Analysis

  • max time kernel
    132s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2024, 05:47

General

  • Target

    8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls

  • Size

    302KB

  • MD5

    250841072f7bb27d6a75cd026249bb87

  • SHA1

    190342d9c712d9af9a3dce9eb3f2ff32bf100e23

  • SHA256

    8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b

  • SHA512

    27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0

  • SSDEEP

    6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2632
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:328
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Users\Admin\AppData\Roaming\conhost.exe
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize
    128KB
    MD5
    c3b2ce7e71e5d8db2abbb02016e02bb0
    SHA1
    62b8b855673ca951d49cab755ae609d82e171a85
    SHA256
    6fe7944a9b3f084e10fa7381ef3f6fe311300a9ec424aee14e797507e1ae9773
    SHA512
    c4f5ff0b13c3eeb1f45bed757fafe0f5a5e2da901f99854b58a8f622992b0a8383784057ea1b096c7222a3c65d9baa24776f1333e59b244c687ad134e5dbb105
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A357079B-E256-48F9-851D-BF1350A23709}.FSD
    Filesize
    128KB
    MD5
    218ca5bcb6112e0c430c9351771865b6
    SHA1
    30c2f1500945b41a0b758002c22268b740e365fe
    SHA256
    d0f5c87eddd850a4addbff9818e90c0ab4f25d9577ef3df9a40215961013379d
    SHA512
    2d0e4b6ea868cbad4e1efe629d7742ea67408963a68ed58b8962b473f3072f31388cac202e01a0e7fa74fe78fe8728f8e51fcf65df3f0dfde92f7217cdd2835a
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1YVWL6AI\microbiolagicalthingshappeneingaroundtheworldforentireprocesstostartfromthefirsttonowforev[1].doc
    Filesize
    61KB
    MD5
    adf6b4115caf260b8f57c1fd9bb618ec
    SHA1
    5ed800417118abeb366163bcda0608b0d0109a66
    SHA256
    6ebe7e25c68f5e44b3e542b47ca7d0faab3fa7c7f1b71e17f5fdaeb7f4a7b003
    SHA512
    706d851d922f53e83783f7f5ed65b24e8322c64db3f6e03f19e5aa6bce3ea504a5f221cfa8d6700e374b5cc5c94415c9f0bd3386dd872974738c9788400f43dc
  • C:\Users\Admin\AppData\Local\Temp\{E2818E8F-60DC-41A2-8B45-1776529E60D4}
    Filesize
    128KB
    MD5
    22bad8b1eb502559fa6021aa10eb9520
    SHA1
    5d4d8f11452455169df3dc877062ee50af53f830
    SHA256
    bf2dfeb359173bd5150459092313adef3aa96e7e15d6f50f783b8d7974abd7da
    SHA512
    483306087c1d22ac7460e6879bcc9737d013341e1fbc9c316e399ae55694c6ba5bcac6ca1a63efcac3a75f358490092d7de2633bf687d689181dc168d9ce3d1a
  • C:\Users\Admin\AppData\Roaming\conhost.exe
    Filesize
    345KB
    MD5
    777cd114cc1ad3665e4d1d9146b9eda9
    SHA1
    0e6ea4e26ac38837f6a02ef1ad145e38924551ed
    SHA256
    196a326301bebc45154960c2430a6af600f0ec892666e1fa3b53cd63a5d73f61
    SHA512
    017683adf8b815ec4cb49c6b83cb2594b4002ed9dfad4ea6dccc27f17d6e489d896e94111bb43142dc146c33bec51ca3e4c2945c0b9715c5fc844db3bc6294ce
  • memory/1552-101-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize
    4KB
  • memory/1552-119-0x000000006AD20000-0x000000006B40E000-memory.dmp
    Filesize
    6.9MB
  • memory/1552-100-0x00000000043D0000-0x0000000004410000-memory.dmp
    Filesize
    256KB
  • memory/1552-98-0x000000006AD20000-0x000000006B40E000-memory.dmp
    Filesize
    6.9MB
  • memory/1552-92-0x0000000000930000-0x000000000098C000-memory.dmp
    Filesize
    368KB
  • memory/2468-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2468-115-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2468-125-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize
    256KB
  • memory/2468-124-0x000000006AD20000-0x000000006B40E000-memory.dmp
    Filesize
    6.9MB
  • memory/2468-120-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize
    256KB
  • memory/2468-104-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2468-102-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2468-106-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2468-112-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2468-108-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2468-118-0x000000006AD20000-0x000000006B40E000-memory.dmp
    Filesize
    6.9MB
  • memory/2468-117-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/2632-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2632-9-0x0000000002340000-0x0000000002342000-memory.dmp
    Filesize
    8KB
  • memory/2632-1-0x000000007295D000-0x0000000072968000-memory.dmp
    Filesize
    44KB
  • memory/2632-122-0x000000007295D000-0x0000000072968000-memory.dmp
    Filesize
    44KB
  • memory/2748-4-0x000000002FB21000-0x000000002FB22000-memory.dmp
    Filesize
    4KB
  • memory/2748-123-0x000000007295D000-0x0000000072968000-memory.dmp
    Filesize
    44KB
  • memory/2748-8-0x0000000002E40000-0x0000000002E42000-memory.dmp
    Filesize
    8KB
  • memory/2748-6-0x000000007295D000-0x0000000072968000-memory.dmp
    Filesize
    44KB