Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10/09/2024, 01:04
General
-
Target
1901fefcf83a2db8d2e4a717e382df0bdf8db7e7f48615bdc9a26b45f0b7c0ff.exe
-
Size
1019KB
-
MD5
e2c463c453c436adbf05e5f767e976b5
-
SHA1
27f01c17e41b49f3a77550a1a8e1c07a60b8bbfe
-
SHA256
1901fefcf83a2db8d2e4a717e382df0bdf8db7e7f48615bdc9a26b45f0b7c0ff
-
SHA512
32cb8b333ab384e113ad6ca3aa6e4c4bb2389834fe4790c5a2aea2bebf295c8716c8660497c808a8b4d4b586ed5db972948693a5d28865275d87a27c022efcc6
-
SSDEEP
24576:UAHnh+eWsN3skA4RV1Hom2KXMmHahCrTAUJjY5:jh+ZkldoPK8Yahc0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.eatrepeatindia.com - Port:
587 - Username:
[email protected] - Password:
QQYIO12fxBmdO - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1901fefcf83a2db8d2e4a717e382df0bdf8db7e7f48615bdc9a26b45f0b7c0ff.exe"C:\Users\Admin\AppData\Local\Temp\1901fefcf83a2db8d2e4a717e382df0bdf8db7e7f48615bdc9a26b45f0b7c0ff.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\1901fefcf83a2db8d2e4a717e382df0bdf8db7e7f48615bdc9a26b45f0b7c0ff.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
16KB