Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

4fe755c27d...sx.xls

windows7-x64

10

4fe755c27d...sx.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    143s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231201-en
  • resource tags

    arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2023, 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls

  • Size

    391KB

  • MD5

    5ea33b2a54dd29dc6d5a3b049dc8a2d1

  • SHA1

    5bc312ad946e5fe8258d6c4669b3fad66ae4fa3b

  • SHA256

    4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406

  • SHA512

    2ca5a6b3792c9a70e8fc025c10a451a2972a9edc2869145d4a0a508fb4c8251c130d2f54fef11acf5c6f94de344782989055301b3c8dcbeaa43b9cd9e24cc32e

  • SSDEEP

    12288:+OeGxSqKjij4a3DjM/In2zyojn1v3UICbk:+OeGxBEezj8In5oD1v12

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    q.15SE~j1@};

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1728
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1572
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        "C:\Users\Admin\AppData\Roaming\wlanext.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
          "C:\Users\Admin\AppData\Roaming\wlanext.exe"
          3⤵
            PID:2196
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
            "C:\Users\Admin\AppData\Roaming\wlanext.exe"
            3⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2868

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{67D3C23A-F1E6-4FDA-BA3C-40A000C9215C}.FSD
        Filesize

        128KB

        MD5

        43935fda99e992c1690c30e119625306

        SHA1

        7e8f530c999e6b89ef0cf8460b094a6a7c5f409e

        SHA256

        8cde0c56fcf5689a5d2efc760c269da8b3a60b1c25d775fd3b5c7c03fe5781c7

        SHA512

        fb8a3833c4229042a1448e9af593630140c41e7c261bdca24ea2c3aa8ab771580ba0fda94a7dc1139aff5f6bd85fa0ef589c50a715659548bd6e78c82f7cd545

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
        Filesize

        128KB

        MD5

        bdb76e0625081d46cb163cf14cfd42bf

        SHA1

        8ec03b40753ebf6830d79b900d9888820e31c5d4

        SHA256

        40997d7c5b7ceb38d7a741933072a038c5fb27ad1135089741c7da2be8438bbf

        SHA512

        42054080d4f400be9996b8385e7fe6b4d2fb584705e90164b5dfef1afeb51503abf1ba955a9907d1c646b9f6915ac522620fa71b4e48c9a6cf4ef92158dd20fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B8E0541E-E8A1-467C-90A2-3FF6E3C172EA}.FSD
        Filesize

        128KB

        MD5

        6e14f90c20f9b2dde9bdf4c86bcb692b

        SHA1

        40fc9340b21b14ba964f5c825a862eea58bcb35c

        SHA256

        2e7320cf4af9b357748db73c1b014eb89e47b6a24603cb28be84ddade2dd8c89

        SHA512

        443a89e91c266ec5582e4e37b188b925c87bab093ebd98d534c00e68fd824d8512eed7e0bfdd6706e7850876ecb616e1ad58415e163f2dc5eeed5188acc217de

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K7OQK7H1\microsoftdecidedtodeleteentirehistorycookiecacheeverthingfrmthepc[1].doc
        Filesize

        60KB

        MD5

        7ecba32d658443197384b69d872d0bfb

        SHA1

        173c9b6d2ca1ab6bc5986d2d6b6fe574966e70e8

        SHA256

        3b73c78e78bd1c6ac43e6f7f4934353bf6c4c23b0b534ddd228d2fcc5b562f6d

        SHA512

        49b7cc43b047f339c345e68904aa8a89e7bbc20fd17a8e7d7d81db9ba116bc905fc1ecc3c4c767fe8c014d04deec491130c4eb840af70e1d4c900fb9f9a9ad5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9DDB1BC.doc
        Filesize

        60KB

        MD5

        7ecba32d658443197384b69d872d0bfb

        SHA1

        173c9b6d2ca1ab6bc5986d2d6b6fe574966e70e8

        SHA256

        3b73c78e78bd1c6ac43e6f7f4934353bf6c4c23b0b534ddd228d2fcc5b562f6d

        SHA512

        49b7cc43b047f339c345e68904aa8a89e7bbc20fd17a8e7d7d81db9ba116bc905fc1ecc3c4c767fe8c014d04deec491130c4eb840af70e1d4c900fb9f9a9ad5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{5718BFC0-6400-4012-973C-DE7EA86094E5}
        Filesize

        128KB

        MD5

        65851e03b779074da85de8d70fe5a01c

        SHA1

        dbff8abe5293b4cc11902a88d61dee19ad40e194

        SHA256

        8bf9e033bf4539a382b5bdeea6366e5750c60488eae667efa3046aa75b15944d

        SHA512

        be08c65e2dd8ca202261890eba8f1b9a1c093a507787ac2c469941c4c153aa75494aed327fdade2950764325c77889d8a345191a76231fa4fdf80e71e07255c2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        743281fc8f0c923cc48287173285798e

        SHA1

        53b4f1609b08db9e88d8896b63948b433f213004

        SHA256

        bb1edb1fbb00f0ebe9ee73614ceca48b2c20f7549986775cb1802f75790933c8

        SHA512

        77bad5e932b30bb90f0bec80d4a48b0fb673e4947ebd2ca8dae1f13bc4e74265d4868f4a50759d5c665c05622957192d5c09a39582c85098f6a1b6f99169b902

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        722KB

        MD5

        55506ae02311eedd9858ec8997238c53

        SHA1

        44d9cb2e85d368d17a2944f467cd28350e19fcaf

        SHA256

        680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023

        SHA512

        bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        722KB

        MD5

        55506ae02311eedd9858ec8997238c53

        SHA1

        44d9cb2e85d368d17a2944f467cd28350e19fcaf

        SHA256

        680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023

        SHA512

        bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        722KB

        MD5

        55506ae02311eedd9858ec8997238c53

        SHA1

        44d9cb2e85d368d17a2944f467cd28350e19fcaf

        SHA256

        680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023

        SHA512

        bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nst1778.tmp\System.dll
        Filesize

        11KB

        MD5

        75ed96254fbf894e42058062b4b4f0d1

        SHA1

        996503f1383b49021eb3427bc28d13b5bbd11977

        SHA256

        a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

        SHA512

        58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

        Download Submit

      • \Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        722KB

        MD5

        55506ae02311eedd9858ec8997238c53

        SHA1

        44d9cb2e85d368d17a2944f467cd28350e19fcaf

        SHA256

        680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023

        SHA512

        bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884

        Download Submit

      • memory/1728-8-0x0000000002340000-0x0000000002342000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1728-114-0x00000000722BD000-0x00000000722C8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1728-162-0x00000000722BD000-0x00000000722C8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1728-1-0x00000000722BD000-0x00000000722C8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1728-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1860-113-0x00000000771B0000-0x0000000077359000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1860-117-0x000000006AB00000-0x000000006AB06000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1860-112-0x00000000038D0000-0x0000000004A1B000-memory.dmp

        Filesize

        17.3MB

        Download

      • memory/1860-118-0x00000000038D0000-0x0000000004A1B000-memory.dmp

        Filesize

        17.3MB

        Download

      • memory/1860-116-0x00000000773A0000-0x0000000077476000-memory.dmp

        Filesize

        856KB

        Download

      • memory/2868-123-0x0000000001300000-0x000000000244B000-memory.dmp

        Filesize

        17.3MB

        Download

      • memory/2868-126-0x0000000031950000-0x0000000031990000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2868-119-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2868-120-0x0000000001300000-0x000000000244B000-memory.dmp

        Filesize

        17.3MB

        Download

      • memory/2868-121-0x00000000771B0000-0x0000000077359000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2868-122-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2868-131-0x0000000031950000-0x0000000031990000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2868-124-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2868-125-0x00000000696E0000-0x0000000069DCE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2868-130-0x00000000696E0000-0x0000000069DCE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2868-127-0x0000000001300000-0x000000000244B000-memory.dmp

        Filesize

        17.3MB

        Download

      • memory/2908-115-0x00000000722BD000-0x00000000722C8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2908-7-0x0000000002E10000-0x0000000002E12000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2908-5-0x00000000722BD000-0x00000000722C8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2908-157-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2908-158-0x00000000722BD000-0x00000000722C8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2908-3-0x000000002F0B1000-0x000000002F0B2000-memory.dmp

        Filesize

        4KB

        Download