Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

579e14e67d...69.exe

windows7-x64

10

579e14e67d...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2024, 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969.exe

  • Size

    636KB

  • MD5

    9c1dbd904a8ef4ea3b9e780215d4b5cd

  • SHA1

    525e03b33d5b9796c76ae2428448acfea3a66525

  • SHA256

    579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969

  • SHA512

    228edc0b70c250a62411bea9c7238a4d9359fe8982de56e4db08eacdd26041fb9f43138ffed051ff4b67ef03fe5d8fb0bdd49d1e7052382fe4412bfc38d58c07

  • SSDEEP

    12288:MOL+xEd66WXUAoFHDPdzxFdyrxbHsa0X0K85My2FHybNIZFlICgBcPA:fCxcvWXvoFjPdzx+bx/eyiANIj7NPA

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969.exe
    "C:\Users\Admin\AppData\Local\Temp\579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aYqAzNBNdABKH.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aYqAzNBNdABKH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2672
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp
    Filesize

    1KB

    MD5

    a7ecba19926d446c15b330725b16efa4

    SHA1

    3b06d93dceb6e4931c9560e719775bcee3e7209b

    SHA256

    019f7ba3f9f0a0e33ace316e720292062cabbc61f53e5ddba3c20e876b6e8c7b

    SHA512

    a0dbe4ee474f930d75c58ef9877e808fa8747cbc9d8513f1ab3340e6a61c76e9e8a9be698a21565dfbdd007aeec7132331f3c3348a7a74598a2543561d2bf7ea

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    83f7f4f81230d88d3b8b71bb04029a02

    SHA1

    22cdd64f409807a9e443b54c861a67efb91d510f

    SHA256

    959b53b427e7863d3c2cacdce9336db22aea0fe55e330330eaa1f6826dcbe80f

    SHA512

    3a4c2f79d48db3512d79cb8b0544c852d32d9994a959b7c92e29f00d2679cb9a55722c85d78171871397cd8276be9993e1263f0151902542db2678b415febdf4

    Download Submit

  • memory/2584-29-0x0000000002B10000-0x0000000002B50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2584-23-0x000000006E890000-0x000000006EE3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2584-45-0x000000006E890000-0x000000006EE3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2584-32-0x0000000002B10000-0x0000000002B50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2584-19-0x000000006E890000-0x000000006EE3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-44-0x000000006E890000-0x000000006EE3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-34-0x0000000002DC0000-0x0000000002E00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-27-0x0000000002DC0000-0x0000000002E00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-20-0x000000006E890000-0x000000006EE3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-21-0x0000000002DC0000-0x0000000002E00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-25-0x000000006E890000-0x000000006EE3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2816-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2816-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2816-61-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2816-60-0x00000000746D0000-0x0000000074DBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2816-43-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2816-36-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2816-42-0x00000000746D0000-0x0000000074DBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2816-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2816-41-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2816-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2816-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2816-39-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2904-38-0x00000000746D0000-0x0000000074DBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2904-6-0x0000000004E50000-0x0000000004ED2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2904-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2904-0-0x0000000000E10000-0x0000000000EB6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/2904-5-0x00000000002F0000-0x00000000002FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2904-4-0x00000000002E0000-0x00000000002EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2904-3-0x00000000002A0000-0x00000000002B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2904-1-0x00000000746D0000-0x0000000074DBE000-memory.dmp

    Filesize

    6.9MB

    Download