Analysis
- max time kernel: 145s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2023, 07:13 (DD/MM/YYYY, i.e. 3 October 2023; the win10v2004-20230915 image did not exist on 10 March)
Tasks
- static1: static task
- behavioral1: sample RFQ-000112030687.exe, resource win7-20230831-en
- behavioral2: sample RFQ-000112030687.exe, resource win10v2004-20230915-en (the run shown in this report)
General
- Target: RFQ-000112030687.exe
- Size: 365KB
- MD5: 61d3b0268ab312ad7183a693041e5566
- SHA1: daf1c38ca56a0b8163aee55735cc1c34fa53de2b
- SHA256: 60d963ad6d64ed53b4ef360e0fb04cbd0ca8c17d8de0fa29263daa531fb572a6
- SHA512: 3cb7d33d8248296b3e3e9359d9e58fb57be11c1b3dc9186ec314039e0fee9802aab2f2dc82acaf5913cbef5b21a836a651f2853d8acf0e15cbebeb8fb825b2e0
- SSDEEP: 6144:BnPdudwDsbeDOZX9lCmKb7x2Du6Exoa4Kb73KxyxOEf0hLynPbZyvXNvWeAzFPrU:BnPdwbeDmt0r2D/E7PUy0BLyTZGNbqrw
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer; the credential-harvesting signatures below (browser, email-client and FTP-client data) are its usual behaviour.
- Executes dropped EXE (2 IoCs)
  pid   Process
  264   oegplt.exe
  3448  oegplt.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by oegplt.exe:
    \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook's per-account settings, including stored mail-server passwords. Office\15.0 and Office\16.0 are the Outlook 2013 and Outlook 2016-and-later profile locations; the Windows Messaging Subsystem path is where Outlook 2010 and earlier kept profiles. Opening all three is a stealer probing every Outlook version rather than a sign that all of them are installed.
- Suspicious use of SetThreadContext (1 IoC)
  PID 264 (oegplt.exe) set thread context of PID 3448 (procid_target 89)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3448, oegplt.exe (two occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 264, oegplt.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3448, oegplt.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2824 (RFQ-000112030687.exe) wrote to memory of PID 264 (procid_target 87), 3 occurrences
  PID 264 (oegplt.exe) wrote to memory of PID 3448 (procid_target 89), 4 occurrences
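The WriteProcessMemory, SetThreadContext and MapViewOfSection rows above describe one chain: the dropped oegplt.exe (PID 264) starts a second copy of itself (PID 3448), writes into it, then redirects a thread in it, which is the process-hollowing pattern, while the initial dropper (PID 2824) only writes into 264 without a visible execution step. The script below, an added example that is not part of the Triage report, correlates such events into per-pair verdicts. The event lines are constructed to mirror the report's PIDs and image paths; their line format is an assumption for this example (not Triage's export format), and the root process's parent PID is a placeholder because the report does not show it.

```python
"""Correlate sandbox cross-process events into injection-chain verdicts.

Added example, not part of the Triage report. Event format is assumed.
"""
import re
from collections import Counter

# Constructed sample events modelled on the report's IoCs (PIDs 2824 -> 264 -> 3448).
# parent=0 on the first line is a placeholder: the report does not show 2824's parent.
SAMPLE_EVENTS = r"""
process_create pid=2824 image=C:\Users\Admin\AppData\Local\Temp\RFQ-000112030687.exe parent=0
process_create pid=264 image=C:\Users\Admin\AppData\Local\Temp\oegplt.exe parent=2824
write_memory src=2824 dst=264
write_memory src=2824 dst=264
write_memory src=2824 dst=264
process_create pid=3448 image=C:\Users\Admin\AppData\Local\Temp\oegplt.exe parent=264
write_memory src=264 dst=3448
write_memory src=264 dst=3448
write_memory src=264 dst=3448
write_memory src=264 dst=3448
set_thread_context src=264 dst=3448
"""

PROC_RE = re.compile(r"^process_create pid=(\d+) image=(\S+) parent=(\d+)$")
XPROC_RE = re.compile(r"^(write_memory|set_thread_context) src=(\d+) dst=(\d+)$")


def parse_events(text):
    """Return (procs, writes, ctx): process table, write count per (src, dst), thread-context edges."""
    procs, writes, ctx = {}, Counter(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := PROC_RE.match(line)):
            pid, image, parent = m.groups()
            procs[int(pid)] = {"image": image, "parent": int(parent)}
        elif (m := XPROC_RE.match(line)):
            kind, src, dst = m.group(1), int(m.group(2)), int(m.group(3))
            if kind == "write_memory":
                writes[(src, dst)] += 1
            else:
                ctx.add((src, dst))
        else:
            raise ValueError(f"unrecognised event line: {line!r}")
    return procs, writes, ctx


def find_injection_chains(text):
    """Classify every (writer, target) pair that touched another process's memory."""
    procs, writes, ctx = parse_events(text)
    findings = []
    for (src, dst), count in sorted(writes.items()):
        writer = procs.get(src, {})
        target = procs.get(dst, {})
        is_own_child = target.get("parent") == src
        # Same image path re-launched and rewritten is the self-hollowing variant seen here.
        same_image = bool(target.get("image")) and target["image"].lower() == writer.get("image", "").lower()
        if (src, dst) in ctx and is_own_child:
            # Writer spawned the target, rewrote its memory, then redirected a thread:
            # the process-hollowing pattern (the report's 264 -> 3448).
            verdict = "process_hollowing"
        elif (src, dst) in ctx:
            verdict = "thread_hijack"        # context change into a process it did not spawn
        else:
            verdict = "remote_write_only"    # writes with no visible execution step (2824 -> 264)
        findings.append({
            "src": src, "dst": dst, "writes": count, "verdict": verdict,
            "same_image": same_image, "target_is_child": is_own_child,
            "target_image": target.get("image"),
        })
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(SAMPLE_EVENTS):
        print(f"{f['src']} -> {f['dst']}: {f['verdict']} "
              f"(writes={f['writes']}, same_image={f['same_image']})")
```

The verdict relies on three independent facts (parent/child relationship, cross-process write, thread context change) rather than any one API call, which is what keeps it from firing on debuggers or legitimate CreateProcess plumbing that also write into a child. A real feed would add the MapViewOfSection event and the target's creation flags (CREATE_SUSPENDED) as further corroboration.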
- outlook_office_path (1 IoC)
  Key opened by oegplt.exe: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by oegplt.exe: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
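The sandbox logs registry access in NT object-manager form (\REGISTRY\USER\<SID>\...), which is not what an analyst sees in regedit or in a host-based log. The script below, an added example that is not from the Triage report, takes the three Outlook keys listed under "Accesses Microsoft Outlook profiles" and the two outlook_*_path signatures, rewrites each into its HKEY_USERS and HKEY_CURRENT_USER equivalents, extracts the user SID, and identifies which Outlook generation's profile store was touched. The version-to-product mapping and the meaning of the 9375CFF0413111d3B88A00104B2A6676 subkey are general Outlook facts, not something the report states; the key strings themselves are copied from the report.

```python
"""Normalise and classify Outlook profile registry keys from sandbox IoCs.

Added example, not part of the Triage report.
"""
import re

# The three keys exactly as the report lists them (NT object-manager form).
REPORT_KEYS = [
    r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]

# Well-known Outlook subkey holding per-account settings, including stored passwords.
ACCOUNT_STORE_GUID = "9375CFF0413111d3B88A00104B2A6676"

NT_USER_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-\d+-\d+-\d+-\d+)\\(.+)$", re.IGNORECASE)
OFFICE_RE = re.compile(
    r"^Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\([^\\]+)\\(.+)$", re.IGNORECASE)
WMS_RE = re.compile(
    r"^Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\([^\\]+)\\(.+)$",
    re.IGNORECASE)

OFFICE_NAMES = {"15.0": "Outlook 2013", "16.0": "Outlook 2016 and later"}


def classify_outlook_key(nt_path):
    """Return a dict describing the key, or None if it is not a per-user Outlook profile key."""
    m = NT_USER_RE.match(nt_path)
    if not m:
        return None  # HKLM or a non-domain-style SID: not what this stealer is after
    sid, rel = m.groups()
    info = {
        "sid": sid,
        "hku_path": f"HKEY_USERS\\{sid}\\{rel}",
        # Valid HKCU view only for the user whose SID this is.
        "hkcu_path": f"HKEY_CURRENT_USER\\{rel}",
        "account_store": rel.upper().endswith(ACCOUNT_STORE_GUID.upper()),
    }
    if (mo := OFFICE_RE.match(rel)):
        version, profile, _ = mo.groups()
        info.update(product=OFFICE_NAMES.get(version, f"Outlook {version}"),
                    profile=profile, legacy_location=False)
    elif (mw := WMS_RE.match(rel)):
        profile, _ = mw.groups()
        info.update(product="Outlook 2010 and earlier (Windows Messaging Subsystem)",
                    profile=profile, legacy_location=True)
    else:
        return None
    return info


def summarise(keys):
    """One line per key: which Outlook generation, which profile, and whether it is the credential store."""
    lines = []
    for k in keys:
        c = classify_outlook_key(k)
        if c is None:
            lines.append(f"ignored: {k}")
            continue
        store = "account store (stored passwords)" if c["account_store"] else "profile metadata"
        lines.append(f"{c['sid']}: {c['product']}, profile '{c['profile']}', {store}")
    return lines


if __name__ == "__main__":
    for line in summarise(REPORT_KEYS):
        print(line)
```

Because all three keys end in the same account-store GUID under the same SID, the stealer is walking every known Outlook profile location for that one user; in a host investigation, match on the HKCU-relative path rather than the SID-qualified one, since the SID differs per victim.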
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ-000112030687.exe (PID 2824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-000112030687.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\oegplt.exe (PID 264), child of 2824
    Command line: "C:\Users\Admin\AppData\Local\Temp\oegplt.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\oegplt.exe (PID 3448), child of 264
      Command line: "C:\Users\Admin\AppData\Local\Temp\oegplt.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 226KB (this entry appears three times in the report with identical hashes; listed once here)
  MD5: 27556f9517e29655bfea6abed07d7531
  SHA1: 7bd274d4adf96f87b515e1bcf55adc58e5508775
  SHA256: df6b2ef31f293825aa7170e8f7821856ce33500baef4d1907e372b09be655796
  SHA512: 90d39291d65d8dc7443208f1b940ca5c51cdd1cd686af00d714ff671de62479400bcfc9eded85ce40907316e27e5b9e84698f5ae9eacc218671a0bbce71b6826
- Filesize: 262KB
  MD5: 8be405c4fba40329c782151345c2e21f
  SHA1: 874f2ce0c8e78296912fad600604c4cc3d1c76fc
  SHA256: 13596e945f311a3aa6ce0e94d68e9b3dda745fd020c95f745b138c10a759e4df
  SHA512: 5ae85084e3289e97ee1fd12d3a9d3a43bd6a41e199f987024ae42944a81ad6fad2b5c4d91ef993e17444f7850cd5823615178b6815df1041e732a965a413b2da