Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

231121-01-...d4.exe

windows7-x64

10

231121-01-...d4.exe

windows10-2004-x64

10

231121-02-...4c.exe

windows7-x64

10

231121-02-...4c.exe

windows10-2004-x64

10

231121-03-...94.exe

windows7-x64

10

231121-03-...94.exe

windows10-2004-x64

10

231121-04-...05.exe

windows7-x64

10

231121-04-...05.exe

windows10-2004-x64

10

231121-05-...29.exe

windows7-x64

10

231121-05-...29.exe

windows10-2004-x64

10

231121-06-...a6.exe

windows7-x64

10

231121-06-...a6.exe

windows10-2004-x64

10

231121-07-...6a.exe

windows7-x64

10

231121-07-...6a.exe

windows10-2004-x64

10

231121-08-...84.exe

windows7-x64

10

231121-08-...84.exe

windows10-2004-x64

10

231121-09-...c4.exe

windows7-x64

10

231121-09-...c4.exe

windows10-2004-x64

10

231121-10-...ec.exe

windows7-x64

10

231121-10-...ec.exe

windows10-2004-x64

10

231121-11-...bc.exe

windows7-x64

10

231121-11-...bc.exe

windows10-2004-x64

10

231121-12-...1d.exe

windows7-x64

10

231121-12-...1d.exe

windows10-2004-x64

10

231121-13-...5e.exe

windows7-x64

10

231121-13-...5e.exe

windows10-2004-x64

10

231121-14-...29.exe

windows7-x64

10

231121-14-...29.exe

windows10-2004-x64

10

231121-15-...f4.exe

windows7-x64

3

231121-15-...f4.exe

windows10-2004-x64

10

231121-16-...00.exe

windows7-x64

10

231121-16-...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2023, 02:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    231121-01-AgentTesla-4f4bd4.exe

  • Size

    890KB

  • MD5

    73af2b313925da0e49f1c99e1b51ec4b

  • SHA1

    4f4bd4f230b2d2bc6f140d38f8c301a3264747a0

  • SHA256

    bf91852588010cca4ca8aa2f419531df69a6e5454f471ebb2e862c17b99e5724

  • SHA512

    1c7ab9854266a275376ce0134d356702749f6ce8168fee0301c8140867d30384c4f5521c1212c71aba2eea0cee3600bbe9bd6311ac721219acb52c46b1c3c6f7

  • SSDEEP

    24576:ve4ucqeAete6Fnj5k359f5fHi/dkGxris1q:3ucN3Fnjw53exel

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bezzleauto.com
  • Port:
    587
  • Username:
    service@bezzleauto.com
  • Password:
    kex#-rHjHM4qKk52
  • Email To:
    avril.chen@bezzleauto.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\231121-01-AgentTesla-4f4bd4.exe
    "C:\Users\Admin\AppData\Local\Temp\231121-01-AgentTesla-4f4bd4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\231121-01-AgentTesla-4f4bd4.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yoLxZmTZYPo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yoLxZmTZYPo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEEA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDEEA.tmp
    Filesize

    1KB

    MD5

    ed547489b3daa1b4e763c0a18b9c6b98

    SHA1

    c76ebe7189bc57c8e4443845f7b30a037c706f8d

    SHA256

    eb01cfc57852505da77fa35047016191e66f816d29096d20c9ec444e6af59696

    SHA512

    29b97c07715da11dc4b67ffdd513e4e935ee0503ac6a396bfe8f37ab3788476dfa57c6677680ae8c12837fdb31c5548b45dd16f0d03f4d15b594c3f5c51321a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\882972XF2KKG31B3RTXZ.temp
    Filesize

    7KB

    MD5

    9b58a00a41b796a34983198b9d624c33

    SHA1

    0ea345e0dbc5ad1be011d08d454577ddd16e594b

    SHA256

    05f3137131cde578001007afc540f7520a77420ba06e87c5c2dc91344952f872

    SHA512

    22047b0a8a7ca05d1ea283b0c905552e0eb0c2fbf5ddeece24748d83852e80a801b16dfe9dcfdb9aeaec56c0884a49f07cc6c6a492b32ade977c1b8f47e6f6ca

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    9b58a00a41b796a34983198b9d624c33

    SHA1

    0ea345e0dbc5ad1be011d08d454577ddd16e594b

    SHA256

    05f3137131cde578001007afc540f7520a77420ba06e87c5c2dc91344952f872

    SHA512

    22047b0a8a7ca05d1ea283b0c905552e0eb0c2fbf5ddeece24748d83852e80a801b16dfe9dcfdb9aeaec56c0884a49f07cc6c6a492b32ade977c1b8f47e6f6ca

    Download Submit

  • memory/1940-32-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1940-1-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1940-5-0x00000000004D0000-0x00000000004DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1940-6-0x0000000004E00000-0x0000000004E7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1940-7-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1940-3-0x00000000004B0000-0x00000000004C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-2-0x0000000000460000-0x00000000004A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1940-0-0x00000000010F0000-0x00000000011D4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/1940-4-0x00000000004C0000-0x00000000004C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2616-21-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2616-38-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-22-0x0000000002720000-0x0000000002760000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2768-23-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-39-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-20-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2976-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-33-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-36-0x0000000072E70000-0x000000007355E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2976-37-0x00000000012C0000-0x0000000001300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2976-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-40-0x0000000072E70000-0x000000007355E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2976-41-0x00000000012C0000-0x0000000001300000-memory.dmp

    Filesize

    256KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.