Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Payment Advice.exe

windows7-x64

10

Payment Advice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice.exe

  • Size

    702KB

  • MD5

    85614b7101c98396ed9fdc14222e563b

  • SHA1

    cbc9f72d36818e6c1918c86bc56178f92802d7b1

  • SHA256

    98206390a847ef2600f916f0076f687d5261ff98ca02b5292fdf44017ca0e006

  • SHA512

    c123cc701be5ac9a667f3b2617fdb25996f6b46b3aca1cac027d14e76fda4d9a71b17031bcc6dbaf2bc5455184e59377fa39d72cccf133d384523419cbd47fa0

  • SSDEEP

    12288:Wb/1eJ5e7nzXD1uARs1XbQfzQfDKDFHtX9dW323tfZXOdaG9uq3kR:Wb/gJgDsR1r4zVXHtBXOf9uqi

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.lamcopaper.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @@Lppc11988

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NrbWmxiTaucKrw.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NrbWmxiTaucKrw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AAC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3676
    • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
      2⤵
        PID:3092
      • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
        2⤵
          PID:1912
        • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
          "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        68c64b99a7853c2c3e5524fec4ed89d2

        SHA1

        ce1ac1893bc58e790f6def9099bf05f7fe3b2e84

        SHA256

        6cc44390946afab77f5021e6d535931f28593c4c55b47ef4176a92b925b15fa5

        SHA512

        5434e7fb12616c8a64f431397c449304222d5cf0e9fb542bc66c6ac689b9d28d6db1864e303246c8d8b541a12661280ba3ca9a574d08996336528511da1db805

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jl5svtlt.wld.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp6AAC.tmp
        Filesize

        1KB

        MD5

        5c9566a0467372ce6368e406d32e3ed6

        SHA1

        9b6b340aa5a47a41e6819dfdea0ce2747df03ce4

        SHA256

        7dff0273fb794400d0b8c147dbc707022c388a69a418ca597f527fe23b82c4c5

        SHA512

        2d838350510c55ba6f084efb57b9de6ecbe4985faa5a8a781bfab10ca700b57eea410d63a9204bd00b7ec2945da383a829277099c4f81a5e8426a60ac07d8996

        Download Submit

      • memory/2596-78-0x0000000007A00000-0x0000000007AA3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2596-21-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2596-52-0x00000000067E0000-0x00000000067FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2596-53-0x0000000006D40000-0x0000000006D8C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2596-84-0x0000000007CF0000-0x0000000007D01000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2596-73-0x0000000006D90000-0x0000000006DAE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2596-28-0x0000000006110000-0x0000000006176000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2596-57-0x00000000756A0000-0x00000000756EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2596-80-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2596-96-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2596-23-0x0000000005330000-0x0000000005340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2596-19-0x0000000005970000-0x0000000005F98000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2596-86-0x0000000007D30000-0x0000000007D44000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2596-22-0x0000000005330000-0x0000000005340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3516-11-0x0000000005C60000-0x0000000005CE4000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3516-2-0x00000000050B0000-0x0000000005654000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3516-0-0x00000000001F0000-0x00000000002A2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/3516-5-0x0000000004C40000-0x0000000004F94000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3516-3-0x0000000004BA0000-0x0000000004C32000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3516-12-0x0000000008270000-0x000000000830C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3516-1-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3516-8-0x0000000005830000-0x0000000005844000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3516-10-0x0000000005BC0000-0x0000000005BCC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3516-4-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3516-9-0x0000000005BA0000-0x0000000005BA8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3516-50-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3516-7-0x0000000005810000-0x000000000581A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3516-6-0x0000000004FA0000-0x000000000503E000-memory.dmp

        Filesize

        632KB

        Download

      • memory/3680-44-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3680-27-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3680-98-0x0000000004F60000-0x0000000004F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3680-97-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3680-87-0x00000000064E0000-0x0000000006530000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3680-51-0x0000000004F60000-0x0000000004F70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-26-0x0000000005400000-0x0000000005422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4984-88-0x0000000007A40000-0x0000000007A5A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4984-29-0x0000000005D40000-0x0000000005DA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4984-81-0x0000000007770000-0x000000000777A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4984-83-0x0000000007980000-0x0000000007A16000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4984-56-0x00000000069D0000-0x0000000006A02000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4984-85-0x0000000007930000-0x000000000793E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4984-25-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-55-0x000000007F940000-0x000000007F950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-79-0x0000000007D40000-0x00000000083BA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4984-89-0x0000000007A20000-0x0000000007A28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4984-24-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-18-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4984-95-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4984-17-0x0000000004E30000-0x0000000004E66000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4984-54-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-58-0x00000000756A0000-0x00000000756EC000-memory.dmp

        Filesize

        304KB

        Download