Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

M.V ELITE ...cr.exe

windows7-x64

10

M.V ELITE ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 05:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe

  • Size

    738KB

  • MD5

    6cca484df391ecb807f2059ae3faff4f

  • SHA1

    0a44afff854e0bf52383f57993fd4868b285547d

  • SHA256

    8e3db35284b6e1ea560c14a69ea4dfd6ef8e27fe9974a609116d00f2d764bfeb

  • SHA512

    7dd9ac73c7c663325124a7d7d4800efbd5f555df9f1d07a2c10a9aa9af6e8e740e5a9eb596e4b2259d5182d1634de01689f9c68c3e6906bf08427631dc152edf

  • SSDEEP

    12288:RYOFCwgqaVouO3u8/67RGXEUPr1wzGSrM40Wxt0TAK7LSCQNRXU2P4G4ij/rZ8JB:RNC/qaSuO3j/yMXEUT1or4WxtVKaxf/+

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Users\Admin\AppData\Local\Temp\M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:536

Network

  • flag-us
    DNS
    api.ipify.org
    M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.12.205
    api.ipify.org
    IN A
    104.26.13.205
  • flag-us
    GET
    https://api.ipify.org/
    M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 20 Aug 2024 05:27:25 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8b5ff9607ec0643d-LHR
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe
    873 B
     3.8kB
     9
    10

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 8.8.8.8:53
    api.ipify.org
    dns
    M.V ELITE DIVA SHIP's PARTICULARS.pdf.scr.exe
    59 B
     107 B
     1
    1

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.12.205
    104.26.13.205

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/536-9-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-8-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-23-0x00000000748D0000-0x0000000074FBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/536-13-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-20-0x00000000748D0000-0x0000000074FBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/536-19-0x00000000748D0000-0x0000000074FBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/536-7-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-17-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-15-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/536-10-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2540-3-0x00000000004A0000-0x00000000004B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2540-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-1-0x0000000000880000-0x000000000093E000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2540-6-0x00000000051C0000-0x0000000005242000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2540-5-0x00000000004C0000-0x00000000004D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2540-18-0x00000000748D0000-0x0000000074FBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2540-4-0x00000000748D0000-0x0000000074FBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2540-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.