Analysis
-
max time kernel
118s
-
max time network
120s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
23/01/2024, 08:14
Static task
static1
Behavioral task
behavioral1
Sample
BANK SLIP AND INVOICE F8200336555.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
BANK SLIP AND INVOICE F8200336555.exe
Resource
win10v2004-20231215-en
General
-
Target
BANK SLIP AND INVOICE F8200336555.exe
-
Size
641KB
-
MD5
6a39ce8481e9d2d1a51bb14cd011e2c5
-
SHA1
5c4325af5c6ed70f561acecba5372ca8a356a5e6
-
SHA256
454c223132175b8b9660b5567e08ccc29bd7c9f101f7104c36efbf6893c90015
-
SHA512
081239d69897cd721bee0973f4e711fe521b9fc5c009981d9da63e3a958dfdb8f61f66b5c1f98fb86a3a14c0843ba519752746d699d216c29167772fedc80388
-
SSDEEP
12288:FcojLBJI38szx0XIZVdl57pF6vhWSoUBhmI2XkRu9TjHPS/0RsBPZmJ:XjruPWIXr1pFohvZ+Cu9C/0KRQ
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.issltd.org
Port: 587
Username: [email protected]
Password: iss123
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access trojan and credential stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail clients and FTP clients and exfiltrates them; this sample does so over SMTP, using the mailbox and password in Malware Config above.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     api.ipify.org
5     api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                procid_target
PID 2476 set thread context of 1132  2476  BANK SLIP AND INVOICE F8200336555.exe  32
The target, PID 1132, is a second instance of the sample started by 2476 (see Processes). A parent that writes into a freshly started copy of itself and then resets that copy's thread context is the process-hollowing pattern, so the unpacked payload runs inside 1132 and is not written to disk as a separate file in this report.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2672  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2476  BANK SLIP AND INVOICE F8200336555.exe
2476  BANK SLIP AND INVOICE F8200336555.exe
2476  BANK SLIP AND INVOICE F8200336555.exe
1132  BANK SLIP AND INVOICE F8200336555.exe
1132  BANK SLIP AND INVOICE F8200336555.exe
2648  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  2476  BANK SLIP AND INVOICE F8200336555.exe
Token: SeDebugPrivilege  1132  BANK SLIP AND INVOICE F8200336555.exe
Token: SeDebugPrivilege  2648  powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description                       pid   Process                                procid_target  occurrences
PID 2476 wrote to memory of 2648  2476  BANK SLIP AND INVOICE F8200336555.exe  28             4
PID 2476 wrote to memory of 2672  2476  BANK SLIP AND INVOICE F8200336555.exe  30             4
PID 2476 wrote to memory of 1132  2476  BANK SLIP AND INVOICE F8200336555.exe  32             9
Compare the counts: four writes into each of the two helper children (2648 powershell.exe, 2672 schtasks.exe) that the parent only starts, versus nine into PID 1132, a second copy of the sample that is also the target of the SetThreadContext call above. That combination, not the writes to the helpers, is the injection into the copy.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe"
  PID: 2476
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aCFhpb.exe"
      PID: 2648
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCFhpb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp897B.tmp"
      PID: 2672
      - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe"
      PID: 1132
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the two helper children's command lines name System32, but the images that actually ran are under SysWOW64, because the parent is a 32-bit process and WoW64 file-system redirection maps its System32 references to SysWOW64; match on both paths when writing detections. The three children are the install stage: powershell.exe adds a Microsoft Defender exclusion for C:\Users\Admin\AppData\Roaming\aCFhpb.exe (the same name as the scheduled task), schtasks.exe registers the task Updates\aCFhpb from an XML definition written to %TEMP%, which is the persistence mechanism, and the second instance of the sample (PID 1132) is the target of the WriteProcessMemory and SetThreadContext calls listed under Signatures, i.e. the copy into which the payload is injected.
-
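The signatures and process tree above translate directly into endpoint detection logic. The following is an added example, not Hatching Triage code and not part of the report: it encodes four of the report's behaviours (a Defender exclusion pointing into a user profile, a scheduled task created from an XML file in %TEMP%, a child with the same image as its parent as the process-creation side of hollowing, and the SysWOW64/System32 mismatch as context) plus two network rules derived from the IoCs and the extracted SMTP config, and runs them over constructed events modelled on this report. The parent PID 1000, the benign control process 4000 with parent 3999, the port numbers of the flows and which PID made them are assumptions; the report does not state them.

```python
"""Behavioural rules in the spirit of the sandbox signatures above, run over
constructed telemetry.  Added example; not Hatching Triage code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path that actually executed (after WoW64 redirection)
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Flow:
    pid: int
    host: str
    port: int


# Constructed events modelled on the report's process tree (not real telemetry).
# PID 4000 is a benign control: an administrator adding an exclusion for a
# Program Files path.  Its parent 3999 and the root parent 1000 are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe"
EVENTS = [
    ProcEvent(2476, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2648, 2476, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aCFhpb.exe"'),
    ProcEvent(2672, 2476, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCFhpb" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp897B.tmp"'),
    ProcEvent(1132, 2476, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4000, 3999, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\app"'),
]
# Constructed flows: the report lists api.ipify.org lookups and an SMTP config
# for mail.issltd.org:587; the originating PID and the ipify port are assumed.
FLOWS = [Flow(1132, "api.ipify.org", 80), Flow(1132, "mail.issltd.org", 587)]

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list


def _arg_after(flag: str, cmdline: str):
    """Value following `flag` on the command line (quoted or bare), or None."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_defender_exclusion(ev: ProcEvent):
    """Add-MpPreference -ExclusionPath pointing into a user-writable profile directory."""
    if "add-mppreference" not in ev.cmdline.lower():
        return None
    path = _arg_after("-ExclusionPath", ev.cmdline)
    return "defender_exclusion_in_user_profile" if path and USER_PROFILE.search(path) else None


def rule_schtasks_from_temp(ev: ProcEvent):
    """schtasks /Create whose /XML task definition lives in %TEMP%."""
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    xml = _arg_after("/XML", ev.cmdline)
    return "schtasks_create_from_temp_xml" if xml and "\\appdata\\local\\temp\\" in xml.lower() else None


def rule_self_spawn(ev: ProcEvent, by_pid):
    """Child with the same image as its parent: the process-creation side of hollowing."""
    parent = by_pid.get(ev.ppid)
    return "self_spawn_same_image" if parent and parent.image.lower() == ev.image.lower() else None


def rule_wow64_redirect(ev: ProcEvent):
    """Command line names System32 but SysWOW64 ran: a 32-bit parent (context, not an alert)."""
    if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower():
        return "wow64_redirect_32bit_parent"
    return None


def process_findings(events):
    """Map pid -> list of rule names that fired, in rule order."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for ev in events:
        hits = [h for h in (rule_defender_exclusion(ev), rule_schtasks_from_temp(ev),
                            rule_self_spawn(ev, by_pid), rule_wow64_redirect(ev)) if h]
        if hits:
            out[ev.pid] = hits
    return out


def network_findings(flows, events):
    """(pid, rule) pairs: external-IP lookup, and SMTP submission from a non-mail-client."""
    by_pid = {e.pid: e for e in events}
    out = []
    for f in flows:
        proc = by_pid.get(f.pid)
        exe = proc.image.lower().rsplit("\\", 1)[-1] if proc else ""
        if f.host.lower() in IP_LOOKUP_HOSTS:
            out.append((f.pid, "external_ip_lookup"))
        if f.port == 587 and exe not in MAIL_CLIENTS:
            out.append((f.pid, "smtp_submission_from_non_mail_client"))
    return out


if __name__ == "__main__":
    for pid, hits in process_findings(EVENTS).items():
        print(pid, hits)
    for pid, hit in network_findings(FLOWS, EVENTS):
        print(pid, hit)
```

On the report's tree this flags 2648 (exclusion into AppData), 2672 (task from %TEMP% XML) and 1132 (self-spawn), leaves the benign control 4000 silent, and tags the SMTP submission and the ipify lookup; the WoW64 tag on the two helpers is there to remind rule authors to match both System32 and SysWOW64 paths.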
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
3b79c6c21b8a78850df10368df71abef
SHA1
cafd782fef7ae698693f1e94739741a3ed1618d5
SHA256
6ae3c78f289af15bae2af66d4015df3bfe986c9ff225e4e9f3df2f309d53bb05
SHA512
9d50851e7181f38aaf5961eb42750178b9cd9286355e16427cc97f778479ed0cd3556099120b5e43d08886efc35cde9c08f21d686acdc3203a2716fd808c95ba