
Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/09/2024, 01:58 UTC

General

  • Target

    db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe

  • Size

    619KB

  • MD5

    c7ccd6f20a8823292de551558f4c800d

  • SHA1

    21fdbfc05880349c3142cbd81b7e730dbd3b6519

  • SHA256

    db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6

  • SHA512

    d99203b937997242466ee5d9f940455b88c137528996ac24a28c6832b22f9ae2b03ccd12ac3df838243a37e75ecfa8563dddead74af1fbbfed567c982f7ad0dd

  • SSDEEP

    12288:m07kvZsu2BNGp1e5tDbXZz73ftkdjQwIbhlEqbffAxrtOhE4Z:m0oZwCe51XZ/tkdRqbff25

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://cash4cars.nz
  • Port:
    21
  • Username:
    logbox@cash4cars.nz
  • Password:
    -[([pqM~nGA4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
    "C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KNKQeCkus.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KNKQeCkus" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD901.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      "C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe"
      2⤵
        PID:2900
      • C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
        "C:\Users\Admin\AppData\Local\Temp\db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2848

    Network

    • flag-us
      DNS
      api.ipify.org
      db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
    • flag-us
      DNS
      api.ipify.org
      db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
    • flag-us
      DNS
      api.ipify.org
      db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
    • flag-us
      DNS
      api.ipify.org
      db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
    • flag-us
      DNS
      api.ipify.org
      db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
    • 8.8.8.8:53
      api.ipify.org
      dns
      db7308540dbe1895e72ec124ae574fca2b219afbf13924d1e52b06c1b535b9d6.exe
      295 B
      5

      DNS Request

      api.ipify.org

      DNS Request

      api.ipify.org

      DNS Request

      api.ipify.org

      DNS Request

      api.ipify.org

      DNS Request

      api.ipify.org

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD901.tmp

      Filesize

      1KB

      MD5

      701a1dcac37ff96dc81b2ae73a881bc4

      SHA1

      44bee4b32cef7b3eda051c517b28a180455ab6c3

      SHA256

      fb71b32b69e48856d31ada21e8ab4657a4ac631b584ae3378f761802f9c1ca18

      SHA512

      ebce8526a179565d6ffc1b4f819ddb9f9b978820d40bd59b2642ae833f096972ad777d618f0c83c77cf3c54dd80282dac73fee16a0f3e2a9e31a84f305390611

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      5bb744d7e5f784e6f33a3922d90228f6

      SHA1

      65e4722935e12143a951136ec03c86e57fab0faf

      SHA256

      e890f3dae8310dd4e9337806afcad4f400fa85b36aa75a3b5d394d81a68186c7

      SHA512

      ef3c89a9550d2a4035c58a87b78731501657db41ee6a39a87bf8eb49f378953e6c622c9f1271d50691b9e00c3d9dd02cea662be926e079ba2ddf4c2248b5641a

    • memory/2524-4-0x000000007411E000-0x000000007411F000-memory.dmp

      Filesize

      4KB

    • memory/2524-32-0x0000000074110000-0x00000000747FE000-memory.dmp

      Filesize

      6.9MB

    • memory/2524-3-0x0000000000380000-0x0000000000390000-memory.dmp

      Filesize

      64KB

    • memory/2524-5-0x0000000074110000-0x00000000747FE000-memory.dmp

      Filesize

      6.9MB

    • memory/2524-6-0x0000000005340000-0x00000000053C2000-memory.dmp

      Filesize

      520KB

    • memory/2524-1-0x00000000001C0000-0x0000000000262000-memory.dmp

      Filesize

      648KB

    • memory/2524-2-0x0000000074110000-0x00000000747FE000-memory.dmp

      Filesize

      6.9MB

    • memory/2524-0-0x000000007411E000-0x000000007411F000-memory.dmp

      Filesize

      4KB

    • memory/2848-19-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2848-28-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2848-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2848-25-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2848-23-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2848-21-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2848-31-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2848-29-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB
