Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2023, 15:58
Static task: static1
Behavioral task: behavioral1
Sample: MT PEARL - T.PDF.js
Resource: win7-20231020-en
General
Target: MT PEARL - T.PDF.js
Size: 5.8MB
MD5: 07d87f8a2836402d7d6d121b4ac64850
SHA1: 2643de7c438bd735d4730a40444fd41c2eca6712
SHA256: d65d4a47bce8ac5360c92d4be30d043207c6d6d39b9b2709bf37b9b23a7b5835
SHA512: 5dc8a13c2235ba5496f95be0310e38b4498fe3113cd7534cd6c18dd52176fcf36a31944a5822a2962624d8ae0e0f9930ca0ea2a5a3531c823ab7eaf16e0ca966
SSDEEP: 24576:2nZ2HSB9a3Z6opVwL2EnWfPyAIbjnwYh88Y/tIT0L66ZTF8hi/tbUDfkPwcAeZQw:Ea5
Malware Config
Extracted
Family: agenttesla
C2: https://api.telegram.org/bot6811423600:AAG2aeIaNsb7KhtKp1Js71i-PwGY1zN7uIg/
The C2 is the Telegram Bot API; the bot token embedded in the URL path is the operator's exfiltration credential and is itself a usable indicator.
Signatures
- AgentTesla
Agent Tesla is a .NET remote access trojan (RAT) and infostealer, written in Visual Basic.
- Blocklisted process makes network request (18 IoCs)
flow | pid | Process
5, 6, 7, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26, 27 | 2664 | wscript.exe
All 18 flows originate from the second-stage script host (pid 2664), not from the dropped executable.
- Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zuOeofjXeJ.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zuOeofjXeJ.js | wscript.exe
- Executes dropped EXE (1 IoC)
pid | Process
2688 | aaad.exe
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2688 | aaad.exe
2688 | aaad.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2688 | aaad.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1740 wrote to memory of 2664 (3 times) | 1740 | wscript.exe | 28
PID 1740 wrote to memory of 2688 (4 times) | 1740 | wscript.exe | 29
Both targets are children of pid 1740; these writes are the parent script host populating its child processes at creation rather than injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe (depth 1, PID 1740)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\MT PEARL - T.PDF.js"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2, PID 2664)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zuOeofjXeJ.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\aaad.exe (depth 2, PID 2688)
    "C:\Users\Admin\AppData\Local\Temp\aaad.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
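The signatures and process tree above describe a recognisable chain: a script host launched from a user-writable path, a second wscript.exe started with //B against a copy in AppData\Roaming, a .js dropped into the Startup folder, network flows from the script host, a dropped EXE run from Temp that takes SeDebugPrivilege, and exfiltration over the Telegram Bot API URL from Malware Config. The following is an added example, not tria.ge's detection logic and not the sample's own code: those behaviours expressed as rules over Sysmon/EDR-style events. The event records and field names are constructed for the example; only the PIDs, paths and the Telegram URL come from the report, while the sendDocument method name and the Chrome "Login Data" read are assumptions that stand in for the report's unnamed browser/email credential reads.

```python
import re

# Constructed Sysmon/EDR-style events (hypothetical field names). PIDs, paths
# and the Telegram URL come from the report; the sendDocument method and the
# browser credential-store read are assumptions added for the example.
EVENTS = [
    {"type": "process", "pid": 1740, "ppid": 1000,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\MT PEARL - T.PDF.js"'},
    {"type": "process", "pid": 2664, "ppid": 1740,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zuOeofjXeJ.js"'},
    {"type": "process", "pid": 2688, "ppid": 1740,
     "image": r"C:\Users\Admin\AppData\Local\Temp\aaad.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\aaad.exe"'},
    {"type": "file", "op": "create", "pid": 2664,
     "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zuOeofjXeJ.js"},
    {"type": "file", "op": "read", "pid": 2688,
     "image": r"C:\Users\Admin\AppData\Local\Temp\aaad.exe",
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network", "pid": 2664,
     "image": r"C:\Windows\System32\wscript.exe",
     "url": "https://api.telegram.org/bot6811423600:AAG2aeIaNsb7KhtKp1Js71i-PwGY1zN7uIg/sendDocument"},
    {"type": "privilege", "pid": 2688,
     "image": r"C:\Users\Admin\AppData\Local\Temp\aaad.exe",
     "token": "SeDebugPrivilege"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Browser/mail credential stores an infostealer reads (a small subset, by file name).
CRED_STORES = ("\\login data", "\\logins.json", "\\key4.db", "\\cookies")
# Telegram Bot API path form: /bot<numeric id>:<secret>/<method>. The secret
# charset used here is an assumption for matching, not a Telegram specification.
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/", re.I)
BATCH_FLAG_RE = re.compile(r"(?:^|\s)//b(?:\s|$)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def extract_telegram_token(url):
    """Return '<id>:<secret>' from a Telegram Bot API URL, or None."""
    m = TELEGRAM_BOT_RE.search(url)
    return m.group(1) if m else None


def triage(events):
    """Apply the rules to a list of events; return one finding per rule hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []

    def hit(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"],
                         "image": basename(e["image"]), "detail": detail})

    for e in events:
        img = basename(e["image"])
        if e["type"] == "process":
            if img in SCRIPT_HOSTS and in_user_writable(e["cmdline"]):
                hit("script_host_runs_userprofile_script", e, e["cmdline"])
            if img in SCRIPT_HOSTS and BATCH_FLAG_RE.search(e["cmdline"]):
                hit("script_host_batch_flag", e, "//B suppresses script errors and prompts")
            parent = procs.get(e["ppid"])
            if (parent and basename(parent["image"]) in SCRIPT_HOSTS
                    and img.endswith(".exe") and in_user_writable(e["image"])):
                hit("script_host_spawns_dropped_exe", e, e["image"])
        elif e["type"] == "file":
            p = e["path"].lower()
            if e["op"] == "create" and STARTUP_DIR in p and p.endswith(SCRIPT_EXT):
                hit("startup_folder_script_drop", e, e["path"])
            if (e["op"] == "read" and any(p.endswith(s) for s in CRED_STORES)
                    and in_user_writable(e["image"])):
                hit("credential_store_read_by_dropped_binary", e, e["path"])
        elif e["type"] == "network":
            if img in SCRIPT_HOSTS:
                hit("script_host_network_request", e, e["url"])
            token = extract_telegram_token(e["url"])
            if token:
                hit("telegram_bot_api_c2", e, token)
        elif e["type"] == "privilege":
            if e["token"] == "SeDebugPrivilege" and in_user_writable(e["image"]):
                hit("sedebug_from_userprofile_binary", e, e["image"])
    return findings


def summarize(findings):
    """Map rule name -> sorted list of PIDs that triggered it."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["pid"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for rule, pids in summarize(triage(EVENTS)).items():
        print(f"{rule:42s} pids={pids}")
```

The parent/child rule is the one worth keeping in a real ruleset: a script host spawning a fresh .exe from AppData\Local\Temp is the pivot from the JavaScript loader to the AgentTesla payload, and it fires regardless of the payload's name or hash. The Telegram rule returns the full bot token so it can be blocked or reported; it does not rely on the token length, since the report only shows one token.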
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 234KB
  MD5: 6c6cee666da17c0043661cf2a0c56d6a
  SHA1: 9ca21a88e917d235b4fd923bc0bc8208af8c30ec
  SHA256: 25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc
  SHA512: 8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335
- Filesize: 346KB
  MD5: e8d8eeb4b2b4494f257c2aeeaf39de6d
  SHA1: 132b82b68c1120490447ee12f63817954c00bda2
  SHA256: 37361c480ae887fab7a0a8d45caa9afb4dcd6153ae6ef2671ac96608cddf85ee
  SHA512: 863e3d2f1d06fcd408402c3e7eb7cc35e18be9f46470919bd22cbd4e7292763a5d51ba8de6eba665dfc80ba227ecda62b6e8206b4c9c6d221d40f9f8a1cca85d