Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

4122f1d85f...97.exe

windows7-x64

10

4122f1d85f...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 15:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe

  • Size

    1.2MB

  • MD5

    ddbaaa52ea1192377573a76e4ac8fb7b

  • SHA1

    0c86f1126bde5a0ab4d5dc8eb2e7aeb8b824d474

  • SHA256

    4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897

  • SHA512

    9c01f8e5aed73ee59c710d19c711cc360eed010b3176973369c7f329ab6964946078df8c38159adef428680f42836edc773bfb8455cad25be404082ad51c4c0b

  • SSDEEP

    24576:6AHnh+eWsN3skA4RV1Hom2KXMmHa1LodOtZQo4CPAuK85:Nh+ZkldoPK8Ya1sdOtZzPL

Score
10/10
agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe
    "C:\Users\Admin\AppData\Local\Temp\4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe"
      2⤵
        PID:2932
      • C:\Users\Admin\AppData\Local\Temp\4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe
        "C:\Users\Admin\AppData\Local\Temp\4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2016

    Network

    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
      Response
      73.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-73deploystaticakamaitechnologiescom
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.53.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.53.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.ipify.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN A
      104.26.13.205
      api.ipify.org
      IN A
      172.67.74.152
      api.ipify.org
      IN A
      104.26.12.205
    • flag-us
      GET
      https://api.ipify.org/
      RegSvcs.exe
      Remote address:
      104.26.13.205:443
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 11 Sep 2024 15:04:50 GMT
      Content-Type: text/plain
      Content-Length: 13
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 8c188d72eeff9407-LHR
    • flag-us
      DNS
      205.13.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.13.26.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18deploystaticakamaitechnologiescom
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81deploystaticakamaitechnologiescom
    • flag-us
      DNS
      11.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 104.26.13.205:443
      https://api.ipify.org/
      tls, http
      RegSvcs.exe
      808 B
       3.6kB
       8
      8

      HTTP Request

      GET https://api.ipify.org/

      HTTP Response

      200
    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      73.144.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      73.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      21.53.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      21.53.126.40.in-addr.arpa

    • 8.8.8.8:53
      api.ipify.org
      dns
      RegSvcs.exe
      59 B
       107 B
       1
      1

      DNS Request

      api.ipify.org

      DNS Response

      104.26.13.205
      172.67.74.152
      104.26.12.205

    • 8.8.8.8:53
      205.13.26.104.in-addr.arpa
      dns
      72 B
       134 B
       1
      1

      DNS Request

      205.13.26.104.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      140 B
       144 B
       2
      1

      DNS Request

      18.31.95.13.in-addr.arpa

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      11.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      11.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\aut8770.tmp
      Filesize

      262KB

      MD5

      39bfd01ef86bab66becbfbd05a892e07

      SHA1

      f90aa1a123767bdabab7e5a4a40fe39c1189043c

      SHA256

      6f5072e621095e8f3b731bb3af454ff9d7dd2117415d1fdd6a4916d7e377f388

      SHA512

      30ef46ac8b1ed2f7afd13131ba34a289101e1b7e7c751b1f50dc49f9ba93ccfddff6888bd692fe237f554dec089de0d6c4d3a25d99eadb3aeb7e07429c913c91

      Download Submit

    • memory/2016-64-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-25-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2016-17-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2016-19-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2016-18-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2016-20-0x00000000740CE000-0x00000000740CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2016-21-0x0000000003270000-0x00000000032C4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2016-23-0x0000000005E80000-0x0000000006424000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2016-22-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2016-62-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-1070-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2016-26-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2016-34-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-32-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-80-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-82-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-86-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-84-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-78-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-74-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-70-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-68-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-16-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2016-66-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-24-0x0000000005840000-0x0000000005894000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2016-58-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-56-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-54-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-52-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-48-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-46-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-44-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-76-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-72-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-60-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-50-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-42-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-40-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-38-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-36-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-30-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-28-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-27-0x0000000005840000-0x000000000588D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2016-1065-0x0000000005A40000-0x0000000005AA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2016-1066-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2016-1067-0x0000000006E60000-0x0000000006EF2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2016-1069-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3692-7-0x0000000001610000-0x0000000001614000-memory.dmp

      Filesize

      16KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.