Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: Balance payment.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Balance payment.exe
  Resource: win10v2004-20240802-en
General
Target: Balance payment.exe
Size: 1.3MB
MD5: deb3b7e5c7d073079936294b9c2d58ca
SHA1: 53654c644deb674d7e67abd5537eabe2889df4da
SHA256: b19f2dd9632dae7234700971da09d82204d078a1f6c5d6e5beabae30513e07be
SHA512: 454b786d2371c126bf16519f626f52294879cf880900029bf34dc73025f095d030536d32fc48c5fb9dbfa824aa07f1403404b9dd61d84747a31be15a6e657a89
SSDEEP: 24576:q84aWZczwnZlZAyLX4wFX3Ub0mgXh/x9YlYSz/4H4444C:q84aK6eZlZVkb84lYSz/4H4444C
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: webmaster
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. The extracted configuration above holds the SMTP account it uses to mail stolen data out.
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe (cmd.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe (cmd.exe)
Executes dropped EXE (1 IoC)
  PID 2160 files.exe
Loads dropped DLL (2 IoCs)
  PID 3028 cmd.exe (2 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\files = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\files.exe" (reg.exe)
  Note that the Run value points at the copy in the Startup folder, so both autostart paths launch the same binary at logon.
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe (2), PING.EXE (3), reg.exe, files.exe, Balance payment.exe
  As the list itself shows, stock system binaries such as PING.EXE and reg.exe read this key during startup, so on its own this signature is weak evidence.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 5 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 2536 PING.EXE, PID 3028 cmd.exe, PID 2896 PING.EXE, PID 688 PING.EXE, PID 2224 cmd.exe
  In this report every ping targets 127.0.0.1 with -n 38 or -n 39, which idles for roughly 37 to 38 seconds (ping waits about one second between echoes); the calls are a sleep, not a connectivity test, and the signature is a false match.
Runs ping.exe (1 TTP, 3 IoCs)
  PID 2536 PING.EXE, PID 2896 PING.EXE, PID 688 PING.EXE
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 2000 Balance payment.exe (6 entries), PID 2160 files.exe (5 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2000 Balance payment.exe
  Token: SeDebugPrivilege, PID 2160 files.exe
Suspicious use of WriteProcessMemory (52 IoCs)
  source PID -> target PID | source process | procid_target | entries
  2000 -> 2224 | Balance payment.exe | 30 | 4
  2224 -> 2536 | cmd.exe | 32 | 4
  2000 -> 3028 | Balance payment.exe | 34 | 4
  3028 -> 2896 | cmd.exe | 36 | 4
  2224 -> 2768 | cmd.exe | 37 | 4
  3028 -> 688 | cmd.exe | 38 | 4
  3028 -> 2160 | cmd.exe | 39 | 4
  2160 -> 2148 | files.exe | 40 | 12
  2160 -> 2364 | files.exe | 41 | 12
  Every ordinary parent-child pair in this tree shows exactly four writes, the baseline the sandbox records for process creation. The twelve writes from files.exe into each InstallUtil.exe child, both started with no command-line arguments, are the outlier and are consistent with the unpacked payload being injected into a signed .NET host process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Balance payment.exe (PID 2000)
    command: "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2224)
        command: "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE (PID 2536)
            command: ping 127.0.0.1 -n 38
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
        [3] C:\Windows\SysWOW64\reg.exe (PID 2768)
            command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\cmd.exe (PID 3028)
        command: "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
        - Drops startup file
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE (PID 2896)
            command: ping 127.0.0.1 -n 39
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
        [3] C:\Windows\SysWOW64\PING.EXE (PID 688)
            command: ping 127.0.0.1 -n 39
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe (PID 2160)
            command: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 2148)
                command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 2364)
                command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Read top to bottom, the chain is: the dropper spawns two cmd.exe instances that each use ping against 127.0.0.1 as a roughly 37 second sleep, one registers a Run value that points into the Startup folder while the other copies the dropper there as files.exe and launches it, and files.exe then starts two InstallUtil.exe processes with no arguments and writes into them. Both cmd.exe instances run under SysWOW64, so the sample itself is a 32-bit binary.
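The two behaviours in this process tree, the ping-as-sleep persistence chain and the argument-less InstallUtil.exe children that the parent writes into, can be turned into detection logic over process telemetry. The following is an added example written for this page; it is not Triage's code and not part of the sample. The event schema (type, pid, ppid, image, cmdline, target) is this example's own assumption, and the events are constructed from the process tree above, plus one constructed benign InstallUtil.exe run as a control.

```python
"""Detection example for the persistence and injection pattern in this report.

Added example, not Triage's code. The event records below are constructed from
the report's process tree; the field names are this example's own assumption.
"""
import re
from collections import Counter

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
RUN_KEY_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" '
               r'/t REG_SZ /d "' + STARTUP + '"')

# Constructed process-creation events modelled on the report (pid, ppid, image, command line).
EVENTS = [
    {"type": "process", "pid": 2000, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"'},
    {"type": "process", "pid": 2224, "ppid": 2000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd" /c ping 127.0.0.1 -n 38 > nul && ' + RUN_KEY_CMD},
    {"type": "process", "pid": 2536, "ppid": 2224, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 38"},
    {"type": "process", "pid": 2768, "ppid": 2224, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": RUN_KEY_CMD},
    {"type": "process", "pid": 3028, "ppid": 2000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": ('"cmd" /c ping 127.0.0.1 -n 39 > nul && copy '
                 r'"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe" "' + STARTUP + '" '
                 '&& ping 127.0.0.1 -n 39 > nul && "' + STARTUP + '"')},
    {"type": "process", "pid": 2896, "ppid": 3028, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 39"},
    {"type": "process", "pid": 688, "ppid": 3028, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 39"},
    {"type": "process", "pid": 2160, "ppid": 3028, "image": STARTUP, "cmdline": '"' + STARTUP + '"'},
    {"type": "process", "pid": 2148, "ppid": 2160, "image": INSTALLUTIL, "cmdline": '"' + INSTALLUTIL + '"'},
    {"type": "process", "pid": 2364, "ppid": 2160, "image": INSTALLUTIL, "cmdline": '"' + INSTALLUTIL + '"'},
    # Constructed benign control: a build shell installing a service with explicit arguments.
    {"type": "process", "pid": 4100, "ppid": 4000, "image": INSTALLUTIL,
     "cmdline": '"' + INSTALLUTIL + '" /i MyService.exe'},
]
# The report records 12 WriteProcessMemory calls from files.exe into each InstallUtil.exe child.
EVENTS += [{"type": "memwrite", "pid": 2160, "target": t} for t in (2148, 2364) for _ in range(12)]

PING_SLEEP = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul", re.I)
RUN_KEY = re.compile(r'\breg\s+add\s+"?HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)'
                     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)
STARTUP_COPY = re.compile(r"\bcopy\b.*\\Start Menu\\Programs\\Startup\\", re.I | re.S)
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def ping_sleep_seconds(cmdline):
    """ping sends its -n N echoes one second apart, so `ping 127.0.0.1 -n N > nul` idles about N-1 s."""
    return sum(int(n) - 1 for n in PING_SLEEP.findall(cmdline))


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) image path."""
    m = FIRST_TOKEN.match(cmdline)
    return bool(m and m.group(1).strip())


def detect_ping_persistence(events, min_sleep=10):
    """cmd.exe that sleeps via loopback ping and then persists via a Run key or a Startup-folder copy."""
    hits = []
    for ev in events:
        if ev["type"] != "process" or not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        cl = ev["cmdline"]
        reasons = []
        if RUN_KEY.search(cl):
            reasons.append("run-key")
        if STARTUP_COPY.search(cl):
            reasons.append("startup-folder-copy")
        sleep = ping_sleep_seconds(cl)
        if reasons and sleep >= min_sleep:
            hits.append({"pid": ev["pid"], "sleep_s": sleep, "reasons": reasons})
    return hits


def detect_installutil_injection(events, min_writes=1):
    """InstallUtil.exe launched with no arguments whose parent then wrote into its memory."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes = Counter((e["pid"], e["target"]) for e in events if e["type"] == "memwrite")
    hits = []
    for p in procs.values():
        if not p["image"].lower().endswith("\\installutil.exe") or has_arguments(p["cmdline"]):
            continue
        n = writes.get((p["ppid"], p["pid"]), 0)
        if n >= min_writes:
            parent = procs.get(p["ppid"], {}).get("image", "<unknown>")
            hits.append({"pid": p["pid"], "parent": parent, "writes": n})
    return hits


if __name__ == "__main__":
    for h in detect_ping_persistence(EVENTS):
        print("persistence:", h)
    for h in detect_installutil_injection(EVENTS):
        print("injection:", h)
```

On real telemetry, map process-creation records (Sysmon Event ID 1, for instance) onto the `process` entries and whatever cross-process write events your EDR exposes onto `memwrite`; the benign control shows why the argument check matters, since InstallUtil.exe run with an installer path and no parent writes is normal developer activity.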
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Submitted sample (same hashes as under General)
Filesize: 1.3MB
MD5: deb3b7e5c7d073079936294b9c2d58ca
SHA1: 53654c644deb674d7e67abd5537eabe2889df4da
SHA256: b19f2dd9632dae7234700971da09d82204d078a1f6c5d6e5beabae30513e07be
SHA512: 454b786d2371c126bf16519f626f52294879cf880900029bf34dc73025f095d030536d32fc48c5fb9dbfa824aa07f1403404b9dd61d84747a31be15a6e657a89