Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2024, 01:29
Static task: static1
Behavioral task: behavioral1
  Sample: PO 20078990017432988476.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: PO 20078990017432988476.exe
  Resource: win10v2004-20240221-en
General
Target: PO 20078990017432988476.exe
Size: 722KB
MD5: 31bd10b45a914ae0a1970a09841ca2d9
SHA1: 179a360096552c8940107052bb5d1aa216f36f72
SHA256: 698fe043efc551bc9c522c8fbc38de3faeefa94a5ce5592863bacbda611f04e0
SHA512: db8cad54866691607c9f47432aaaf6aa97faa1894a7b5bca623c7991c8a021971766302d731df3a090768e96a946a336805af3a5102f16e4237e48a38d650207
SSDEEP: 12288:flW3YDmzBh35cqFnG0/D0HPddOBQEYrDTm60aa3C7X/SpIkR:KBvZb0HlsBQXPi60N3C7i
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.flecon.com.sg
Port: 587
Username: [email protected]
Password: 8CJN6A87XUIU
Email To: [email protected]
The SMTP submission credentials are hard-coded in the sample, so the mailbox on mail.flecon.com.sg is itself an indicator: the account is either attacker-controlled or compromised, and the host, port and sender/recipient pair belong on a block list alongside the file hashes.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; the extracted SMTP configuration is its exfiltration channel.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1544 set thread context of 2424 | pid: 1544 | Process: PO 20078990017432988476.exe | procid_target: 35
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2540: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1544 PO 20078990017432988476.exe (x4); pid 2424 PO 20078990017432988476.exe (x2); pid 2632 powershell.exe; pid 2648 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege for pid 1544 PO 20078990017432988476.exe; pid 2424 PO 20078990017432988476.exe; pid 2632 powershell.exe; pid 2648 powershell.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target | count
  PID 1544 wrote to memory of 2632 | 1544 | PO 20078990017432988476.exe | 28 | 4
  PID 1544 wrote to memory of 2648 | 1544 | PO 20078990017432988476.exe | 30 | 4
  PID 1544 wrote to memory of 2540 | 1544 | PO 20078990017432988476.exe | 33 | 4
  PID 1544 wrote to memory of 2404 | 1544 | PO 20078990017432988476.exe | 34 | 4
  PID 1544 wrote to memory of 2424 | 1544 | PO 20078990017432988476.exe | 35 | 9
  Every child gets the same four writes from the parent, which is what the parent's own process start-up produces; 2424 alone gets nine writes plus the SetThreadContext call, which is the signature of process hollowing and marks 2424 as the process actually running the unpacked payload.
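The WriteProcessMemory and SetThreadContext tables above are the raw material for picking out the hollowed process. The Python below is an added example, not part of the Triage report: it rebuilds the two tables from a condensed copy of their rows (row text and repeat counts taken from the tables above, constructed here as inline data) and reports the target that both received a thread-context change from its writer and received more writes than the writer's other children.

```python
"""Find the process-hollowing target in Triage's WriteProcessMemory /
SetThreadContext signature tables. Added example; input is a condensed
copy of the report's rows so it runs offline."""
import re
from collections import Counter
from statistics import median

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Constructed from the report's tables: (row description, times the row repeats).
WRITE_ROWS = [
    ("PID 1544 wrote to memory of 2632", 4),
    ("PID 1544 wrote to memory of 2648", 4),
    ("PID 1544 wrote to memory of 2540", 4),
    ("PID 1544 wrote to memory of 2404", 4),
    ("PID 1544 wrote to memory of 2424", 9),
]
CTX_ROWS = [("PID 1544 set thread context of 2424", 1)]


def expand(rows):
    """Flatten (row, count) pairs back into the one-line-per-event text Triage shows."""
    return "\n".join(text for text, n in rows for _ in range(n))


def write_counts(text):
    """Count cross-process writes per (writer, target) pair."""
    return Counter((int(a), int(b)) for a, b in WRITE_RE.findall(text))


def hollowing_targets(write_text, ctx_text):
    """A target that gets SetThreadContext from its writer and more writes than
    the writer's other children (the start-up baseline) is the hollowed process."""
    writes = write_counts(write_text)
    ctx = {(int(a), int(b)) for a, b in CTX_RE.findall(ctx_text)}
    out = []
    for (writer, target), n in writes.items():
        siblings = [c for (w, t), c in writes.items() if w == writer and t != target]
        baseline = median(siblings) if siblings else 0
        if (writer, target) in ctx and n > baseline:
            out.append({"writer": writer, "target": target,
                        "writes": n, "baseline": baseline})
    return sorted(out, key=lambda d: (-d["writes"], d["target"]))


if __name__ == "__main__":
    for hit in hollowing_targets(expand(WRITE_ROWS), expand(CTX_ROWS)):
        print(f"writer {hit['writer']} hollowed {hit['target']}: "
              f"{hit['writes']} writes vs baseline {hit['baseline']}")
```

The baseline is the median write count across the writer's other children, so a single extra write to a normal child does not trip the check; the SetThreadContext requirement keeps a chatty but benign parent (a debugger, an installer) from being flagged on write volume alone.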
Processes
- C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe (PID 1544, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2632, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2648, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IqTgicbK.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2540, level 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IqTgicbK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe (PID 2404, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe"
    (no signatures)
  - C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe (PID 2424, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the command lines name System32 binaries but the images that ran are under SysWOW64; that is WOW64 file-system redirection for a 32-bit parent, not tampering. The first two children add Defender exclusions, one for the sample itself and one for C:\Users\Admin\AppData\Roaming\IqTgicbK.exe, the same name the scheduled task "Updates\IqTgicbK" carries, so that path is the persistence copy even though it is not in the dropped-file list; the task definition is imported from a temporary XML file, so the trigger and action are only recoverable from the task store on the host. The parent then launches its own image twice: the first child (2404) triggers nothing, the second (2424) receives the SetThreadContext call and most of the WriteProcessMemory writes, the shape of process hollowing, so 2424 rather than 1544 is the process to treat as the running payload when reading the rest of the report.
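The chain in this tree (Defender exclusion from the command line, a scheduled task imported from a Temp path, a parent relaunching its own image from a user-writable directory) is what a process-creation detection should key on. The Python below is an added example and not part of the Triage report: it runs three such rules over a constructed Sysmon-Event-ID-1-style sample built from the PIDs, images and command lines shown above (the parent PID of 1544 and the explorer/notepad control rows are assumptions) and then correlates hits by parent PID, since one parent tripping several distinct rules is the pattern here.

```python
"""Process-creation rules for the execution chain in this report.
Added example; the event list is a constructed Sysmon-style sample built
from the report's process tree (assumed parent of 1544 and benign control rows)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path of the new process
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PO 20078990017432988476.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS_IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"

EVENTS = [
    # assumed control rows: explorer launching notepad must produce no finding
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3000, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # rows from the report (ppid 1200 for the sample is assumed)
    ProcEvent(1544, 1200, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2632, 1544, PS_IMAGE, rf'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(2648, 1544, PS_IMAGE,
              rf'{PS_CMD} Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IqTgicbK.exe"'),
    ProcEvent(2540, 1544, SCHTASKS_IMAGE,
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IqTgicbK" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp"'),
    ProcEvent(2404, 1544, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2424, 1544, SAMPLE, f'"{SAMPLE}"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
EXCLUSION_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', re.I)
TASK_XML_RE = re.compile(r'/xml\s+"?([^"]+)"?', re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"]+)"?', re.I)


def rule_defender_exclusion(ev):
    """Defender exclusion added from a PowerShell command line (T1562.001)."""
    if not ev.image.lower().endswith("powershell.exe"):
        return None
    m = EXCLUSION_RE.search(ev.cmdline)
    if not m:
        return None
    return {"rule": "defender_exclusion_added", "pid": ev.pid, "ppid": ev.ppid,
            "detail": m.group(1).strip()}


def rule_schtasks_from_temp(ev):
    """schtasks /Create importing its task definition from a Temp path (T1053.005)."""
    if not ev.image.lower().endswith("schtasks.exe") or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    xml = TASK_XML_RE.search(ev.cmdline)
    if not xml or not re.search(r"\\AppData\\Local\\Temp\\", xml.group(1), re.I):
        return None
    name = TASK_NAME_RE.search(ev.cmdline)
    return {"rule": "schtasks_xml_from_temp", "pid": ev.pid, "ppid": ev.ppid,
            "detail": f"{name.group(1) if name else '?'} <- {xml.group(1)}"}


def rule_self_spawn(ev, by_pid):
    """Parent relaunching its own image from a user-writable path: the shape of
    the hollowing in this report (SetThreadContext / WriteProcessMemory into 2424)."""
    parent = by_pid.get(ev.ppid)
    if parent is None or parent.image.lower() != ev.image.lower():
        return None
    if not USER_WRITABLE.search(ev.image):
        return None
    return {"rule": "self_spawn_from_user_writable_path", "pid": ev.pid, "ppid": ev.ppid,
            "detail": ev.image}


def evaluate(events):
    """Run every rule over every event; findings come back in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for hit in (rule_defender_exclusion(ev), rule_schtasks_from_temp(ev),
                    rule_self_spawn(ev, by_pid)):
            if hit:
                findings.append(hit)
    return findings


def correlate(findings, min_rules=2):
    """Parents whose children tripped at least min_rules distinct rules."""
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(f["ppid"], set()).add(f["rule"])
    return {ppid: sorted(r) for ppid, r in rules_by_parent.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for f in hits:
        print(f"{f['rule']:<36} pid={f['pid']:<5} ppid={f['ppid']:<5} {f['detail']}")
    print("chains:", correlate(hits))
```

The rules match on the logged image path rather than the command-line binary name, so the SysWOW64 redirection seen in this tree does not matter to them; the self-spawn rule is deliberately narrow (same image, user-writable location) because signed updaters and browsers also spawn copies of themselves from Program Files, and widening it to any self-spawn would drown the signal.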
Network
MITRE ATT&CK Enterprise v15
Downloads
- (file path missing from this copy of the report)
  Filesize: 1KB
  MD5: fe9e4efc8346ee7b9619b658d54e6ea2
  SHA1: f06b2bc9800d162046e240692a40408c3209175d
  SHA256: 5e20f8176767c7baac24a0870d87922a6c7fe377d6530e617ff3c86e8a021e1b
  SHA512: 9abc94dc4a899d4f0432b53acb9fca8806bf11f18e1e8f63f3bf9b4204c4efe0d81eeab53db46fc9f2119d1bbd30c46852eb9f06de037b0b35d6a85ef1f46b76
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a297b8d0b448d77e692107da2cedc484
  SHA1: b59489ccfec8e4a74a9913473c8a829ac66bafde
  SHA256: b75bdb4a0afda410f26f6d0c71601b782031ecd633748377b01248dabb75aca0
  SHA512: 75882fe51388d4a2a9006553774cfa9bac72892eb85ee55dfbe3ef2693f1f358c35c3a85f4b897fad97954692b9e2bd57e8e2ad3145321c8e4b5ebb4f9d07c5c
  This is a jump-list file under the user's Recent folder (the AppID d93f411851d7c929 is commonly attributed to powershell.exe), an execution artifact of the PowerShell children rather than a dropped payload; the persistence copy C:\Users\Admin\AppData\Roaming\IqTgicbK.exe named in the exclusion and task commands is not in this list, so its hash has to be collected from the host.