Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 01:41

General

  • Target

    CG230511007 double ring.pdf.exe

  • Size

    698KB

  • MD5

    4a2d8f6fac5f95fc384c689d9a5927a2

  • SHA1

    97ad59b9532706d2457eb10f6902b5e2f9442566

  • SHA256

    44c35217277fbfdde4251ac9c9bad106247b6f5ca5ca0f1dbaf8f3343b364af0

  • SHA512

    43d2340d3f49c138b9c0f880617f4f730837c8983fa4a254b16ecbaa5dfef38c1643a657cf04962e9897c56fa561ede9181e3be23d24510e8cf9e186bf77cdd2

  • SSDEEP

    12288:FzjLf30WH0IieBhVpz60zapdl4VOqXEkOdu+VGBecnFj8AzPmZ:djj0yyeb/5+lfk8iFFj8MPm

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tjrOWyCGkiBRP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjrOWyCGkiBRP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE30F.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE30F.tmp

    Filesize

    1KB

    MD5

    f2df79d71213a3d71ac834c59bacb1fc

    SHA1

    40c6a1484551002c2a3473a91c1eaae8c6a0996b

    SHA256

    c6a4327b3aa8ded282aab62857f6539bc8793f685022d6a3983b65016d4a82c3

    SHA512

    738a27f3d13230086b494e4f4999c62324164724daf88a5700c241768e72904bdfb43b2feb3705c14c9ddfa9c7b1cc41f982e500045f365c931c6166dd7cba45

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RUDKJ6YFZGN7YOU95H99.temp

    Filesize

    7KB

    MD5

    5cb0bdecac75dcdb6a8139517fe0ccfe

    SHA1

    2db61a5eeef28d217516b171cabe8d76a0035973

    SHA256

    60ebd091f34fe63bfb409ef36bb8ebcc7395773942c0ef8394e96387b677639d

    SHA512

    c630964c961a21b81758e13c9078df374e7f358431f00f04a0f3df020964608119abfb99fcef9ff5cbd47d34a517cbef7d90b060651e4459afd525c9353b63a5

  • memory/2328-4-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

    Filesize

    4KB

  • memory/2328-32-0x0000000074A80000-0x000000007516E000-memory.dmp

    Filesize

    6.9MB

  • memory/2328-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

    Filesize

    4KB

  • memory/2328-5-0x0000000074A80000-0x000000007516E000-memory.dmp

    Filesize

    6.9MB

  • memory/2328-6-0x0000000005CD0000-0x0000000005D52000-memory.dmp

    Filesize

    520KB

  • memory/2328-2-0x0000000074A80000-0x000000007516E000-memory.dmp

    Filesize

    6.9MB

  • memory/2328-1-0x00000000010B0000-0x0000000001162000-memory.dmp

    Filesize

    712KB

  • memory/2328-3-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2568-20-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2568-21-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2568-25-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2568-28-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2568-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2568-29-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2568-23-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2568-31-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB