Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 10:36 UTC

General

  • Target

    Balance payment.exe

  • Size

    1.3MB

  • MD5

    deb3b7e5c7d073079936294b9c2d58ca

  • SHA1

    53654c644deb674d7e67abd5537eabe2889df4da

  • SHA256

    b19f2dd9632dae7234700971da09d82204d078a1f6c5d6e5beabae30513e07be

  • SHA512

    454b786d2371c126bf16519f626f52294879cf880900029bf34dc73025f095d030536d32fc48c5fb9dbfa824aa07f1403404b9dd61d84747a31be15a6e657a89

  • SSDEEP

    24576:q84aWZczwnZlZAyLX4wFX3Ub0mgXh/x9YlYSz/4H4444C:q84aK6eZlZVkb84lYSz/4H4444C

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    web@iaa-airferight.com
  • Password:
    webmaster
  • Email To:
    mail@iaa-airferight.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 38
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2536
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "files" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 39
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2896
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 39
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:688
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          PID:2148
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.exe
    Filesize
    1.3MB
    MD5
    deb3b7e5c7d073079936294b9c2d58ca
    SHA1
    53654c644deb674d7e67abd5537eabe2889df4da
    SHA256
    b19f2dd9632dae7234700971da09d82204d078a1f6c5d6e5beabae30513e07be
    SHA512
    454b786d2371c126bf16519f626f52294879cf880900029bf34dc73025f095d030536d32fc48c5fb9dbfa824aa07f1403404b9dd61d84747a31be15a6e657a89

  • memory/2000-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp
    Filesize
    4KB

  • memory/2000-1-0x0000000001020000-0x000000000116C000-memory.dmp
    Filesize
    1.3MB

  • memory/2000-2-0x0000000000C20000-0x0000000000CBE000-memory.dmp
    Filesize
    632KB

  • memory/2000-3-0x0000000074A30000-0x000000007511E000-memory.dmp
    Filesize
    6.9MB

  • memory/2000-4-0x0000000074A3E000-0x0000000074A3F000-memory.dmp
    Filesize
    4KB

  • memory/2000-5-0x0000000074A30000-0x000000007511E000-memory.dmp
    Filesize
    6.9MB

  • memory/2000-6-0x0000000074A30000-0x000000007511E000-memory.dmp
    Filesize
    6.9MB

  • memory/2148-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2148-20-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize
    256KB

  • memory/2148-27-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize
    256KB

  • memory/2148-24-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize
    256KB

  • memory/2148-22-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize
    256KB

  • memory/2160-18-0x00000000007D0000-0x00000000007EA000-memory.dmp
    Filesize
    104KB

  • memory/2160-19-0x00000000007F0000-0x00000000007F6000-memory.dmp
    Filesize
    24KB

  • memory/2160-17-0x0000000000290000-0x00000000003DC000-memory.dmp
    Filesize
    1.3MB

  • memory/2364-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB