Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

purchase orders.exe

windows7-x64

10

purchase orders.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    4s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2023, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchase orders.exe

  • Size

    407KB

  • MD5

    e9f8fff3341f84d5f76570fd5068b8b5

  • SHA1

    7daebfd9193ff0c4925523d470d71ff12d692f98

  • SHA256

    86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540

  • SHA512

    80fcd35320752592e7e163b5d50df19c01d061596bc411e0de7a666c156f28973b11fc8760c56a64382b22ddaf2c6aa05092ba1aba496970a0afcf7e6ed935ec

  • SSDEEP

    12288:D9WEeYF2adf4qD7Wz+oHvu7oUgLCPj4tF2:D9WEeJhM35UUGAwU

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\purchase orders.exe
    "C:\Users\Admin\AppData\Local\Temp\purchase orders.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
      "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
        "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gdiyqwb.im
    Filesize

    334KB

    MD5

    7e9a72d139878ecf2699b44f890e14b8

    SHA1

    23a55bd2a648fe65dc25356beb5be8c44d718147

    SHA256

    545fed32d85fd13dee67e82dba632a2a8f54f7c9a101ef68136c457f5ad6b4e2

    SHA512

    bc1d5687488fbff994ac89e149c0607fa02a129742536dd4939f8fc1a3c5815377d17d7c35d197a6b0eac423d44606b8d690ec49ac3dc5992763dc449b414331

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • memory/1972-22-0x0000000001F20000-0x0000000001F60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1972-18-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1972-14-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1972-23-0x0000000001F20000-0x0000000001F60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1972-19-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1972-21-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1972-20-0x0000000001F60000-0x0000000001FA2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1972-25-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2984-17-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2984-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download