Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4c06d00bd2...86.exe

windows7-x64

10

4c06d00bd2...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 01:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe

  • Size

    689KB

  • MD5

    4204cc89996eedd07e48b855fdfdc773

  • SHA1

    30780fa47a2f022102755d4b33cf429d25a893bb

  • SHA256

    4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86

  • SHA512

    74eb0c8298d4c03a7958b00335ea9ec597499fa7682f61f659f0c5a0f68f1eb0270a4aa2133ecdcf431be28e42a02e6660053153141c798c942b1751209b9be3

  • SSDEEP

    12288:tRo1nSVygJA6psrecYWyiKRPTCHDP/8dlgTsL0czZgFwQLr0hKH:tRo1SVVAWs4riAPTCHTYggZgCq+K

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    cp8nl.hyperhost.ua
  • Port:
    587
  • Username:
    aaronlog@tycoelectronics.top
  • Password:
    7213575aceACE@#$

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    cp8nl.hyperhost.ua
  • Port:
    587
  • Username:
    aaronlog@tycoelectronics.top
  • Password:
    7213575aceACE@#$
  • Email To:
    aaron@tycoelectronics.top

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe
    "C:\Users\Admin\AppData\Local\Temp\4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VzxWktexVIFRzv.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VzxWktexVIFRzv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5B3.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5008
    • C:\Users\Admin\AppData\Local\Temp\4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe
      "C:\Users\Admin\AppData\Local\Temp\4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    cp8nl.hyperhost.ua
    4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe
    Remote address:
    8.8.8.8:53
    Request
    cp8nl.hyperhost.ua
    IN A
    Response
    cp8nl.hyperhost.ua
    IN A
    185.174.175.187
  • flag-us
    DNS
    187.175.174.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    187.175.174.185.in-addr.arpa
    IN PTR
    Response
    187.175.174.185.in-addr.arpa
    IN PTR
    cp8nl hyperhostua
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    25.140.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.140.123.92.in-addr.arpa
    IN PTR
    Response
    25.140.123.92.in-addr.arpa
    IN PTR
    a92-123-140-25deploystaticakamaitechnologiescom
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.174.175.187:587
    cp8nl.hyperhost.ua
    smtp-submission
    4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe
    2.8kB
     6.9kB
     23
    22
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    cp8nl.hyperhost.ua
    dns
    4c06d00bd2ccb64a93bb8019bbea91c83e4f6931d7c7fdc2469545a0a93a9c86.exe
    64 B
     80 B
     1
    1

    DNS Request

    cp8nl.hyperhost.ua

    DNS Response

    185.174.175.187

  • 8.8.8.8:53
    187.175.174.185.in-addr.arpa
    dns
    74 B
     106 B
     1
    1

    DNS Request

    187.175.174.185.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    25.140.123.92.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    25.140.123.92.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ott2xajo.xla.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB5B3.tmp
    Filesize

    1KB

    MD5

    86e3eda36186911674c732bfae55a7be

    SHA1

    af10a4fab51c68671541b959651f1bc1020f00b4

    SHA256

    50daffda5b639011982fc941a4ae721f00b348b7fb0b69801f4443cb8eef202e

    SHA512

    2e155d1ebd96421931da9a02d2cb14c32325e5c0faa8cfd124877a0b5f950350d56e3f96a862f8986fa8e1edbe57b23190dd1227fe44b0c38db99ab541b770ea

    Download Submit

  • memory/1436-6-0x00000000057C0000-0x00000000057D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1436-3-0x00000000055D0000-0x0000000005662000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1436-4-0x0000000005680000-0x000000000568A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1436-5-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1436-2-0x0000000005B80000-0x0000000006124000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1436-7-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-8-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1436-9-0x0000000005AF0000-0x0000000005B72000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1436-10-0x00000000086A0000-0x000000000873C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1436-48-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1436-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-1-0x0000000000B20000-0x0000000000BD2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1492-36-0x0000000005B50000-0x0000000005EA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1492-51-0x0000000006730000-0x0000000006762000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1492-18-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1492-21-0x0000000005190000-0x00000000051B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1492-22-0x00000000059A0000-0x0000000005A06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1492-16-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1492-87-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1492-83-0x00000000077A0000-0x00000000077A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1492-17-0x0000000005270000-0x0000000005898000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1492-82-0x00000000077C0000-0x00000000077DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1492-80-0x00000000076C0000-0x00000000076D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1492-23-0x0000000005A10000-0x0000000005A76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1492-15-0x0000000004BB0000-0x0000000004BE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1492-79-0x00000000076B0000-0x00000000076BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1492-50-0x00000000061A0000-0x00000000061EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1492-19-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1492-52-0x0000000075730000-0x000000007577C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1492-62-0x0000000007120000-0x000000000713E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1492-63-0x0000000007150000-0x00000000071F3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1492-65-0x0000000007480000-0x000000000749A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1492-64-0x0000000007AD0000-0x000000000814A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1492-66-0x00000000074F0000-0x00000000074FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1492-77-0x0000000007700000-0x0000000007796000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1492-78-0x0000000007680000-0x0000000007691000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1560-67-0x0000000075730000-0x000000007577C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1560-49-0x0000000005790000-0x00000000057AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1560-46-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1560-26-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1560-34-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1560-86-0x0000000074E80000-0x0000000075630000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2092-35-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2092-81-0x00000000067B0000-0x0000000006800000-memory.dmp

    Filesize

    320KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.