Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 12:32
Static task
- static1
Behavioral task
- behavioral1
  Sample: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
  Resource: win10v2004-20231222-en
General
- Target: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
- Size: 728KB
- MD5: cdf4d3afa2bee0bf7815ea21c357fcbd
- SHA1: 14bd588ba6460c3dc6351b54936f64f7261a7e4c
- SHA256: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a
- SHA512: 490b7c341d91f483aef5f24b82e872d88dd278d49bee19e7051aad9af460193ba3d27e11283784c32b0d970f645fe7e1a11492020ecdf07df41d2e890db95238
- SSDEEP: 12288:PAYAXukOaVQpmyydTlVQnmI5dj39r+ZNJ+CRW74FXHMNya0USBx+R:xLz9iim8jNrlGW7DyaWx+R
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: cp5ua.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (1 IoC)
  pid 2508: explooorrs.exe
- Loads dropped DLL (2 IoCs)
  pid 3056: cmd.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\explooorrs = "C:\\Users\\Admin\\AppData\\Roaming\\explooorrs.exe" by reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2508 (explooorrs.exe) set thread context of PID 1684 (procid_target 39)
- Runs ping.exe (1 TTP, 3 IoCs)
  pid 2976: PING.EXE; pid 580: PING.EXE; pid 2800: PING.EXE
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 2124: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe (5 entries)
  pid 2508: explooorrs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 2124, 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
  Token SeDebugPrivilege: pid 2508, explooorrs.exe
- Suspicious use of WriteProcessMemory (40 IoCs; identical rows collapsed, repeat count in parentheses)
  PID 2124 (27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe) wrote to memory of 2984, procid_target 28 (4)
  PID 2984 (cmd.exe) wrote to memory of 2976, procid_target 30 (4)
  PID 2124 (27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe) wrote to memory of 3056, procid_target 33 (4)
  PID 3056 (cmd.exe) wrote to memory of 580, procid_target 35 (4)
  PID 2984 (cmd.exe) wrote to memory of 556, procid_target 36 (4)
  PID 3056 (cmd.exe) wrote to memory of 2800, procid_target 37 (4)
  PID 3056 (cmd.exe) wrote to memory of 2508, procid_target 38 (4)
  PID 2508 (explooorrs.exe) wrote to memory of 1684, procid_target 39 (12)
Processes
- C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe (PID 2124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2984)
    Command line: "cmd" /c ping 127.0.0.1 -n 27 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explooorrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2976)
      Command line: ping 127.0.0.1 -n 27
      Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\reg.exe (PID 556)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explooorrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
      Signatures: Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe (PID 3056)
    Command line: "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe" "C:\Users\Admin\AppData\Roaming\explooorrs.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 580)
      Command line: ping 127.0.0.1 -n 28
      Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 2800)
      Command line: ping 127.0.0.1 -n 28
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\explooorrs.exe (PID 2508)
      Command line: "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1684)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"