Analysis

  • max time kernel
    27s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/04/2024, 06:57

General

  • Target

    766a562fe164c48e8eb60dd8b86fd87f6da0cbf5.rtf

  • Size

    298KB

  • MD5

    f66e1b62a4f55ba19195bbe77d9904da

  • SHA1

    766a562fe164c48e8eb60dd8b86fd87f6da0cbf5

  • SHA256

    2ebdaca8f32c4919206a9ea812cac3eb39517ac9d2b1d535900d3c16faf1b716

  • SHA512

    982b3211c03c6554c1d6ac711b54fea077402bbb316bf9972187c8163aebb3e4c8d60408c4abe5b7517a8442b7c726b58013d5d438c9d5d29ba45ecc767d77a7

  • SSDEEP

    3072:+sXvKMEesXvKMEesXvKMEesXvKME7N7k2i+mxQX7b5I:zKMeKMeKMeKMECBOX7b5I

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a .NET (Visual Basic) remote access tool (RAT) and information stealer; the credential-harvesting signatures below (WinSCP, FTP clients, email clients, browsers) are its usual collection behaviour.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. It is started out-of-process via COM, so in the process tree below it appears as a root process with "-Embedding" rather than as a child of WINWORD.EXE; detections keyed on Word spawning a child will not see it.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
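The "Launches Equation Editor" and "Office loads VBA resources, possible macro or embedded object present" signatures come from Word activating an embedded OLE object. The static check below is an added example (not tria.ge code and not the sample's content, which the report only identifies by hash): it pulls `\*\objclass` / `\*\objdata` pairs out of an RTF, hex-decodes the OLE 1.0 container, and flags objects whose class is Equation.* or whose embedded file carries the "Equation Native" stream name, plus the `\objupdate` control word that makes the object load without user interaction. The RTF it scans is constructed inline with a stub compound file (CFB magic and a stream name only). Real exploit documents often obfuscate the hex blob; for production triage use oletools' rtfobj, this is the minimal form of the same idea.

```python
import re
import struct

# OLE2 / Compound File Binary header magic; the native data inside an
# OLE1 container is normally a CFB file.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
EQUATION_NATIVE_U16 = "Equation Native".encode("utf-16-le")  # stream name as stored in a CFB directory

OBJSTART_RE = re.compile(rb"\\object(?![a-zA-Z])")          # start of one {\object ...} group
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s*([^\s{}\\]+)")  # declared class, e.g. Equation.3
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")  # hex-encoded OLE1 container


def _lp_string(buf, off):
    """Read a DWORD-length-prefixed ANSI string at buf[off]; return (text, next_offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    text = buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1")
    return text, off + 4 + n


def parse_ole1(buf):
    """Parse an OLE 1.0 container: version, format id, class/topic/item names,
    native data size, native data. Returns (class_name, native_data);
    (None, b'') if the blob is too short or malformed."""
    try:
        _version, _fmt = struct.unpack_from("<II", buf, 0)
        cls, off = _lp_string(buf, 8)
        _topic, off = _lp_string(buf, off)
        _item, off = _lp_string(buf, off)
        (size,) = struct.unpack_from("<I", buf, off)
        return cls, buf[off + 4:off + 4 + size]
    except (struct.error, UnicodeDecodeError):
        return None, b""


def scan_rtf(data):
    """Return one finding dict per \\*\\objdata blob found in the RTF bytes."""
    findings = []
    for m in OBJDATA_RE.finditer(data):
        # Only look at the {\object ...} group this objdata belongs to.
        starts = [s.start() for s in OBJSTART_RE.finditer(data[:m.start()])]
        segment = data[starts[-1] if starts else 0:m.start()]
        classes = OBJCLASS_RE.findall(segment)
        objclass = classes[-1].decode("latin-1") if classes else ""
        try:
            raw = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        except ValueError:
            raw = b""
        ole1_class, native = parse_ole1(raw)
        eq_native = EQUATION_NATIVE_U16 in native or b"Equation Native" in native
        finding = {
            "objclass": objclass,
            "ole1_class": ole1_class or "",
            "cfb": native.startswith(CFB_MAGIC),
            "equation_native": eq_native,
            "objupdate": b"\\objupdate" in segment,
        }
        finding["suspicious"] = (objclass.lower().startswith("equation")
                                 or finding["ole1_class"].lower().startswith("equation")
                                 or eq_native)
        findings.append(finding)
    return findings


def _lp(text):
    b = text.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(b)) + b


def make_sample_rtf():
    """Constructed test input: one Equation.3 object (stub CFB body) and one
    benign-looking Package object with a truncated blob. Not the report's sample."""
    cfb = CFB_MAGIC + b"\x00" * 24 + EQUATION_NATIVE_U16 + b"\x00" * 32
    ole1 = (struct.pack("<II", 0x0501, 2) + _lp("Equation.3") + _lp("") + _lp("")
            + struct.pack("<I", len(cfb)) + cfb)
    return (b"{\\rtf1\\ansi\\deff0 "
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0102}}}")


if __name__ == "__main__":
    for f in scan_rtf(make_sample_rtf()):
        print(f)
```

Run `scan_rtf(open(path, "rb").read())` on a real document; a finding with `suspicious` set, especially together with `objupdate`, is the static counterpart of the "Launches Equation Editor" behaviour in this report.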

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\766a562fe164c48e8eb60dd8b86fd87f6da0cbf5.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:856
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Roaming\perospmouhj7549.scr
        "C:\Users\Admin\AppData\Roaming\perospmouhj7549.scr"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\perospmouhj7549.scr"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2452
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yvThfdTo.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1536
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yvThfdTo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:1888
        • C:\Users\Admin\AppData\Roaming\perospmouhj7549.scr
          "C:\Users\Admin\AppData\Roaming\perospmouhj7549.scr"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2732

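The tree above carries four things a detection engineer would alert on: EQNEDT32.EXE spawning an executable from AppData\Roaming; PowerShell calling Add-MpPreference -ExclusionPath for both dropper names; schtasks /Create importing a task definition from a Temp file; and the .scr launching a second copy of itself (PID 2732) right after the "Suspicious use of SetThreadContext" signature, which is the usual shape of process hollowing. The checks below are an added example, not tria.ge output; the events are reconstructed from the process list on this page (image, command line, PID, parent). EQNEDT32.EXE is given no parent because tria.ge shows it as a root process (COM starts it out-of-process), so the rule keys on Equation Editor as the parent, not on Word. Two caveats: the PowerShell image is under SysWOW64 because the 32-bit dropper launched it and file-system redirection mapped System32, and Add-MpPreference is a Windows Defender cmdlet that does not exist on Windows 7, so on this image the exclusion calls fail; on a current Windows host they would carve the dropper out of scanning.

```python
import re
from pathlib import PureWindowsPath

# Process-creation events reconstructed from the report's tree (constructed
# input for this example; cmdline strings are the ones shown on the page).
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\Admin\AppData\Roaming\perospmouhj7549.scr"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '

EVENTS = [
    {"pid": 2164, "ppid": None, "image": OFFICE,
     "cmdline": '"' + OFFICE + r'" /n "C:\Users\Admin\AppData\Local\Temp\766a562fe164c48e8eb60dd8b86fd87f6da0cbf5.rtf"'},
    {"pid": 856, "ppid": 2164, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2944, "ppid": None, "image": EQNEDT, "cmdline": '"' + EQNEDT + '" -Embedding'},
    {"pid": 2628, "ppid": 2944, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
    {"pid": 2452, "ppid": 2628, "image": PS_IMAGE, "cmdline": PS_CMD + '"' + DROPPER + '"'},
    {"pid": 1536, "ppid": 2628, "image": PS_IMAGE,
     "cmdline": PS_CMD + r'"C:\Users\Admin\AppData\Roaming\yvThfdTo.exe"'},
    {"pid": 1888, "ppid": 2628, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yvThfdTo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp"'},
    {"pid": 2732, "ppid": 2628, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
]

# Directories an unprivileged user can write to; executables and task XML
# living here are the interesting ones.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+\"([^\"]+)\"", re.I)
TASK_XML_RE = re.compile(r"/XML\s+\"([^\"]+)\"", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return (rule, pid, detail) tuples for the process events that match."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])

        # Equation Editor should never start an executable, let alone one from a user profile.
        if parent and basename(parent["image"]) == "eqnedt32.exe" and USER_WRITABLE.search(e["image"]):
            hits.append(("equation_editor_child", e["pid"], e["image"]))

        # Defender exclusion added for a specific file: defence evasion, usually for the dropper itself.
        if name == "powershell.exe":
            m = EXCLUSION_RE.search(e["cmdline"])
            if m:
                hits.append(("defender_exclusion", e["pid"], m.group(1)))

        # Task created from an XML definition sitting in a user-writable directory: persistence.
        if name == "schtasks.exe" and re.search(r"/create\b", e["cmdline"], re.I):
            m = TASK_XML_RE.search(e["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append(("schtasks_xml_from_user_dir", e["pid"], m.group(1)))

        # A process starting its own image again is the classic RunPE / hollowing pattern;
        # in the report the parent also triggered "Suspicious use of SetThreadContext".
        if parent and parent["image"].lower() == e["image"].lower():
            hits.append(("self_spawn_hollowing_candidate", e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The same four rules translate directly to Sysmon Event ID 1 or EDR process-creation telemetry; the self-spawn rule is noisy on its own and is best combined with a SetThreadContext/WriteProcessMemory signal, as it is here.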
    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp

      Filesize

      1KB

      MD5

      0f7cf85ec9d89a4ae186e4b1b8e3924f

      SHA1

      e5c074388179837e8c87355490db437177d4a5c5

      SHA256

      d35587e15a9ede94236f4b2ae5d6b2ded53c31413e2034ea0187260a4e9cc288

      SHA512

      9d150c15589c7efad7b6eaefbf2a5763027dc748b1ee82f1df263923859706132d5907c77bb0b36522b6bdae9f69213e7fbf242ef38a06b8476bda658816a158

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      ce894d4faf1c1b33f4d8a62c72561db2

      SHA1

      438e5d88ddeb43031b34eddd998581443adcfca6

      SHA256

      688f82705f01fb60df8970c30228982acce7ccb746f1b7cc6134ead2590fdd5f

      SHA512

      6da3b1ff8d1528ea5c5496ea078036d79e1d2502f506a909034b198bae5172a2464ddbad17f1da3d7a43007224d12c85e645d68043c1fdf60af8221be179b064

    • \Users\Admin\AppData\Roaming\perospmouhj7549.scr

      Filesize

      663KB

      MD5

      cf4352dd6669e3fa815021ce77e32e83

      SHA1

      d713d6f7f908be72b8aba44087484e084d0b41cd

      SHA256

      4ad1b72070f623a5ac980906658f86cd69f690694028defcfdf161f4bfaff7fc

      SHA512

      53c29ff62fa5ab296f66efd0a296bf38026b083ed653ef8b13af31431cf0654fc9611b46bef7a410c07ffa6990352bdb1da6bc9cecdb19ce5c2d8a2fbce84634

    • memory/1536-83-0x00000000664E0000-0x0000000066A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/1536-78-0x00000000026F0000-0x0000000002730000-memory.dmp

      Filesize

      256KB

    • memory/1536-77-0x00000000664E0000-0x0000000066A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/1536-71-0x00000000664E0000-0x0000000066A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/1536-80-0x00000000026F0000-0x0000000002730000-memory.dmp

      Filesize

      256KB

    • memory/2164-0-0x000000002F461000-0x000000002F462000-memory.dmp

      Filesize

      4KB

    • memory/2164-2-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

    • memory/2164-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2164-75-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

    • memory/2452-79-0x0000000001B50000-0x0000000001B90000-memory.dmp

      Filesize

      256KB

    • memory/2452-81-0x0000000001B50000-0x0000000001B90000-memory.dmp

      Filesize

      256KB

    • memory/2452-82-0x00000000664E0000-0x0000000066A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2452-73-0x0000000001B50000-0x0000000001B90000-memory.dmp

      Filesize

      256KB

    • memory/2452-72-0x00000000664E0000-0x0000000066A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2628-39-0x0000000000510000-0x0000000000518000-memory.dmp

      Filesize

      32KB

    • memory/2628-41-0x0000000004870000-0x00000000048F2000-memory.dmp

      Filesize

      520KB

    • memory/2628-30-0x00000000013C0000-0x0000000001468000-memory.dmp

      Filesize

      672KB

    • memory/2628-70-0x000000006B920000-0x000000006C00E000-memory.dmp

      Filesize

      6.9MB

    • memory/2628-31-0x000000006B920000-0x000000006C00E000-memory.dmp

      Filesize

      6.9MB

    • memory/2628-32-0x0000000004DE0000-0x0000000004E20000-memory.dmp

      Filesize

      256KB

    • memory/2628-37-0x0000000000490000-0x00000000004A2000-memory.dmp

      Filesize

      72KB

    • memory/2628-40-0x0000000000560000-0x000000000056C000-memory.dmp

      Filesize

      48KB

    • memory/2732-60-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2732-56-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2732-76-0x000000006B920000-0x000000006C00E000-memory.dmp

      Filesize

      6.9MB

    • memory/2732-54-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2732-74-0x0000000004D20000-0x0000000004D60000-memory.dmp

      Filesize

      256KB

    • memory/2732-58-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2732-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2732-64-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2732-69-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2732-67-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB