Analysis
- max time kernel: 4s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2023, 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: purchase orders.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: purchase orders.exe
- Resource: win10v2004-20231130-en
General
- Target: purchase orders.exe
- Size: 407KB
- MD5: e9f8fff3341f84d5f76570fd5068b8b5
- SHA1: 7daebfd9193ff0c4925523d470d71ff12d692f98
- SHA256: 86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540
- SHA512: 80fcd35320752592e7e163b5d50df19c01d061596bc411e0de7a666c156f28973b11fc8760c56a64382b22ddaf2c6aa05092ba1aba496970a0afcf7e6ed935ec
- SSDEEP: 12288:D9WEeYF2adf4qD7Wz+oHvu7oUgLCPj4tF2:D9WEeJhM35UUGAwU
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  pid | Process
  2984 | uxtaxvs.exe
  1972 | uxtaxvs.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2412 | purchase orders.exe
  2412 | purchase orders.exe
  2984 | uxtaxvs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnjsso = "C:\\Users\\Admin\\AppData\\Roaming\\yirrnwwgcclhhq\\aavf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\uxtaxvs.exe\" " | uxtaxvs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | api.ipify.org
  4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2984 set thread context of 1972 | 2984 | uxtaxvs.exe | 30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1972 | uxtaxvs.exe
  1972 | uxtaxvs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2984 | uxtaxvs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1972 | uxtaxvs.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2412 wrote to memory of 2984 | 2412 | purchase orders.exe | 28
  PID 2412 wrote to memory of 2984 | 2412 | purchase orders.exe | 28
  PID 2412 wrote to memory of 2984 | 2412 | purchase orders.exe | 28
  PID 2412 wrote to memory of 2984 | 2412 | purchase orders.exe | 28
  PID 2984 wrote to memory of 1972 | 2984 | uxtaxvs.exe | 30
  PID 2984 wrote to memory of 1972 | 2984 | uxtaxvs.exe | 30
  PID 2984 wrote to memory of 1972 | 2984 | uxtaxvs.exe | 30
  PID 2984 wrote to memory of 1972 | 2984 | uxtaxvs.exe | 30
  PID 2984 wrote to memory of 1972 | 2984 | uxtaxvs.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\purchase orders.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\purchase orders.exe"
  PID: 2412
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe (child of PID 2412)
    Command line: "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
    PID: 2984
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe (child of PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
      PID: 1972
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 334KB
  MD5: 7e9a72d139878ecf2699b44f890e14b8
  SHA1: 23a55bd2a648fe65dc25356beb5be8c44d718147
  SHA256: 545fed32d85fd13dee67e82dba632a2a8f54f7c9a101ef68136c457f5ad6b4e2
  SHA512: bc1d5687488fbff994ac89e149c0607fa02a129742536dd4939f8fc1a3c5815377d17d7c35d197a6b0eac423d44606b8d690ec49ac3dc5992763dc449b414331
- Filesize: 169KB
  MD5: c9fd2ae104aacc62a6d543db3bdf70b2
  SHA1: 4111132302640eaed75782acbe3541c73df03c3a
  SHA256: 66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df
  SHA512: 706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa