hollowing.)
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
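The behaviours above (a same-image child that receives WriteProcessMemory and SetThreadContext from its parent, schtasks /Create fed an XML from %TEMP%, a Run key pointing into AppData, an api.ipify.org lookup, and SMTP to port 587) are the pieces a detection engineer would want to turn into rules. The following is an added example, not code from tria.ge or from the sample: it runs simple detection logic over event records constructed by hand from this report's signatures and process tree. The record schema (kind, pid, ppid, image, cmdline, key, value, host, dst, port) is an assumption of the example rather than a Triage or Sysmon format; the parent PID of the sample and the PIDs on the two network records are also assumed, since the report does not show them.

```python
"""Behavioural triage over constructed event records (added example).

Not part of the tria.ge report or the AgentTesla sample. EVENTS is built by
hand from the report: PIDs 3396, 4840 and 2828, the Run key, the schtasks
command line, the api.ipify.org flows and the SMTP host/port. The record
schema is an assumption of this example; the sample's own ppid (1000) and
the PIDs on the dns/tcp records are assumed, not taken from the report.
"""
import re

# Paths a standard user can write to; persistence or C2 from here is a red flag.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
MAIL_PORTS = {25, 465, 587}
# Illustrative list of "what is my IP" services; only api.ipify.org is in the report.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}

EVENTS = [  # constructed from the report's process tree and signatures
    {"kind": "process", "pid": 3396, "ppid": 1000,  # ppid assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\BANK COPY.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\BANK COPY.exe"'},
    {"kind": "process", "pid": 4840, "ppid": 3396,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDzJoA" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2F34.tmp"'},
    {"kind": "process", "pid": 2828, "ppid": 3396,
     "image": r"C:\Users\Admin\AppData\Local\Temp\BANK COPY.exe",
     "cmdline": '"{path}"'},
    {"kind": "set_thread_context", "pid": 3396, "target": 2828},
    {"kind": "registry_set", "pid": 2828,
     "key": r"\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sOFvE",
     "value": r"C:\Users\Admin\AppData\Roaming\sOFvE\sOFvE.exe"},
    {"kind": "dns", "pid": 2828, "host": "api.ipify.org"},          # pid assumed
    {"kind": "tcp", "pid": 2828, "dst": "us2.smtp.mailhostbox.com", "port": 587},  # pid assumed
]


def root_pid(procs, pid):
    """Follow ppid links to the top-most process we hold a record for."""
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid


def triage(events):
    """Return (rule, pid, root_pid) findings for the behaviours the report lists."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []

    def hit(rule, pid):
        findings.append((rule, pid, root_pid(procs, pid)))

    for e in events:
        kind = e["kind"]
        if kind == "process":
            cmd = e["cmdline"].lower()
            # schtasks /Create with a task XML dropped in a Temp directory
            if (e["image"].lower().endswith("schtasks.exe") and "/create" in cmd
                    and "/xml" in cmd and "\\temp\\" in cmd):
                hit("schtasks_task_from_temp_xml", e["pid"])
        elif kind == "set_thread_context":
            # Hollowing pattern: parent rewrites the thread context of a child
            # that runs the parent's own image.
            src, dst = procs.get(e["pid"]), procs.get(e["target"])
            if (src and dst and dst["ppid"] == src["pid"]
                    and dst["image"].lower() == src["image"].lower()):
                hit("thread_context_set_on_same_image_child", e["target"])
        elif kind == "registry_set":
            if "\\currentversion\\run\\" in e["key"].lower() and USER_WRITABLE.search(e["value"]):
                hit("run_key_points_into_appdata", e["pid"])
        elif kind == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS:
            hit("external_ip_lookup", e["pid"])
        elif kind == "tcp" and e["port"] in MAIL_PORTS:
            # Mail submission from a binary living in a user-writable path
            proc = procs.get(e["pid"])
            if proc and USER_WRITABLE.search(proc["image"]):
                hit("smtp_from_user_writable_path", e["pid"])
    return findings


if __name__ == "__main__":
    for rule, pid, root in triage(EVENTS):
        print(f"{rule:40} pid={pid} sample_pid={root}")
```

Every finding is reported with the root of its process chain so that the Run key and the SMTP connection, which the report attributes to the hollowed child PID 2828, are tied back to the sample PID 3396 rather than looking like two unrelated processes. The same-image check on SetThreadContext is deliberately narrow: AgentTesla here hollows a copy of itself, but many loaders hollow a signed Windows binary instead, and a production rule would drop the image-equality condition and score on the SetThreadContext plus WriteProcessMemory pair alone.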
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: 16de2b30353afd5b2cd2ef8072a4819d
  SHA1: 8401f54747dfc992cef675285f5627a377ecafb2
  SHA256: 2b2649bbc9fa465878ffbf51e2192e7aff94d17e5f232d77d937bf5026a9bf1b
  SHA512: 2d09aa8af628500ee50a8c89aa38d2a096cb046570a2ca7fad1f3596b0a49a9224439b1ed659191e5dd79c5aa70e3c693fb4437c75475fa54ec505c62d3dd598
File 2
  Filesize: 1KB
  MD5: bb553d63e62f94687a52f0c1e6778d9d
  SHA1: 2dd205db3d74a3108624c69b935cacfb82d0ee47
  SHA256: 2c021ba8c230107a88101ff8735d9a34dacccebf63be785007fe0c2d1992b4a7
  SHA512: 0b2cc99b0ab8713fc7c2c9f272e871b4159f125ee790542bf174dee365890b30e9817ba57528177f87d3896d7548bd6da969f06a6e75d9bb421fde51faf6fbae