Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

YU SV Payment.exe

windows7-x64

10

YU SV Payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2023, 09:08 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YU SV Payment.exe

  • Size

    841KB

  • MD5

    c9586b5ef698248e11c6fc904ccd1e6d

  • SHA1

    3b2246ad338738d2d1dba1cbc7a751091149d338

  • SHA256

    cde4e54eecb8d93a3bf01b328a33b998ef032becee8b0e375225cbce85c4a548

  • SHA512

    114c617845d7061047db47893357e96703d70f576b4cd6d3c9822e94537a6efe8cea56babb22dae0181a0238b7595a49226780113810ad992a4bf1d2da38a2c9

  • SSDEEP

    24576:3MPBrU7n0K+4iAVilgobPwXGYfpBhtD/:S1Ug54xQlJc2Y3

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    zqamcx.com
  • Port:
    587
  • Username:
    sender@zqamcx.com
  • Password:
    Methodman991
  • Email To:
    method@zqamcx.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YU SV Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\YU SV Payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\YU SV Payment.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\smltCUtWNLO.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\smltCUtWNLO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD45.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\YU SV Payment.exe
      "C:\Users\Admin\AppData\Local\Temp\YU SV Payment.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2744

Network

  • flag-us
    DNS
    zqamcx.com
    YU SV Payment.exe
    Remote address:
    8.8.8.8:53
    Request
    zqamcx.com
    IN A
    Response
    zqamcx.com
    IN A
    78.110.166.82
  • 78.110.166.82:587
    zqamcx.com
    smtp-submission
    YU SV Payment.exe
    487 B
     603 B
     7
    6
  • 8.8.8.8:53
    zqamcx.com
    dns
    YU SV Payment.exe
    56 B
     72 B
     1
    1

    DNS Request

    zqamcx.com

    DNS Response

    78.110.166.82

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDD45.tmp
    Filesize

    1KB

    MD5

    2788a54620346792ace5861ff672f2df

    SHA1

    48e67fdd47fe77dd6c6b9ebd7b1922cafd6be681

    SHA256

    a660bc2a80a23e7f273902f8a4b0be7049a44f1e23f15792517aca266176f611

    SHA512

    8a2fdeeced9744801fcf2b26323062d222386d20b6f4056e3c9b81221e0eb15cccdf526cbd5a2892140ea8cef499435d32ed86566f2819c8875015c26fd2e6ec

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HINN64LEV6581WV9XFI7.temp
    Filesize

    7KB

    MD5

    5455c249c1962b84cd07dc623eb8fb05

    SHA1

    43eac89a56fda3ff03bdc7706134ace77441bbd3

    SHA256

    64509d3f25f20aa340f4c06696a26d841a126e5336424b1a6a55cb95f4b43079

    SHA512

    87ff8e22f667f5adb73804f6767c2c14ed5d820d382a2fb271ece466df66beeb955e9026964f40030b69f6669a6eb9c51d9f103707c0dcbc8fba360ba0366144

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    5455c249c1962b84cd07dc623eb8fb05

    SHA1

    43eac89a56fda3ff03bdc7706134ace77441bbd3

    SHA256

    64509d3f25f20aa340f4c06696a26d841a126e5336424b1a6a55cb95f4b43079

    SHA512

    87ff8e22f667f5adb73804f6767c2c14ed5d820d382a2fb271ece466df66beeb955e9026964f40030b69f6669a6eb9c51d9f103707c0dcbc8fba360ba0366144

    Download Submit

  • memory/2496-40-0x000000006D990000-0x000000006DF3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2496-42-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2496-36-0x000000006D990000-0x000000006DF3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2496-38-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2496-46-0x000000006D990000-0x000000006DF3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2704-41-0x00000000024E0000-0x0000000002520000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2704-39-0x00000000024E0000-0x0000000002520000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2704-44-0x000000006D990000-0x000000006DF3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2704-45-0x000000006D990000-0x000000006DF3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2704-37-0x000000006D990000-0x000000006DF3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2744-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-47-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2744-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-32-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-34-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-43-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2744-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-8-0x0000000004960000-0x00000000049A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2936-7-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2936-6-0x0000000005AB0000-0x0000000005B2C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2936-5-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2936-4-0x0000000000480000-0x0000000000488000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2936-3-0x00000000004D0000-0x00000000004EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2936-35-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2936-2-0x0000000004960000-0x00000000049A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2936-0-0x0000000001250000-0x0000000001328000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2936-1-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.