Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
02/08/2024, 01:54
General
-
Target
Petikan segera.08.10.2021.xlxs.exe
-
Size
498KB
-
MD5
b6a26b6912def25202d5c5b3a7cef7ef
-
SHA1
c61a6ca3cf061a2ba382a77d5e697f1dea1e99f2
-
SHA256
e4c04b184aebbb0c4cd7533d2432c5a3699ea15e3fdebcaeec49edfea97cfcf1
-
SHA512
754d0f094e3860f5196a041d841ffa7990d1b6a32749dfa5d13920fa13d1956441fb0bea097ee410da84da6d1f67c72a4ecb1e315ca7dc7dd86734e83bdf4f69
-
SSDEEP
12288:rADyL9pD3+r4m5GEh0AGdu768pSIt/cPU0Xnt0m:0+L7DWY60AB7VpS0/AU03t0m
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
mosqueboy100
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Petikan segera.08.10.2021.xlxs.exe"C:\Users\Admin\AppData\Local\Temp\Petikan segera.08.10.2021.xlxs.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Petikan segera.08.10.2021.xlxs.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
6.9MB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
384KB
-
Filesize
6.9MB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB