Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2023, 15:58

General

  • Target

    MT PEARL - T.PDF.js

  • Size

    5.8MB

  • MD5

    07d87f8a2836402d7d6d121b4ac64850

  • SHA1

    2643de7c438bd735d4730a40444fd41c2eca6712

  • SHA256

    d65d4a47bce8ac5360c92d4be30d043207c6d6d39b9b2709bf37b9b23a7b5835

  • SHA512

    5dc8a13c2235ba5496f95be0310e38b4498fe3113cd7534cd6c18dd52176fcf36a31944a5822a2962624d8ae0e0f9930ca0ea2a5a3531c823ab7eaf16e0ca966

  • SSDEEP

    24576:2nZ2HSB9a3Z6opVwL2EnWfPyAIbjnwYh88Y/tIT0L66ZTF8hi/tbUDfkPwcAeZQw:Ea5

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6811423600:AAG2aeIaNsb7KhtKp1Js71i-PwGY1zN7uIg/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 18 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\MT PEARL - T.PDF.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zuOeofjXeJ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2664
    • C:\Users\Admin\AppData\Local\Temp\aaad.exe
      "C:\Users\Admin\AppData\Local\Temp\aaad.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aaad.exe

    Filesize

    234KB

    MD5

    6c6cee666da17c0043661cf2a0c56d6a

    SHA1

    9ca21a88e917d235b4fd923bc0bc8208af8c30ec

    SHA256

    25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc

    SHA512

    8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335

  • C:\Users\Admin\AppData\Roaming\zuOeofjXeJ.js

    Filesize

    346KB

    MD5

    e8d8eeb4b2b4494f257c2aeeaf39de6d

    SHA1

    132b82b68c1120490447ee12f63817954c00bda2

    SHA256

    37361c480ae887fab7a0a8d45caa9afb4dcd6153ae6ef2671ac96608cddf85ee

    SHA512

    863e3d2f1d06fcd408402c3e7eb7cc35e18be9f46470919bd22cbd4e7292763a5d51ba8de6eba665dfc80ba227ecda62b6e8206b4c9c6d221d40f9f8a1cca85d

  • memory/2688-9-0x0000000000390000-0x00000000003D0000-memory.dmp

    Filesize

    256KB

  • memory/2688-10-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-11-0x0000000000740000-0x0000000000780000-memory.dmp

    Filesize

    256KB

  • memory/2688-12-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-13-0x0000000000740000-0x0000000000780000-memory.dmp

    Filesize

    256KB