Analysis
-
Max time kernel: 150s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/04/2024, 10:26
Static task: static1
Behavioral task: behavioral1
  Sample: Overdue Account.pdf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Overdue Account.pdf.exe
  Resource: win10v2004-20240426-en
General
-
Target: Overdue Account.pdf.exe
Size: 670KB
MD5: 81937e479c70381a7527b21693ab3e6c
SHA1: fbac04ef1e0315bff71d908496309d731da30c75
SHA256: e48b7b9ba50d500f569024126a2ff8981db13525ff378ea2151ce8d6b7e4e452
SHA512: 35b56dce2a110c145a4c4bef02a5e0151835ea1f1d64891e346f77bf3ce4a3cae2b81f098e819183a2f664f28997845a22b071805e76c97a009b2f6241bbaded
SSDEEP: 12288:PBB778QJ5RBdmrRwANBlJi/l/XbBzN5L/ObdOC0uCnGbmSAnJGXuY7GzkR:ZBDB0rqclJeNvL/EpV5bmJKu0
Malware Config
-
Extracted: agenttesla
Protocol: smtp
Host: mail.nooshdaroodc.com
Port: 587
Username: [email protected]
Password: Nou$h@Darou
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
  process: Overdue Account.pdf.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
  process: RegSvcs.exe
-
Suspicious use of SetThreadContext (1 IoC)
  description: PID 2008 set thread context of 3844
  pid: 2008
  process: Overdue Account.pdf.exe
  procid_target: 93
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4568
  process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid   process
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  1136  powershell.exe
  3164  powershell.exe
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  2008  Overdue Account.pdf.exe
  3844  RegSvcs.exe
  3844  RegSvcs.exe
  1136  powershell.exe
  3164  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2008  Overdue Account.pdf.exe
  Token: SeDebugPrivilege   1136  powershell.exe
  Token: SeDebugPrivilege   3164  powershell.exe
  Token: SeDebugPrivilege   3844  RegSvcs.exe
-
Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   process                  procid_target
  PID 2008 wrote to memory of 1136   2008  Overdue Account.pdf.exe  86
  PID 2008 wrote to memory of 1136   2008  Overdue Account.pdf.exe  86
  PID 2008 wrote to memory of 1136   2008  Overdue Account.pdf.exe  86
  PID 2008 wrote to memory of 3164   2008  Overdue Account.pdf.exe  88
  PID 2008 wrote to memory of 3164   2008  Overdue Account.pdf.exe  88
  PID 2008 wrote to memory of 3164   2008  Overdue Account.pdf.exe  88
  PID 2008 wrote to memory of 4568   2008  Overdue Account.pdf.exe  90
  PID 2008 wrote to memory of 4568   2008  Overdue Account.pdf.exe  90
  PID 2008 wrote to memory of 4568   2008  Overdue Account.pdf.exe  90
  PID 2008 wrote to memory of 2924   2008  Overdue Account.pdf.exe  92
  PID 2008 wrote to memory of 2924   2008  Overdue Account.pdf.exe  92
  PID 2008 wrote to memory of 2924   2008  Overdue Account.pdf.exe  92
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
  PID 2008 wrote to memory of 3844   2008  Overdue Account.pdf.exe  93
Processes
-
C:\Users\Admin\AppData\Local\Temp\Overdue Account.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Overdue Account.pdf.exe"
  PID: 2008
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Overdue Account.pdf.exe"
      PID: 1136
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kpSYqS.exe"
      PID: 3164
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kpSYqS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94ED.tmp"
      PID: 4568
      Signatures:
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2924
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 3844
      Signatures:
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize: 18KB
MD5: 2085b9dda3403c0b769280912cddccd0
SHA1: 1f9611ccf9c307cd9e603c1f3a37eb38a3d66be4
SHA256: 01ad680c134feb32049d9a558024c16d319ddcfb774f8d0a63a7967d07208a55
SHA512: 40938027a78cfac24736a05fdef344fbca5c2121ed3ebcd5f5aeeb13b42bc675e102e34a804d523f84fea47ff5ee8f0612b9e15cb62de264d21d65fef3352f95
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 1KB
MD5: 04e31a34b7837d487f98cb62d3d381fd
SHA1: 17d9ab4c95ee9cab9e1b1635cedde45e024a0d6f
SHA256: 316834d4dbfae52f01a4b9e9f5a7f68a7e02679369acbeb5a54d9628792e196b
SHA512: 65539c13b5a9904a1e23b31aba6fb4b7195ebf9504dca63eaf0cdc576e395edab01a7878843e7a7724f025c0c20384d1aab4469e03f15b6b75e28be09209a79d