Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
132s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
18/01/2024, 05:47
General
-
Target
8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
-
Size
302KB
-
MD5
250841072f7bb27d6a75cd026249bb87
-
SHA1
190342d9c712d9af9a3dce9eb3f2ff32bf100e23
-
SHA256
8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b
-
SHA512
27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0
-
SSDEEP
6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail1.netim.hosting - Port:
587 - Username:
[email protected] - Password:
Emotion22 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5c3b2ce7e71e5d8db2abbb02016e02bb0
SHA162b8b855673ca951d49cab755ae609d82e171a85
SHA2566fe7944a9b3f084e10fa7381ef3f6fe311300a9ec424aee14e797507e1ae9773
SHA512c4f5ff0b13c3eeb1f45bed757fafe0f5a5e2da901f99854b58a8f622992b0a8383784057ea1b096c7222a3c65d9baa24776f1333e59b244c687ad134e5dbb105
-
Filesize
128KB
MD5218ca5bcb6112e0c430c9351771865b6
SHA130c2f1500945b41a0b758002c22268b740e365fe
SHA256d0f5c87eddd850a4addbff9818e90c0ab4f25d9577ef3df9a40215961013379d
SHA5122d0e4b6ea868cbad4e1efe629d7742ea67408963a68ed58b8962b473f3072f31388cac202e01a0e7fa74fe78fe8728f8e51fcf65df3f0dfde92f7217cdd2835a
-
Filesize
61KB
MD5adf6b4115caf260b8f57c1fd9bb618ec
SHA15ed800417118abeb366163bcda0608b0d0109a66
SHA2566ebe7e25c68f5e44b3e542b47ca7d0faab3fa7c7f1b71e17f5fdaeb7f4a7b003
SHA512706d851d922f53e83783f7f5ed65b24e8322c64db3f6e03f19e5aa6bce3ea504a5f221cfa8d6700e374b5cc5c94415c9f0bd3386dd872974738c9788400f43dc
-
Filesize
128KB
MD522bad8b1eb502559fa6021aa10eb9520
SHA15d4d8f11452455169df3dc877062ee50af53f830
SHA256bf2dfeb359173bd5150459092313adef3aa96e7e15d6f50f783b8d7974abd7da
SHA512483306087c1d22ac7460e6879bcc9737d013341e1fbc9c316e399ae55694c6ba5bcac6ca1a63efcac3a75f358490092d7de2633bf687d689181dc168d9ce3d1a
-
Filesize
345KB
MD5777cd114cc1ad3665e4d1d9146b9eda9
SHA10e6ea4e26ac38837f6a02ef1ad145e38924551ed
SHA256196a326301bebc45154960c2430a6af600f0ec892666e1fa3b53cd63a5d73f61
SHA512017683adf8b815ec4cb49c6b83cb2594b4002ed9dfad4ea6dccc27f17d6e489d896e94111bb43142dc146c33bec51ca3e4c2945c0b9715c5fc844db3bc6294ce
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
368KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
6.9MB
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
44KB