Analysis

  • max time kernel
    117s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/08/2024, 01:54 UTC

General

  • Target

    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe

  • Size

    759KB

  • MD5

    0fb924daed2b6b5f4a33c2b587e3e545

  • SHA1

    8cbc28661676d1b3d85c2824903758b9db765cdf

  • SHA256

    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0

  • SHA512

    44f24051cbc3d574a2695c4f29c9ec74c4e4ea97dfad638f7d597b6d3f4a506a5fdc86f0734ff969df55820ce9e1a3ec961aa99ebd91fdef442ac6048481832b

  • SSDEEP

    12288:Pj2iNeSY+aZrwrJLmN33QC82o5d+qtjMXDgZBiW9EeWGYrBVsx7issZ0rYNUt9sV:714/4rJL9X2o5d+UYzgGW9EtGYrkHsZX

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    evdanco.ru
  • Port:
    587
  • Username:
    oleg@evdanco.ru
  • Password:
    [xkgyDSlzA(_
  • Email To:
    oleg@evdanco.ru

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    "C:\Users\Admin\AppData\Local\Temp\9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JCKVIjWXwSt.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JCKVIjWXwSt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1600.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2900
    • C:\Users\Admin\AppData\Local\Temp\9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
      "C:\Users\Admin\AppData\Local\Temp\9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2760

Network

  • DNS
    api.ipify.org
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.12.205
  • GET
    https://api.ipify.org/
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    Remote address:
    104.26.13.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 07 Aug 2024 01:54:40 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8af3a3dbee9d48ce-LHR
  • DNS
    ip-api.com
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • GET
    http://ip-api.com/line/?fields=hosting
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 07 Aug 2024 01:54:40 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • DNS
    evdanco.ru
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    Remote address:
    8.8.8.8:53
    Request
    evdanco.ru
    IN A
    Response
    evdanco.ru
    IN A
    80.96.42.133
  • 104.26.13.205:443
    https://api.ipify.org/
    tls, http
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    867 B
    3.5kB
    9
    9

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    310 B
    347 B
    5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 80.96.42.133:587
    evdanco.ru
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    152 B
    3
  • 8.8.8.8:53
    api.ipify.org
    dns
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.13.205
    172.67.74.152
    104.26.12.205

  • 8.8.8.8:53
    ip-api.com
    dns
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    evdanco.ru
    dns
    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0.exe
    56 B
    72 B
    1
    1

    DNS Request

    evdanco.ru

    DNS Response

    80.96.42.133

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1600.tmp

    Filesize

    1KB

    MD5

    00d29004ea6495c9658df45817e2d8ec

    SHA1

    ab3bb75d7e820eb03e4463c8c29c9e1aeeb42ee8

    SHA256

    a99ee2f3949b1e569c6f16c3337a67d7c1d7dcfbdf564996ad8fd5216d371093

    SHA512

    58cb91d26bb491f169b44c658b39132fda973173f0840e917cd1e6a487a0452cb3ae788706f35c5c4255ed8b1ba4c0629db7001102bf5b64d5a72aad8a9324e8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    26d2d9c717f557ef6d12f36dc06389ee

    SHA1

    c920b11eeac05cf8d0cb4bf8a23fba730059939c

    SHA256

    f49caca0ed345969b22071ba5707e8570974b28e0faeee3d15ff5a4a511c00fb

    SHA512

    f5995f61beba6cebbce7b2ca8cd225d6408fd9953a128c19eb8f8c46dac7de07734c43bfa383018f52f57193154bf46c5be1a12c302498693d7438fb33393890

  • C:\Users\Admin\AppData\Roaming\VsUPptm\VsUPptm.exe

    Filesize

    759KB

    MD5

    0fb924daed2b6b5f4a33c2b587e3e545

    SHA1

    8cbc28661676d1b3d85c2824903758b9db765cdf

    SHA256

    9c198d45b6b531e823d3f3ed273ea0d660cb05017f1a09b050a855ba9a9166d0

    SHA512

    44f24051cbc3d574a2695c4f29c9ec74c4e4ea97dfad638f7d597b6d3f4a506a5fdc86f0734ff969df55820ce9e1a3ec961aa99ebd91fdef442ac6048481832b

  • memory/2708-32-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB

  • memory/2708-1-0x0000000000930000-0x00000000009F4000-memory.dmp

    Filesize

    784KB

  • memory/2708-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB

  • memory/2708-3-0x00000000003E0000-0x00000000003F2000-memory.dmp

    Filesize

    72KB

  • memory/2708-4-0x0000000000470000-0x000000000047A000-memory.dmp

    Filesize

    40KB

  • memory/2708-5-0x00000000004C0000-0x00000000004CE000-memory.dmp

    Filesize

    56KB

  • memory/2708-6-0x0000000004D00000-0x0000000004D8A000-memory.dmp

    Filesize

    552KB

  • memory/2708-7-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

    Filesize

    4KB

  • memory/2708-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

    Filesize

    4KB

  • memory/2760-20-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2760-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2760-30-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2760-31-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2760-26-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2760-24-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2760-29-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2760-22-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB