General

  • Target

    4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlsx

  • Size

    675KB

  • Sample

    240607-bzgakafd3x

  • MD5

    71e83cfe190375b478e42933ac4e1997

  • SHA1

    bd4ce42a4599837b7a819e41ab740881f2f9bbd1

  • SHA256

    4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0

  • SHA512

    a7a1fb14380353be5200ab7360a7338b8fe93f93f614faa03cfc296a9f87a7c8188cd09ecc06ef30192ffcbd8d4da25b95dae77d70a12755769e232dd6d82bb3

  • SSDEEP

    12288:DQnWa/bT29nrmgHgFSPn643Cyne30ZPN9P2X9CcDhZ28mGEWOVPJ9u0aJ2BrupA+:sMAs6A1e3of2XM01mtVxEpQBrdGDYw

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks