Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

MT PEARL - T.PDF.js

windows7-x64

10

MT PEARL - T.PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2023, 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT PEARL - T.PDF.js

  • Size

    5.8MB

  • MD5

    07d87f8a2836402d7d6d121b4ac64850

  • SHA1

    2643de7c438bd735d4730a40444fd41c2eca6712

  • SHA256

    d65d4a47bce8ac5360c92d4be30d043207c6d6d39b9b2709bf37b9b23a7b5835

  • SHA512

    5dc8a13c2235ba5496f95be0310e38b4498fe3113cd7534cd6c18dd52176fcf36a31944a5822a2962624d8ae0e0f9930ca0ea2a5a3531c823ab7eaf16e0ca966

  • SSDEEP

    24576:2nZ2HSB9a3Z6opVwL2EnWfPyAIbjnwYh88Y/tIT0L66ZTF8hi/tbUDfkPwcAeZQw:Ea5

Score
10/10
agentteslavjw0rmkeyloggerspywarestealertrojanworm

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6811423600:AAG2aeIaNsb7KhtKp1Js71i-PwGY1zN7uIg/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 15 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\MT PEARL - T.PDF.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zuOeofjXeJ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3148
    • C:\Users\Admin\AppData\Local\Temp\aaad.exe
      "C:\Users\Admin\AppData\Local\Temp\aaad.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aaad.exe
    Filesize

    234KB

    MD5

    6c6cee666da17c0043661cf2a0c56d6a

    SHA1

    9ca21a88e917d235b4fd923bc0bc8208af8c30ec

    SHA256

    25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc

    SHA512

    8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aaad.exe
    Filesize

    234KB

    MD5

    6c6cee666da17c0043661cf2a0c56d6a

    SHA1

    9ca21a88e917d235b4fd923bc0bc8208af8c30ec

    SHA256

    25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc

    SHA512

    8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aaad.exe
    Filesize

    234KB

    MD5

    6c6cee666da17c0043661cf2a0c56d6a

    SHA1

    9ca21a88e917d235b4fd923bc0bc8208af8c30ec

    SHA256

    25a4772b405adb2585dc19e528156f6907ce3f539d0bc85827419f93c320f5cc

    SHA512

    8bc9edfcc329b539dfce4490d2b7974b92517661caeb34cc16c941497cda982232db29f69714452ecda2614c9c669a31e7a9866c1619a0f4df5663eaa8daa335

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zuOeofjXeJ.js
    Filesize

    346KB

    MD5

    e8d8eeb4b2b4494f257c2aeeaf39de6d

    SHA1

    132b82b68c1120490447ee12f63817954c00bda2

    SHA256

    37361c480ae887fab7a0a8d45caa9afb4dcd6153ae6ef2671ac96608cddf85ee

    SHA512

    863e3d2f1d06fcd408402c3e7eb7cc35e18be9f46470919bd22cbd4e7292763a5d51ba8de6eba665dfc80ba227ecda62b6e8206b4c9c6d221d40f9f8a1cca85d

    Download Submit

  • memory/4356-16-0x0000000005620000-0x0000000005BC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4356-15-0x0000000000620000-0x0000000000660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4356-14-0x0000000074AA0000-0x0000000075250000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4356-17-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4356-18-0x0000000005170000-0x00000000051D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4356-19-0x0000000005E20000-0x0000000005E70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4356-20-0x0000000005F10000-0x0000000005FAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4356-21-0x0000000006990000-0x0000000006A22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4356-22-0x0000000006930000-0x000000000693A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4356-23-0x0000000074AA0000-0x0000000075250000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4356-24-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download