Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2024, 09:44
Static task: static1
Behavioral task: behavioral1 (sample lee.exe, resource win7-20240220-en)
Behavioral task: behavioral2 (sample lee.exe, resource win10v2004-20240226-en)
General
Target: lee.exe
Size: 648KB
MD5: d5fda8517a450948764da4b1618f831e
SHA1: fe469fa291b9650d44eb331857ba206fb26f18b5
SHA256: f80634354eaa11b9bd3c8cc13f1dbd03b4b3b73de43bc6101ce99b05ffab4660
SHA512: 323a184e5a1f44df66b5acfb833688ab1caf877a8c565acd517b01400a5032530d7026fed2d45448b887e5ea031d20628c44e459557a776861e3142448306f1f
SSDEEP: 12288:llPloOJRYWqKpyxVTEVY4j5ChbyoZT1fNfhsPetrFPehIPf5OoGhV1FnmxmrS3tN:H9oOJbNedEVd8hy85sOPehgO9hV1p0tN
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: sg2plcpnl0128.prod.sin2.secureserver.net
Port: 587
Username: [email protected]
Password: ]EMe[F7b^j@[
Email To: [email protected]
This is the sample's exfiltration channel: Agent Tesla in SMTP mode logs in to the configured mailbox with these credentials and mails the harvested data to the "Email To" address. The two addresses were obfuscated in the source page and are left as extracted; the host, port and password are worth blocking and hunting for in outbound SMTP submissions (TCP/587) from non-mail-client processes.
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3008 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2040 lee.exe (the remaining 62 events)
  pid 2580 powershell.exe
  pid 2984 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: pid 2040 lee.exe
  Token SeDebugPrivilege: pid 2580 powershell.exe
  Token SeDebugPrivilege: pid 2984 powershell.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 2040 lee.exe wrote to memory of 2580 powershell.exe (target index 28): 4 events
  PID 2040 lee.exe wrote to memory of 2984 powershell.exe (target index 30): 4 events
  PID 2040 lee.exe wrote to memory of 3008 schtasks.exe (target index 31): 4 events
  PID 2040 lee.exe wrote to memory of 2372 RegSvcs.exe (target index 34): 10 events
  RegSvcs.exe (pid 2372) receives the most writes and is started with no arguments (a legitimate RegSvcs run takes an assembly path), which is the pattern of a signed .NET host being used as an injection target rather than a genuine RegSvcs invocation.
Processes
- C:\Users\Admin\AppData\Local\Temp\lee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lee.exe"
  PID: 2040
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\lee.exe"
    PID: 2580
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HGvzWiTHEFaX.exe"
    PID: 2984
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HGvzWiTHEFaX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A42.tmp"
    PID: 3008
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2372

Notes on the tree: the child command lines name System32, but the images actually loaded are under SysWOW64, so lee.exe is a 32-bit process and WOW64 file-system redirection is mapping its System32 references to the 32-bit binaries. The two Add-MpPreference calls register Microsoft Defender exclusions for the original dropper and for a copy under Roaming; the scheduled task "Updates\HGvzWiTHEFaX" shares its name with that Roaming copy and is registered from a task XML written to %TEMP% (the XML contents are not shown in this report). RegSvcs.exe is launched with no arguments and then written to ten times by lee.exe.
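A detection pass over the process tree above, as an added example that is not tria.ge output and contains nothing from the sample itself. It models the tree as process-creation events (the ProcEvent fields pid, ppid, image and cmdline loosely follow Sysmon Event ID 1 and are an assumption), constructs those events inline from the PIDs and command lines in this report plus a made-up explorer.exe parent and a made-up benign Add-MpPreference event as a control, and flags the four behaviours worth alerting on: a Defender exclusion for a user-writable path, a scheduled task registered from an XML in a user-writable path, an argument-less RegSvcs.exe spawned by a user-path parent, and the System32-versus-SysWOW64 mismatch that reveals a 32-bit parent. The ATT&CK IDs and the wow64-redirect tag are the editor's labels, not from the report.

```python
"""Process-creation detections modelled on the tree in this report.
Added example, not tria.ge output.  Field names are an assumption and
the ATT&CK tags are the editor's mapping."""
import re
from dataclasses import dataclass

# User-writable locations a dropper typically lives in (Temp and Roaming).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image the OS actually loaded (after WOW64 redirection)
    cmdline: str   # command line as supplied by the parent


def _arg_after(flag: str, cmdline: str):
    """Return the (possibly quoted) value following a flag, or None."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline,
                  re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Return (pid, tag, detail) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)

        # T1562.001: Defender exclusion added for a user-writable path.
        if img.endswith("\\powershell.exe") and re.search(
                r"\bAdd-MpPreference\b", e.cmdline, re.IGNORECASE):
            path = _arg_after("-ExclusionPath", e.cmdline)
            if path and USER_WRITABLE.search(path):
                findings.append((e.pid, "T1562.001",
                                 f"Defender exclusion for {path}"))

        # T1053.005: task registered from an XML definition in a user path.
        if img.endswith("\\schtasks.exe") and re.search(
                r"/create\b", e.cmdline, re.IGNORECASE):
            xml = _arg_after("/XML", e.cmdline)
            if xml and USER_WRITABLE.search(xml):
                findings.append((e.pid, "T1053.005",
                                 f"scheduled task from {xml}"))

        # T1055: argument-less RegSvcs.exe started by a user-path parent
        # (a legitimate RegSvcs run takes an assembly argument).
        if img.endswith("\\regsvcs.exe") and parent is not None:
            no_args = e.cmdline.strip().strip('"').lower() == img
            if no_args and USER_WRITABLE.search(parent.image):
                findings.append((e.pid, "T1055",
                                 f"RegSvcs.exe host spawned by {parent.image}"))

        # WOW64 redirection: command line names System32 but the loaded
        # image is under SysWOW64, so the parent is a 32-bit process.
        if "\\syswow64\\" in img and re.search(r"\\system32\\", e.cmdline,
                                                re.IGNORECASE):
            findings.append((e.pid, "wow64-redirect",
                             "32-bit parent launched a System32 path"))
    return findings


# Constructed from the PIDs and command lines in the report above; the
# explorer.exe parent (pid 1000) and the final benign event are made up.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2040, 1000, r"C:\Users\Admin\AppData\Local\Temp\lee.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\lee.exe"'),
    ProcEvent(2580, 2040,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath '
              r'"C:\Users\Admin\AppData\Local\Temp\lee.exe"'),
    ProcEvent(2984, 2040,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath '
              r'"C:\Users\Admin\AppData\Roaming\HGvzWiTHEFaX.exe"'),
    ProcEvent(3008, 2040, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN '
              r'"Updates\HGvzWiTHEFaX" /XML '
              r'"C:\Users\Admin\AppData\Local\Temp\tmp3A42.tmp"'),
    ProcEvent(2372, 2040,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Control: an administrator excluding a vendor directory from a 64-bit
    # shell must not fire any rule.
    ProcEvent(4100, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Program Files\Vendor"'),
]

if __name__ == "__main__":
    for pid, tag, detail in detect(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {tag:<14} {detail}")
```

The rules key on the resolved image path rather than the command line because the command line is attacker-controlled text; the quoted-argument parser keeps paths with spaces intact so a control such as "C:\Program Files\Vendor" is judged on its full value, and the user-writable test is what separates this tree from an administrator's exclusion or a vendor's installer task.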
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 9840ceb29c73d3f86b208983e1baf6d9
  SHA1: c6d7d90010b9c0f91f22e51c85a3b14ae0725060
  SHA256: ebfd704acfd7f6d68cd70dd53341ac73bd124e14ea4ecb515def98bf6e85265d
  SHA512: d91a09a6e942cd5f99597d48c1ec3b002a62166b3232d74f95ebf38a601243065f7be4a7ed2f89ec3a7a9433074634373e9e50ccde5f7c7c2ecbf73f18067d2c