Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 02:10

General

  • Target

    a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe

  • Size

    593KB

  • MD5

    ca61c16bb94540662facaa6cf7f317f8

  • SHA1

    6fd5af916972136da2bcefb6188d1c11c905ed41

  • SHA256

    a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9

  • SHA512

    a41ebbe793b3d234921656b6ef3df75e500bb115ce3788e1bb4bc57ebda2de0dcbcdea24b51b53d8343e3b60977d2a57c577aef03613694d2c0a7346bac6eb5f

  • SSDEEP

    12288:1oGrkCEw+Is4l8O3d5Gu8y5pSqgsZsFKSB82MiEhB:1oGI3w1l8Ot5Gvy5DKEdB

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
    "C:\Users\Admin\AppData\Local\Temp\a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Undiaphanousness=Get-Content 'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Rouilles\Effektiviseret.Dia';$Trafikflyene=$Undiaphanousness.SubString(51750,3);.$Trafikflyene($Undiaphanousness)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1788
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Rouilles\Effektiviseret.Dia

    Filesize

    50KB

    MD5

    fd91c54cfd0dc5ffb898c8c6f497eb88

    SHA1

    c4ffcd13c0a7e9bf4811c19d969cdd6adae83926

    SHA256

    d947ac7f9b2519129e2352c38fef03524c8ea3abfccc968cee8fad3539508cd1

    SHA512

    7075cd28627540323a1212f677b4a8bff6945960e2ff71d6bcd4f4ea68db625b51017c9841fd1db06f156e327fcdc647391ae7d30af3a4fe60dd3be4083b0616

  • C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Undoctrinal.Tri83

    Filesize

    318KB

    MD5

    33bcb10fedd219077c00de12d43139cd

    SHA1

    92090f81150635c2142d09cae191d01c7ff79e0a

    SHA256

    67e412a4be377c5fa0e6d565b0774353e6588f6cd3bbd5774c3d51b0ee20a7a3

    SHA512

    07a6c983e2973743fc6fb86a89d6b649d05436f4c4e6321218c6122eb99afcb9d41a6a53b27f4d2a962ea1b0d9363e0f6811013d7530d3099063f1630466e16a

  • C:\Windows\SysWOW64\bores.lnk

    Filesize

    1KB

    MD5

    364cf955961bb6ef65ef9a0c55cb2b6d

    SHA1

    c9eaa40fa7c5a13f48625275c46fc56d1729dddd

    SHA256

    d868d3e0442ede82e84788663391065460b2605fa71e4b03454bdc35cc7e2c26

    SHA512

    678731a61614a6ebdfe192f3d87ad398458891afcf295361968862209c70d2486d9e3c3e979b2f4e2948bb51fa08dbe4152c5c681843936290bb74dc133bc02d

  • C:\Windows\yer.ini

    Filesize

    38B

    MD5

    e58f8a2dcf15a626bc785906a24d269a

    SHA1

    451f8692070432dbd0232c61631cb49874323fd7

    SHA256

    39b313e3f6e503de2657691e96235891834d12dab42957e62aea1c588c35bc83

    SHA512

    7c33aec2758c72eb727f156ca5946626409a1b2ad22a980801436acacac1bf05eac231a2a0cc2858d369a54cbfa3cafdbd449ce696bf6c8fcecfb53699a75bd3

  • memory/576-97-0x0000000073FE0000-0x000000007458B000-memory.dmp

    Filesize

    5.7MB

  • memory/576-96-0x0000000073FE0000-0x000000007458B000-memory.dmp

    Filesize

    5.7MB

  • memory/576-94-0x0000000073FE0000-0x000000007458B000-memory.dmp

    Filesize

    5.7MB

  • memory/576-95-0x0000000073FE0000-0x000000007458B000-memory.dmp

    Filesize

    5.7MB

  • memory/576-80-0x0000000073FE1000-0x0000000073FE2000-memory.dmp

    Filesize

    4KB

  • memory/576-100-0x00000000066C0000-0x000000000A724000-memory.dmp

    Filesize

    64.4MB

  • memory/576-101-0x0000000073FE0000-0x000000007458B000-memory.dmp

    Filesize

    5.7MB

  • memory/2808-102-0x0000000000780000-0x00000000017E2000-memory.dmp

    Filesize

    16.4MB

  • memory/2808-125-0x0000000000780000-0x00000000017E2000-memory.dmp

    Filesize

    16.4MB

  • memory/2808-126-0x0000000000780000-0x00000000007C0000-memory.dmp

    Filesize

    256KB