Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

946efedd10...c7.exe

windows7-x64

10

946efedd10...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2023, 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe

  • Size

    657KB

  • MD5

    44b3f77611eb5683fd24afe8dbd7b51e

  • SHA1

    0676080c4436fcd309e8dbef2446c4e24d2944e5

  • SHA256

    946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7

  • SHA512

    302c50f5c2be68a170d62bbd426184d5a7a5327b72292cae2f2ca63a37cc10c3a0531c2f6d8e0aee992b2416f05742f3679ab49aef6cc5b8e996681784931cc8

  • SSDEEP

    12288:vwxPgUrwBabekPXpxSHIjxrpLFm7OoOWf0h5KkrNGg7fqq/5pv:wKBabdPvS4Lp3m0hIkrN9LR

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe
    "C:\Users\Admin\AppData\Local\Temp\946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
      "C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
        "C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe"
        3⤵
        • Executes dropped EXE
        PID:2772
      • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
        "C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lxtlpujoec.bnt
    Filesize

    333KB

    MD5

    72f0328b8d9c87ab8df933e0b2263b56

    SHA1

    58dddc7412282e05cb3c85b8f7565633cf3f6159

    SHA256

    653d5667465616ac704fc2622d2e65cbe79ba2433792715c86c11a900c3ff6f6

    SHA512

    e151dd66104a61bffb37880e6a08f54c9972f274151748609861b9d83c24d938d3e6fbf26863edb251dce616dd19570b69a6e437c1c9645189100c3aebd66a8e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • \Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • \Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • \Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Filesize

    523KB

    MD5

    da25a3a223aab46ac3989923028ead8d

    SHA1

    53053eb02e5acba55297024b08419afe4bd33b37

    SHA256

    32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78

    SHA512

    0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac

    Download Submit

  • memory/1660-18-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1660-15-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1660-19-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1660-21-0x0000000074180000-0x000000007486E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1660-20-0x00000000001C0000-0x0000000000202000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1660-22-0x0000000000830000-0x0000000000870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1660-23-0x0000000000830000-0x0000000000870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1660-24-0x0000000074180000-0x000000007486E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-9-0x0000000000070000-0x0000000000072000-memory.dmp

    Filesize

    8KB

    Download