Analysis
Max time kernel: 146s
Max time network: 146s
Platform: windows11-21h2_x64
Resource: win11-20240419-en
Resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 08/05/2024, 07:41
Static task: static1

Behavioral task: behavioral1
  Sample: 7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
  Resource: win10v2004-20240419-en

Behavioral task: behavioral2
  Sample: 7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
  Resource: win11-20240419-en
General
Target: 7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
Size: 538KB
MD5: a0571911e8977fb94b93b2f0deb45137
SHA1: fce8528ee324b7adb81b73ed909ec1c5e33794ad
SHA256: 7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5
SHA512: 9a8d21d775b38e91921f0beb8db3a7c97b89b376be51a2d557fab7c898b5448de92838462cba4776196f76aeed5b0091cc8ea21bb231a420c8804aae3813166e
SSDEEP: 12288:Wn0AAXRPZuw2l8orxdBv0kdgkSZF8ZF/+PS3Dasb6j8l1PBK:JAAb2Bik2tZFuM63D5WjqI
Malware Config

Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: qwbf ljzv fdna xpfx

Extracted (family: agenttesla)
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: qwbf ljzv fdna xpfx
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer written in Visual Basic.

Loads dropped DLL (2 IoCs)
PID   Process
4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow  IoC
1     api.ipify.org
3     api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
PID   Process
860   7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
PID   Process
4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
860   7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of SetThreadContext (1 IoC)
Description                          PID   Process                                                                  procid_target
PID 4476 set thread context of 860   4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe   81

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID   Process
860   7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
860   7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious behavior: MapViewOfSection (1 IoC)
PID   Process
4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description              PID   Process
Token: SeDebugPrivilege  860   7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID   Process
860   7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Description                        PID   Process                                                                  procid_target
PID 4476 wrote to memory of 860    4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe   81
PID 4476 wrote to memory of 860    4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe   81
PID 4476 wrote to memory of 860    4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe   81
PID 4476 wrote to memory of 860    4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe   81
PID 4476 wrote to memory of 860    4476  7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe   81
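The extracted config (SMTP to smtp.gmail.com:587) and the api.ipify.org lookup together describe how this sample exfiltrates: it learns the victim's public IP, then mails the stolen data out. The following is an added detection example, not part of the tria.ge report and not Agent Tesla code. It correlates Sysmon-style DNS (Event ID 22) and network-connect (Event ID 3) records into one alert per process; the event rows are constructed to mirror this run (the sample as PID 860) plus invented benign noise, and the mail-client allow-list is an assumption you would tune per estate.

```python
"""Correlate host telemetry into an AgentTesla-style SMTP exfiltration alert.

Added example, not part of the tria.ge report. The events below are
constructed to mirror this run: the sample (PID 860) resolves
api.ipify.org and then connects to smtp.gmail.com:587, the channel named
in the extracted config. Field names follow Sysmon Event ID 22 (DnsQuery)
and Event ID 3 (NetworkConnect); the benign rows are invented noise.
"""
from collections import defaultdict

SAMPLE = "7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe"

# From the report: the IP-lookup host the sample contacted and SMTP ports of interest.
IP_LOOKUP_HOSTS = {"api.ipify.org"}
SMTP_PORTS = {25, 465, 587}
# Assumption for the demo: images that legitimately speak SMTP on this host.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed telemetry, not captured from the sandbox.
EVENTS = [
    {"eid": 22, "pid": 860, "image": SAMPLE, "query": "api.ipify.org"},
    {"eid": 3, "pid": 860, "image": SAMPLE, "dst": "smtp.gmail.com", "port": 587},
    {"eid": 22, "pid": 1234, "image": "chrome.exe", "query": "www.google.com"},
    {"eid": 22, "pid": 1234, "image": "chrome.exe", "query": "api.ipify.org"},  # user browsing the site
    {"eid": 3, "pid": 2048, "image": "outlook.exe", "dst": "smtp.office365.com", "port": 587},
    {"eid": 3, "pid": 860, "image": SAMPLE, "dst": "smtp.gmail.com", "port": 587},
]


def find_smtp_exfil(events, allowlist=MAIL_CLIENT_ALLOWLIST):
    """Return {pid: {"image", "smtp", "ip_lookup"}} for processes that speak SMTP
    from an image not on the mail-client allow-list. The external-IP lookup is
    recorded as corroboration but never alerts on its own (browsers hit it too)."""
    state = defaultdict(lambda: {"image": None, "smtp": set(), "ip_lookup": False})
    for ev in events:
        rec = state[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["eid"] == 22 and ev["query"].lower() in IP_LOOKUP_HOSTS:
            rec["ip_lookup"] = True
        elif ev["eid"] == 3 and ev["port"] in SMTP_PORTS:
            rec["smtp"].add((ev["dst"].lower(), ev["port"]))
    hits = {}
    for pid, rec in state.items():
        basename = rec["image"].rsplit("\\", 1)[-1].lower()
        if rec["smtp"] and basename not in allowlist:
            hits[pid] = {
                "image": rec["image"],
                "smtp": sorted(rec["smtp"]),
                "ip_lookup": rec["ip_lookup"],
            }
    return hits


if __name__ == "__main__":
    for pid, hit in find_smtp_exfil(EVENTS).items():
        corroborated = "yes" if hit["ip_lookup"] else "no"
        print(f"PID {pid} {hit['image']}: SMTP to {hit['smtp']}, IP lookup: {corroborated}")
```

Only PID 860 is reported: outlook.exe is allow-listed and chrome.exe never opens an SMTP port, even though it also resolved api.ipify.org. Blocking the Gmail app password in the config is the mail provider's job; on the host, the durable signal is an unexpected image opening port 587.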
Processes

C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe"
PID: 4476
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory

  Child of PID 4476:
  C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe"
  PID: 860
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
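The process tree and the SetThreadContext / WriteProcessMemory / MapViewOfSection signatures above describe one pattern: PID 4476 launches a second copy of its own image (PID 860), writes into it and replaces a thread context, after which the child runs the real payload and both processes hide their threads from a debugger. The block below is an added example that reconstructs that chain from an API trace; it is not tria.ge code. The trace is constructed to match the signature rows (same PIDs and call counts); the CREATE_SUSPENDED flag on the child is an assumption, since the report shows only the writes and the context change, not the creation flags.

```python
"""Reconstruct the self-injection and anti-debugging chain from an API trace.

Added example, not tria.ge code. The trace is constructed to match the
signature rows in this report: PID 4476 spawns its own image as PID 860,
maps a section and writes into it, replaces a thread context, and both
processes hide threads from debuggers. CREATE_SUSPENDED on the child is an
assumption (the usual hollowing shape); the report only shows the writes
and the SetThreadContext call.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe"

CREATE_SUSPENDED = 0x00000004                 # CreateProcess dwCreationFlags
THREAD_HIDE_FROM_DEBUGGER = 0x11              # NtSetInformationThread class
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx flag

# Constructed trace: "pid" is the caller, "target" the process acted upon.
TRACE = [
    {"pid": 4476, "image": SAMPLE, "api": "NtSetInformationThread", "args": {"class": THREAD_HIDE_FROM_DEBUGGER}},
    {"pid": 4476, "image": SAMPLE, "api": "CreateProcessW", "target": 860,
     "args": {"image": SAMPLE, "flags": CREATE_SUSPENDED}},
    {"pid": 4476, "image": SAMPLE, "api": "NtMapViewOfSection", "target": 860},
    *({"pid": 4476, "image": SAMPLE, "api": "WriteProcessMemory", "target": 860} for _ in range(5)),
    {"pid": 4476, "image": SAMPLE, "api": "SetThreadContext", "target": 860},
    {"pid": 4476, "image": SAMPLE, "api": "ResumeThread", "target": 860},
    {"pid": 860, "image": SAMPLE, "api": "NtSetInformationThread", "args": {"class": THREAD_HIDE_FROM_DEBUGGER}},
    {"pid": 860, "image": SAMPLE, "api": "NtCreateThreadEx", "args": {"flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER}},
    # Benign noise: a shell launching a different image without touching its memory.
    {"pid": 5000, "image": r"C:\Windows\explorer.exe", "api": "CreateProcessW", "target": 5100,
     "args": {"image": r"C:\Windows\notepad.exe", "flags": 0}},
]


def detect_hollowing(trace):
    """Flag (parent, child) pairs where the parent writes into the child and
    replaces a thread context. Spawning a suspended copy of its own image
    turns the finding into the self-hollowing seen in this report."""
    images = {}
    pairs = defaultdict(lambda: {"calls": defaultdict(int), "spawned": None, "suspended": False})
    for ev in trace:
        images[ev["pid"]] = ev["image"]
        if "target" not in ev:
            continue
        rec = pairs[(ev["pid"], ev["target"])]
        rec["calls"][ev["api"]] += 1
        if ev["api"] == "CreateProcessW":
            rec["spawned"] = ev["args"]["image"]
            rec["suspended"] = bool(ev["args"]["flags"] & CREATE_SUSPENDED)
    findings = []
    for (parent, child), rec in sorted(pairs.items()):
        calls = rec["calls"]
        if calls["WriteProcessMemory"] and calls["SetThreadContext"]:
            findings.append({
                "parent": parent,
                "child": child,
                "writes": calls["WriteProcessMemory"],
                "mapped_section": calls["NtMapViewOfSection"] > 0,
                "self_copy": rec["spawned"] == images.get(parent),
                "suspended": rec["suspended"],
            })
    return findings


def detect_anti_debug(trace):
    """PIDs that hide threads from a debugger, by either of the two API routes."""
    pids = set()
    for ev in trace:
        args = ev.get("args", {})
        if ev["api"] == "NtSetInformationThread" and args.get("class") == THREAD_HIDE_FROM_DEBUGGER:
            pids.add(ev["pid"])
        elif ev["api"] == "NtCreateThreadEx" and args.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            pids.add(ev["pid"])
    return sorted(pids)


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print("hollowing:", f)
    print("anti-debug PIDs:", detect_anti_debug(TRACE))
```

The detector keys on the pair (writer, target) rather than on any single API, because WriteProcessMemory alone is common in legitimate software; it is the combination with SetThreadContext on a freshly spawned copy of the parent's own image that matches the report. The anti-debug check is listed separately since it fires in the parent before injection as well as in the child, as the two NtSetInformationThreadHideFromDebugger rows show.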
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 52B
MD5: ea70cc86528476e4f1225362996952a6
SHA1: 93851680188ae3f06e0b419fa5afe38de41b84eb
SHA256: 86ecd210e4942095595b70f160ce629c222229b154e64cf97295beb83ade9f63
SHA512: 86c4fe02a63c61776b1cda0bca20e87f97a0103d0e9e914e913a5047d2660a804f18a754029f4d1877010d9027968c20107862da56e0033529f9d58a26cde836

Filesize: 54B
MD5: 8e69760955a717be873f8253ebc6905b
SHA1: c813b0cc54451465777460ef2f46bc98c273c739
SHA256: 3159fb26988fd82c5a652bdf09e65bb021011a4f8953f009c0a7d893149a9c8e
SHA512: 16de94f841400aeffd2b67ca45e807da10023229f667f746b8fc7b127c347d843ff51b822191e656a94b63d8c8187c928d40113914d34570136c878b64279600

Filesize: 74B
MD5: 16d513397f3c1f8334e8f3e4fc49828f
SHA1: 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256: d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512: 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Filesize: 11B
MD5: bad78a997013818e85c1091ce1f575e0
SHA1: fa7b6b576c9b365194a222dfd1d3805121544fd3
SHA256: e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d
SHA512: c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

Filesize: 19B
MD5: a82a5da452642ddab3a7ee07f7c408df
SHA1: cf937f2e7e57c21beaf57a2b7e0c4b77f37c63f7
SHA256: 84911471a6124a186d240b3b67eed83ba5a0a7cb911eefc790712d936c83d568
SHA512: 73ed822f62f762e6e8902b4a5c31ea9a0501926d2dd512f5e5285d39fa8b31e82e61294c99c341e0f2046d0cb0351396e8d97afc0ddc71d37c9b680cf757f5a0

Filesize: 51B
MD5: 25e25dd5339a5ffa3029882c78781ba5
SHA1: 4a3f9570af7ac769c1ed9f3f6635610f580f25a2
SHA256: 95d99ced3262b6abe20846c575046294e0cace752cab5ab2067c4b78982ab61b
SHA512: 7c5ad14c5c038c871576fadd2f7ca1c04425fe7536c0e94e7817197ec43a732369b31ef42ef194c2e44b52dfb55237a3b6a5663e17b106482a7a22f1434f2bb0

Filesize: 53B
MD5: 6601def372fd604346cc14113dbe6c2f
SHA1: 55b5e2406ef28e7c45a60acc6f90795cc088493d
SHA256: f4bf549b30bb96f31c7aec31e319438324daac5f7483e906beadb08ce285bb0c
SHA512: 4eae5d296860b66377467aea0e6b6077f2bd993c151c29e2d1428c1d262c49ab4f8ef91cc6a7857f9054a1c86c59f08b8d9168754f5e66f021c2d4a05fffb451

Filesize: 52B
MD5: 5d04a35d3950677049c7a0cf17e37125
SHA1: cafdd49a953864f83d387774b39b2657a253470f
SHA256: a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512: c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Filesize: 56B
MD5: e57219d5147cb8918c21a7d88b86c614
SHA1: 64c602c9c0084e003cc94e7c2c3a13f525e123e1
SHA256: 0250901b65d81e9e1a667a2e9e269724f85f45d9cb94cfe707b537b764a41df2
SHA512: 286f7fd8bb8db603ac4eeb16dc86718e91718c4e498fded8eea4bf706c4e63cec2161800f60f67bd2bd6dcd60015cb3f46fd9c99f98715fdf73d428b963ee100

Filesize: 20B
MD5: 981d979ec49cb64b078f50013c191acd
SHA1: 18f103644da4913b96391b7d457ded5706e4d0f2
SHA256: f4e95849a9bf43f048e70b6beb4716762d41fd3efcb59bc58923386a6e3aeb5b
SHA512: d2901d088095cfb15227db5b49f510591e3480be1d4bd16991e794347657bcc4e1e940834961a09d9eaf48c3224886b850973a8eff9cd3ee74f7eec622bb6eba

Filesize: 60B
MD5: 98b5cbda2eee757c64c0a37581a2242e
SHA1: 0299d8182adeccf47ff2cb1ca1d146b61478a236
SHA256: b65159dfd5ab684ea4c7af9f5a8c37d26d62bccfbc603fc89fdbc77b0b1702ab
SHA512: 50ffab70da4ac2af26d9134eba6823684ba22bead90c8afb4380fdcf5dae931c2bc2231dc668b5203b8946046983fbd9893d3f7a26fcad1c9772c808e3b9e406

Filesize: 25B
MD5: 8862560e881d6575fee3adfb711d1c11
SHA1: b936ab218e307ea1dd7da7e3f3e0f727f15ee80d
SHA256: b06ac7eb718baa0f71c83a46cf55b5a1368d93fd3e2007fc6047b4854f3090fe
SHA512: 4ddd950a2da0b1c9fecf29fa48d1ac1847f4461bca2fc58f38d2af44657f810e07a8383878dc06a803d5ac77450f5fc90865551f7aea85b48ca97eb0022228b4

Filesize: 30B
MD5: f15bfdebb2df02d02c8491bde1b4e9bd
SHA1: 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256: c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512: 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Filesize: 11KB
MD5: 883eff06ac96966270731e4e22817e11
SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390