Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2023, 10:40 UTC

General

  • Target

    SHIPPING DOCUMENTS#202993.exe

  • Size

    683KB

  • MD5

    6adb7b71640a2f11f8144693e2b15d41

  • SHA1

    38c3551a6b02c88e793f37b29a522071100bced6

  • SHA256

    b5cd63c5fec95f16d9c11ca726e0bad76d52eb122a6458b3940d5dd94d3a7dfb

  • SHA512

    d5a6bca0366b1aed4c03f70defc319e70932c18d9ca89183f08479aa8d306532a50f3e06a08fe4182ae0e86e2980b5971940dca75a5a397f48da5e26d4664c30

  • SSDEEP

    12288:C4ueH5qfhisCn/zzGAfjmT0HHy5Jvjgbsfc1DhpYChjAVejJI:PqZxwG4jmT0H6Vjgbcc1Dhpbac

Malware Config

Extracted from the sample's AgentTesla configuration. Note that no connection to the SMTP host below appears in the Network section of this run, and the RegSvcs.exe child crashed (see Processes), so these credentials come from configuration extraction, not from observed exfiltration traffic.

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.amtechcards.com
  • Port:
    587
  • Username:
    obo1@amtechcards.com
  • Password:
    puuAt8;(Y$NU
  • Email To:
    obo@amtechcards.com

Signatures

  • AgentTesla

    Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic .NET; it harvests credentials from browsers and mail/FTP clients and exfiltrates them over SMTP, FTP or HTTP (this sample's config uses SMTP, see Malware Config).

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service (here api.ipify.org, resolved and fetched by RegSvcs.exe, see Network) to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs

    Attributed to the dropper (PID 4012). Together with its WriteProcessMemory calls and the RegSvcs.exe child it launches with no command-line arguments, this is the process-hollowing pattern: a legitimate .NET host is started, its memory is overwritten, and its thread context is redirected to the payload.

  • Program crash 1 IoCs

    WerFault.exe was invoked for PID 3488 (the RegSvcs.exe child), so the injected payload faulted during the run.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS#202993.exe (PID 4012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS#202993.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3488, child of 4012)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (no arguments; the legitimate tool takes an assembly path)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\WerFault.exe (PID 3068, child of 3488)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 2008
        • Program crash
  • C:\Windows\SysWOW64\WerFault.exe (PID 4684)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3488 -ip 3488
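The tree above is what a detection engineer keys on: a dropper running from %TEMP% spawns RegSvcs.exe with an empty argument list (the real tool is always given an assembly to register), and WerFault.exe is then invoked for that child. The following is an added example, not tria.ge's code or output; the process events are constructed to mirror this report's tree, the parent PIDs and the benign developer case are made up, and the .NET host names other than RegSvcs.exe are an assumption added to generalize.

```python
"""Flag argument-less .NET host processes (the RegSvcs.exe hollowing pattern)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# .NET framework utilities commonly chosen as hollowing hosts. Only RegSvcs.exe
# appears in this report; the others are an assumption added to generalize.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Where a phished "shipping document" lands, as opposed to a build tree.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)

# Constructed events mirroring the report's process tree (PPIDs 2900/5000 are made up).
SAMPLE_EVENTS = [
    ProcEvent(4012, 2900,
              r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS#202993.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS#202993.exe"'),
    ProcEvent(3488, 4012,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(3068, 3488,
              r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 2008"),
    # Constructed benign case: a developer registering a COM-visible assembly.
    ProcEvent(5100, 5000,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\build\MyLib.dll'),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def command_args(cmdline):
    """Everything after the (possibly quoted) image path, or "" if none."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def find_hollowing(events):
    """Return (pid, image, reasons) for .NET host processes that look hollowed."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if image_name(e.image) not in DOTNET_HOSTS:
            continue
        reasons = []
        if command_args(e.cmdline) == "":
            reasons.append("launched with no arguments (legitimate use passes an assembly path)")
        parent = by_pid.get(e.ppid)
        if parent and USER_WRITABLE.search(parent.image):
            reasons.append(f"parent {image_name(parent.image)} runs from a user-writable path")
        if reasons:
            alerts.append((e.pid, image_name(e.image), reasons))
    return alerts


def crashed_hosts(events, alerts):
    """Flagged PIDs that WerFault.exe was later invoked for (-p <pid>): a
    hollowed payload that faulted before doing anything, as in this run."""
    flagged = {pid for pid, _, _ in alerts}
    crashed = set()
    for e in events:
        if image_name(e.image) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", e.cmdline)
            if m and int(m.group(1)) in flagged:
                crashed.add(int(m.group(1)))
    return crashed


if __name__ == "__main__":
    hits = find_hollowing(SAMPLE_EVENTS)
    for pid, image, reasons in hits:
        print(f"PID {pid} {image}: " + "; ".join(reasons))
    print("crashed after injection:", crashed_hosts(SAMPLE_EVENTS, hits))
```

The two reasons are scored independently so that a RegSvcs.exe started without arguments from a build tool still fires (weaker), while the combination seen here, empty arguments plus a parent in AppData, is the high-confidence case; the WerFault correlation is what tells you the payload never got as far as its SMTP exfiltration.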

    Network

    • US
      DNS
      6.181.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      6.181.190.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • US
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 347587
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B6D42A540381443CA59D235749109CB7 Ref B: LON04EDGE1109 Ref C: 2023-12-07T10:40:12Z
      date: Thu, 07 Dec 2023 10:40:12 GMT
    • US
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 324642
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9F309569D36E4D3AB06C2868F2F4D391 Ref B: LON04EDGE1109 Ref C: 2023-12-07T10:40:12Z
      date: Thu, 07 Dec 2023 10:40:12 GMT
    • US
      DNS
      180.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      180.178.17.96.in-addr.arpa
      IN PTR
      Response
      180.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-180.deploy.static.akamaitechnologies.com
    • US
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • US
      DNS
      api.ipify.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN CNAME
      api4.ipify.org
      api4.ipify.org
      IN A
      104.237.62.212
      api4.ipify.org
      IN A
      64.185.227.156
      api4.ipify.org
      IN A
      173.231.16.77
    • US
      GET
      https://api.ipify.org/
      RegSvcs.exe
      Remote address:
      104.237.62.212:443
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.25.2
      Date: Thu, 07 Dec 2023 10:40:30 GMT
      Content-Type: text/plain
      Content-Length: 12
      Connection: keep-alive
      Vary: Origin
    • US
      DNS
      212.62.237.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.62.237.104.in-addr.arpa
      IN PTR
      Response
      212.62.237.104.in-addr.arpa
      IN PTR
      api.ipify.org
    • US
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217.deploy.static.akamaitechnologies.com
    • US
      DNS
      194.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      194.178.17.96.in-addr.arpa
      IN PTR
      Response
      194.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-194.deploy.static.akamaitechnologies.com
    • US
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      173.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      173.178.17.96.in-addr.arpa
      IN PTR
      Response
      173.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-173.deploy.static.akamaitechnologies.com
    • US
      DNS
      72.239.69.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.239.69.13.in-addr.arpa
      IN PTR
      Response
    Connection summary (byte and packet counts are sent / received). The tse1.mm.bing.net traffic is not attributed to any sample process and carries an Edge browser user agent, so treat it as sandbox OS background rather than sample activity; the only traffic tied to the sample is RegSvcs.exe reaching api.ipify.org.

    • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  1.2kB / 8.4kB, 17 / 15 packets
    • 204.79.197.200:443  https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&w=1920&h=1080&c=4  tls, http2  24.5kB / 703.6kB, 516 / 514 packets
      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&w=1080&h=1920&c=4 -> 200
      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&w=1920&h=1080&c=4 -> 200
    • 104.237.62.212:443  https://api.ipify.org/  tls, http  RegSvcs.exe  900 B / 6.9kB, 10 / 10 packets
      GET https://api.ipify.org/ -> 200
    • 8.8.8.8:53  6.181.190.20.in-addr.arpa  dns  71 B / 157 B, 1 / 1 packets  (PTR, no answer recorded)
    • 8.8.8.8:53  tse1.mm.bing.net  dns  62 B / 173 B, 1 / 1 packets  (A -> 204.79.197.200, 13.107.21.200)
    • 8.8.8.8:53  180.178.17.96.in-addr.arpa  dns  72 B / 137 B, 1 / 1 packets  (PTR)
    • 8.8.8.8:53  26.35.223.20.in-addr.arpa  dns  71 B / 157 B, 1 / 1 packets  (PTR, no answer recorded)
    • 8.8.8.8:53  200.197.79.204.in-addr.arpa  dns  73 B / 106 B, 1 / 1 packets  (PTR)
    • 8.8.8.8:53  api.ipify.org  dns  RegSvcs.exe  59 B / 126 B, 1 / 1 packets  (A -> 104.237.62.212, 64.185.227.156, 173.231.16.77)
    • 8.8.8.8:53  212.62.237.104.in-addr.arpa  dns  73 B / 100 B, 1 / 1 packets  (PTR)
    • 8.8.8.8:53  183.59.114.20.in-addr.arpa  dns  72 B / 158 B, 1 / 1 packets  (PTR, no answer recorded)
    • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  71 B / 157 B, 1 / 1 packets  (PTR, no answer recorded)
    • 8.8.8.8:53  217.135.221.88.in-addr.arpa  dns  73 B / 139 B, 1 / 1 packets  (PTR)
    • 8.8.8.8:53  194.178.17.96.in-addr.arpa  dns  72 B / 137 B, 1 / 1 packets  (PTR)
    • 8.8.8.8:53  31.243.111.52.in-addr.arpa  dns  72 B / 158 B, 1 / 1 packets  (PTR, no answer recorded)
    • 8.8.8.8:53  173.178.17.96.in-addr.arpa  dns  72 B / 137 B, 1 / 1 packets  (PTR)
    • 8.8.8.8:53  72.239.69.13.in-addr.arpa  dns  71 B / 145 B, 1 / 1 packets  (PTR, no answer recorded)
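Read as a detection engineer would, the network data and the extracted config together give two things: the only sample-attributed traffic is RegSvcs.exe resolving and fetching api.ipify.org, and the config names an SMTP host on port 587 that was never contacted in this run. The following is an added example, not tria.ge's code or output. It turns the extracted config into a watchlist and runs simple rules over events constructed from this report; the IP-echo services other than api.ipify.org and the .NET host names other than RegSvcs.exe are assumptions, and the SMTP connection in the sample events is hypothetical (it did not occur in the run) and is included only to show what the config-match rule would fire on.

```python
"""Watchlist from the extracted AgentTesla config plus rules over network events."""
from dataclasses import dataclass
from typing import Optional

# Values from the Malware Config section of the report (password omitted).
AGENTTESLA_CONFIG = {
    "protocol": "smtp",
    "host": "mail.amtechcards.com",
    "port": 587,
    "username": "obo1@amtechcards.com",
    "email_to": "obo@amtechcards.com",
}

# api.ipify.org is the service seen in this run; the rest is an assumed list
# of similar public IP-echo services, not taken from the report.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "api4.ipify.org", "checkip.dyndns.org",
    "icanhazip.com", "ip-api.com", "ipinfo.io",
}

# .NET utilities with no reason to echo the external IP or speak SMTP.
# RegSvcs.exe is from the report; the others are an assumption.
SUSPECT_IMAGES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class NetEvent:
    kind: str               # "dns" or "conn"
    process: Optional[str]  # None when the sandbox tied it to no sample process
    host: str
    dst: str
    port: int


# Constructed from the Network section above, plus one hypothetical event.
SAMPLE_EVENTS = [
    NetEvent("dns", None, "tse1.mm.bing.net", "8.8.8.8", 53),
    NetEvent("conn", None, "tse1.mm.bing.net", "204.79.197.200", 443),
    NetEvent("dns", "RegSvcs.exe", "api.ipify.org", "8.8.8.8", 53),
    NetEvent("conn", "RegSvcs.exe", "api.ipify.org", "104.237.62.212", 443),
    # Hypothetical: what exfiltration would look like had the payload not crashed.
    # 203.0.113.10 is a documentation address; the run recorded no such connection.
    NetEvent("conn", "RegSvcs.exe", "mail.amtechcards.com", "203.0.113.10", 587),
]


def watchlist(cfg):
    """Blockable / searchable indicators derived from the extracted config."""
    return {
        "network": {f"{cfg['host']}:{cfg['port']}"},
        "accounts": {cfg["username"], cfg["email_to"]},
    }


def detect(events, cfg):
    """Return (severity, reason) alerts in event order."""
    alerts = []
    for e in events:
        proc = (e.process or "").lower()
        if e.host == cfg["host"]:
            alerts.append(("critical",
                           f"{e.process or 'unattributed'} {e.kind} to {e.host}:{e.port} "
                           f"matches the extracted exfiltration host"))
        elif e.kind == "conn" and e.port in SMTP_PORTS and proc in SUSPECT_IMAGES:
            alerts.append(("high", f"{e.process} speaks SMTP to {e.host}:{e.port}"))
        elif e.host in IP_LOOKUP_HOSTS and proc in SUSPECT_IMAGES:
            alerts.append(("high", f"{e.process} {e.kind} to IP-echo service {e.host}"))
    return alerts


def unattributed_hosts(events):
    """Hosts the sandbox could not tie to a sample process (OS background noise)."""
    return {e.host for e in events if e.process is None}


if __name__ == "__main__":
    for sev, why in detect(SAMPLE_EVENTS, AGENTTESLA_CONFIG):
        print(f"[{sev}] {why}")
    print("unattributed:", sorted(unattributed_hosts(SAMPLE_EVENTS)))
    print("watchlist:", watchlist(AGENTTESLA_CONFIG))
```

The IP-echo rule fires on the DNS query as well as the TLS connection, so it still catches the lookup when the HTTPS body is opaque to the sensor; the config-match rule is the one worth pushing to the mail gateway and egress firewall, since AgentTesla's SMTP exfiltration goes to a legitimate provider's mail host rather than attacker infrastructure, and only the extracted host and account pair distinguish it from ordinary mail traffic.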

    MITRE ATT&CK Matrix

    Downloads

    Memory dumps, grouped by process. For payload extraction start with the PID 3488 (RegSvcs.exe) dumps; the 7.7MB region at 0x75370000 appears in both processes at the same address and size, so it is a shared mapping rather than sample-specific code.

    PID 3488 (RegSvcs.exe)
    • memory/3488-11-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
    • memory/3488-14-0x0000000075370000-0x0000000075B20000-memory.dmp  7.7MB
    • memory/3488-15-0x0000000005280000-0x0000000005290000-memory.dmp  64KB
    • memory/3488-16-0x0000000005300000-0x0000000005366000-memory.dmp  408KB
    • memory/3488-17-0x0000000075370000-0x0000000075B20000-memory.dmp  7.7MB

    PID 4012 (SHIPPING DOCUMENTS#202993.exe)
    • memory/4012-0-0x0000000000FD0000-0x0000000001082000-memory.dmp  712KB
    • memory/4012-1-0x0000000075370000-0x0000000075B20000-memory.dmp  7.7MB
    • memory/4012-2-0x0000000006010000-0x00000000065B4000-memory.dmp  5.6MB
    • memory/4012-3-0x0000000005B00000-0x0000000005B92000-memory.dmp  584KB
    • memory/4012-4-0x0000000005D10000-0x0000000005D20000-memory.dmp  64KB
    • memory/4012-5-0x0000000005AA0000-0x0000000005AAA000-memory.dmp  40KB
    • memory/4012-6-0x0000000005DB0000-0x0000000005DCA000-memory.dmp  104KB
    • memory/4012-7-0x0000000006CC0000-0x0000000006CC8000-memory.dmp  32KB
    • memory/4012-8-0x0000000006CE0000-0x0000000006CEA000-memory.dmp  40KB
    • memory/4012-9-0x0000000007330000-0x00000000073AA000-memory.dmp  488KB
    • memory/4012-10-0x00000000098F0000-0x000000000998C000-memory.dmp  624KB
    • memory/4012-13-0x0000000075370000-0x0000000075B20000-memory.dmp  7.7MB
