Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/09/2024, 01:41
Static task: static1
Behavioral task: behavioral1 (the run reported below; its resource matches the analysis header)
  Sample: CG230511007 double ring.pdf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: CG230511007 double ring.pdf.exe
  Resource: win10v2004-20240802-en
General
Target: CG230511007 double ring.pdf.exe
The double extension is the lure: with Explorer's default "Hide extensions for known file types" setting the name is displayed as CG230511007 double ring.pdf.
Size: 698KB
MD5: 4a2d8f6fac5f95fc384c689d9a5927a2
SHA1: 97ad59b9532706d2457eb10f6902b5e2f9442566
SHA256: 44c35217277fbfdde4251ac9c9bad106247b6f5ca5ca0f1dbaf8f3343b364af0
SHA512: 43d2340d3f49c138b9c0f880617f4f730837c8983fa4a254b16ecbaa5dfef38c1643a657cf04962e9897c56fa561ede9181e3be23d24510e8cf9e186bf77cdd2
SSDEEP: 12288:FzjLf30WH0IieBhVpz60zapdl4VOqXEkOdu+VGBecnFj8AzPmZ:djj0yyeb/5+lfk8iFFj8MPm
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: manlikeyou88
Email To: [email protected]
These SMTP settings are the exfiltration channel: the sample authenticates to the listed mailbox and mails stolen data to the "Email To" address. The host and the sender mailbox are the indicators to block and hunt for; the credentials identify an attacker-controlled or compromised mailbox whose provider or owner should be notified.
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. The extracted configuration above is its exfiltration channel: stolen data is sent by SMTP through mail.iaa-airferight.com on port 587 with the listed mailbox credentials.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
PowerShell is run to add Windows Defender exclusions. Defender exclusions can cover file extensions, paths and processes; both invocations in this run add path exclusions (-ExclusionPath), one for the sample's own path in the user's Temp directory and one for an executable under AppData\Roaming whose name matches the scheduled task created below. Add-MpPreference requires an elevated session, so a successful exclusion also tells you the sample ran with administrative rights. On a live host, compare against the current exclusion list (Get-MpPreference, ExclusionPath) and check the Defender operational log for event 5007, which records each configuration change.
pid   Process
2672  powershell.exe
2976  powershell.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (1 IoC)
The target, 2568, is a second instance of the sample started by 2328, and 2328 also writes into 2568's memory nine times (see WriteProcessMemory below). A parent that rewrites a freshly spawned copy of itself and then changes its thread context is consistent with process hollowing: the child's image is replaced with the unpacked payload and its entry point redirected before it runs. If that is confirmed, the memory of 2568 is where to dump the unpacked Agent Tesla build from.
description                          pid   Process                          procid_target
PID 2328 set thread context of 2568  2328  CG230511007 double ring.pdf.exe  37

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives.

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the host's geographical location. The same key is also opened by the powershell.exe and schtasks.exe children, so on its own this is a low-fidelity indicator; weigh it together with the other behaviours here.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    CG230511007 double ring.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    CG230511007 double ring.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Updates\tjrOWyCGkiBRP is created from an XML definition in the user's Temp directory (see Processes); the XML holds the trigger and the action, so recover that file, or export the created task, to learn what runs and when.
pid   Process
2744  schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
2328  CG230511007 double ring.pdf.exe
2328  CG230511007 double ring.pdf.exe
2568  CG230511007 double ring.pdf.exe
2568  CG230511007 double ring.pdf.exe
2976  powershell.exe
2672  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2328  CG230511007 double ring.pdf.exe
Token: SeDebugPrivilege  2568  CG230511007 double ring.pdf.exe
Token: SeDebugPrivilege  2672  powershell.exe
Token: SeDebugPrivilege  2976  powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
The 21 entries collapse to four parent-to-child edges. The four writes into each of the PowerShell and schtasks children are typical of process creation itself; the nine writes into 2568, paired with the SetThreadContext call on the same process, are the injection.
description                        pid   Process                          procid_target  count
PID 2328 wrote to memory of 2976   2328  CG230511007 double ring.pdf.exe  31             4
PID 2328 wrote to memory of 2672   2328  CG230511007 double ring.pdf.exe  33             4
PID 2328 wrote to memory of 2744   2328  CG230511007 double ring.pdf.exe  35             4
PID 2328 wrote to memory of 2568   2328  CG230511007 double ring.pdf.exe  37             9
Processes
The children's image paths are under SysWOW64 while their command lines name System32: the sample is a 32-bit process, and WoW64 file-system redirection resolves System32 to SysWOW64 for it. Hunts that key on the image path should cover both locations.

C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe (PID 2328, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2976, depth 2, parent 2328)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2672, depth 2, parent 2328)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tjrOWyCGkiBRP.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2744, depth 2, parent 2328)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjrOWyCGkiBRP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE30F.tmp"
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe (PID 2568, depth 2, parent 2328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
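The signatures and the process tree above can be read back mechanically. What follows is an added example, not part of the Triage report and not the sandbox's own code: a small Python triage helper that parses the flattened "wrote to memory" and "set thread context" IoC text in the shape the report prints it, joins it with a process table constructed from the process tree above, and raises the three findings a responder would act on from this report: the self-injection into PID 2568, the two Defender path exclusions, and the scheduled task built from an XML file in Temp. The process table, the regular expressions and the function names are assumptions of this example.

```python
"""Added example: triage findings from the flattened Triage IoC lines above.
Not the sandbox's code; the process table is constructed from the report."""
import re
from collections import Counter

# Constructed: the WriteProcessMemory and SetThreadContext IoC text in the
# shape the report prints it (4, 4, 4 and 9 repeated entries).
WRITE_IOCS = (
    "PID 2328 wrote to memory of 2976 2328 CG230511007 double ring.pdf.exe 31 " * 4
    + "PID 2328 wrote to memory of 2672 2328 CG230511007 double ring.pdf.exe 33 " * 4
    + "PID 2328 wrote to memory of 2744 2328 CG230511007 double ring.pdf.exe 35 " * 4
    + "PID 2328 wrote to memory of 2568 2328 CG230511007 double ring.pdf.exe 37 " * 9
)
CONTEXT_IOCS = "PID 2328 set thread context of 2568 2328 CG230511007 double ring.pdf.exe 37"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process table mirroring the process tree:
# (pid, parent pid, image path, command line).
PROCESSES = [
    (2328, None, SAMPLE, f'"{SAMPLE}"'),
    (2976, 2328, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CG230511007 double ring.pdf.exe"'),
    (2672, 2328, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tjrOWyCGkiBRP.exe"'),
    (2744, 2328, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjrOWyCGkiBRP" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE30F.tmp"'),
    (2568, 2328, SAMPLE, f'"{SAMPLE}"'),
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"([^"]+)"', re.I)
SCHTASKS_RE = re.compile(r'/Create\b.*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.I)


def parse_edges(text, pattern):
    """Collapse the repeated IoC entries into (source pid, target pid) -> count."""
    return Counter((int(src), int(dst)) for src, dst in pattern.findall(text))


def find_self_injection(processes, writes, contexts):
    """Parent writes into a child it spawned, then sets the child's thread
    context, and the child runs the same image as the parent: the process
    hollowing pattern (payload written over a fresh copy, entry point moved)."""
    image = {pid: img for pid, _, img, _ in processes}
    parent = {pid: ppid for pid, ppid, _, _ in processes}
    return [
        {"parent": src, "child": dst, "writes": n, "image": image.get(src)}
        for (src, dst), n in writes.items()
        if contexts.get((src, dst)) and parent.get(dst) == src and image.get(dst) == image.get(src)
    ]


def find_defender_exclusions(processes):
    """Paths, processes or extensions the sample told Defender to ignore."""
    return [
        (pid, kind, value)
        for pid, _, _, cmd in processes
        for kind, value in EXCLUSION_RE.findall(cmd)
    ]


def find_temp_xml_tasks(processes):
    """schtasks /Create fed an XML definition from the user's Temp directory:
    the task name and the XML path are what to pull from the host."""
    hits = []
    for pid, _, img, cmd in processes:
        if not img.lower().endswith("\\schtasks.exe"):
            continue
        match = SCHTASKS_RE.search(cmd)
        if match and "\\appdata\\local\\temp\\" in match.group(2).lower():
            hits.append((pid, match.group(1), match.group(2)))
    return hits


def triage(processes=PROCESSES, write_text=WRITE_IOCS, context_text=CONTEXT_IOCS):
    """Run every check and return the findings keyed by name."""
    writes = parse_edges(write_text, WRITE_RE)
    contexts = parse_edges(context_text, CONTEXT_RE)
    return {
        "memory_writes": dict(writes),
        "self_injection": find_self_injection(processes, writes, contexts),
        "defender_exclusions": find_defender_exclusions(processes),
        "temp_xml_tasks": find_temp_xml_tasks(processes),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

The self-injection check deliberately requires all three conditions (memory writes, a thread-context change, and a child with the parent's own image) so that the four creation-time writes into the PowerShell and schtasks children do not fire it; run against the table above it reports exactly one hit, PID 2328 into PID 2568 with nine writes.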
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)
Downloads

Filesize: 1KB
MD5: f2df79d71213a3d71ac834c59bacb1fc
SHA1: 40c6a1484551002c2a3473a91c1eaae8c6a0996b
SHA256: c6a4327b3aa8ded282aab62857f6539bc8793f685022d6a3983b65016d4a82c3
SHA512: 738a27f3d13230086b494e4f4999c62324164724daf88a5700c241768e72904bdfb43b2feb3705c14c9ddfa9c7b1cc41f982e500045f365c931c6166dd7cba45

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RUDKJ6YFZGN7YOU95H99.temp
A jump-list file under Recent\CustomDestinations is normally written by Windows when an application such as PowerShell is launched; its presence here is a side effect of the PowerShell children running rather than a payload the sample dropped.
Filesize: 7KB
MD5: 5cb0bdecac75dcdb6a8139517fe0ccfe
SHA1: 2db61a5eeef28d217516b171cabe8d76a0035973
SHA256: 60ebd091f34fe63bfb409ef36bb8ebcc7395773942c0ef8394e96387b677639d
SHA512: c630964c961a21b81758e13c9078df374e7f358431f00f04a0f3df020964608119abfb99fcef9ff5cbd47d34a517cbef7d90b060651e4459afd525c9353b63a5