Analysis
- max time kernel: 154s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2023, 14:50

Static task: static1

Behavioral task: behavioral1
- Sample: PURCHASE.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: PURCHASE.exe
- Resource: win10v2004-20230915-en
General
- Target: PURCHASE.exe
- Size: 589KB
- MD5: f4f17865d15852d7ca7acc8a3458e3ba
- SHA1: 041a89729db626b52ccb6734a543d24775206edc
- SHA256: fa6cfed07797c6a3fc1962de2c17bc2065431f4fdfa209b77d8a7f28051ec2d8
- SHA512: b386f95445caa17be17e145daf3defa745a156cad2764b8b7819da055ae4429c5b52787835bd5f53ce0c7d0627e395197e77874ea0837e2ef516b837e6c7646d
- SSDEEP: 12288:0725B9c4klaJEJ/hbedok6Vl+zTE40UvuPyHn+9YVFa7WkERBgahOhB:Htc4klKE5hbSokmAQ4Dvu6+7cgrB
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.rimiapparelsltd.com
- Port: 587
- Username: [email protected]
- Password: Everest10@
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PURCHASE.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PURCHASE.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PURCHASE.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2764 set thread context of 2948 | 2764 | PURCHASE.exe | 38
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2560 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2764 | PURCHASE.exe (9 entries)
  2776 | powershell.exe
  2500 | powershell.exe
  2948 | PURCHASE.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2764 | PURCHASE.exe
  Token: SeDebugPrivilege | 2948 | PURCHASE.exe
  Token: SeDebugPrivilege | 2776 | powershell.exe
  Token: SeDebugPrivilege | 2500 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2948 | PURCHASE.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 2764 wrote to memory of 2776 | 2764 | PURCHASE.exe | 30 (4 entries)
  PID 2764 wrote to memory of 2500 | 2764 | PURCHASE.exe | 32 (4 entries)
  PID 2764 wrote to memory of 2560 | 2764 | PURCHASE.exe | 34 (4 entries)
  PID 2764 wrote to memory of 2940 | 2764 | PURCHASE.exe | 36 (4 entries)
  PID 2764 wrote to memory of 2952 | 2764 | PURCHASE.exe | 37 (4 entries)
  PID 2764 wrote to memory of 2948 | 2764 | PURCHASE.exe | 38 (9 entries)
- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PURCHASE.exe
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PURCHASE.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
  PID: 2764
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
    PID: 2776
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WZHBzFGpfQhw.exe"
    PID: 2500
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WZHBzFGpfQhw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF21C.tmp"
    PID: 2560
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
    PID: 2940
  - C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
    PID: 2952
  - C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
    PID: 2948
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1deb8624625232b26c2d7b5ddf3eb55e
  SHA1: 3df14d1ffeac5065e854b2755918c466c19ff70b
  SHA256: 715c7ba8c430b7c8ce1a0bf467a6e15a64f0502e657b9d6fd237983db1ea5859
  SHA512: 66c9c0d5a96afb32136b7284dbf511e4ac0c3b613c1120cd3ee892413aa9bc2ace83974f1d85601aa9080a7448f320734b199816f18b7a949ad7c9773bdba712
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6WIF523TFX7T3S4FCGIJ.temp
  Filesize: 7KB
  MD5: 726ca037514222748d44d26a27ea71b6
  SHA1: c95c64d635a2bd9e05779f50f692ae7671b47eec
  SHA256: fa36ac0d15fce1d3c7829fd125c93878c1dca77f25ac8de91ef6e26e285d341c
  SHA512: 424cb447e445ebd10ce76cc73b96adf410a9cda5d81a3672d3b893a8471a4ea439d3604b770605cd375712dc2e7df7a539fd974127862bbfc0f4c0f4abf70eec
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 726ca037514222748d44d26a27ea71b6
  SHA1: c95c64d635a2bd9e05779f50f692ae7671b47eec
  SHA256: fa36ac0d15fce1d3c7829fd125c93878c1dca77f25ac8de91ef6e26e285d341c
  SHA512: 424cb447e445ebd10ce76cc73b96adf410a9cda5d81a3672d3b893a8471a4ea439d3604b770605cd375712dc2e7df7a539fd974127862bbfc0f4c0f4abf70eec