Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Balance payment.exe

windows7-x64

10

Balance payment.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 10:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Balance payment.exe

  • Size

    1.3MB

  • MD5

    deb3b7e5c7d073079936294b9c2d58ca

  • SHA1

    53654c644deb674d7e67abd5537eabe2889df4da

  • SHA256

    b19f2dd9632dae7234700971da09d82204d078a1f6c5d6e5beabae30513e07be

  • SHA512

    454b786d2371c126bf16519f626f52294879cf880900029bf34dc73025f095d030536d32fc48c5fb9dbfa824aa07f1403404b9dd61d84747a31be15a6e657a89

  • SSDEEP

    24576:q84aWZczwnZlZAyLX4wFX3Ub0mgXh/x9YlYSz/4H4444C:q84aK6eZlZVkb84lYSz/4H4444C

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    web@iaa-airferight.com
  • Password:
    webmaster
  • Email To:
    mail@iaa-airferight.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 38
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2536
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 39
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2896
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 39
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:688
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
            PID:2148
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            4⤵
              PID:2364

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe
        Filesize

        1.3MB

        MD5

        deb3b7e5c7d073079936294b9c2d58ca

        SHA1

        53654c644deb674d7e67abd5537eabe2889df4da

        SHA256

        b19f2dd9632dae7234700971da09d82204d078a1f6c5d6e5beabae30513e07be

        SHA512

        454b786d2371c126bf16519f626f52294879cf880900029bf34dc73025f095d030536d32fc48c5fb9dbfa824aa07f1403404b9dd61d84747a31be15a6e657a89

        Download Submit

      • memory/2000-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-1-0x0000000001020000-0x000000000116C000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2000-2-0x0000000000C20000-0x0000000000CBE000-memory.dmp

        Filesize

        632KB

        Download

      • memory/2000-3-0x0000000074A30000-0x000000007511E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2000-4-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-5-0x0000000074A30000-0x000000007511E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2000-6-0x0000000074A30000-0x000000007511E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2148-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2148-20-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2148-27-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2148-24-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2148-22-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2160-18-0x00000000007D0000-0x00000000007EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2160-19-0x00000000007F0000-0x00000000007F6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2160-17-0x0000000000290000-0x00000000003DC000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2364-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.