Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/09/2024, 01:16 UTC

General

  • Target

    PO_20248099-1.pdf.exe

  • Size

    669KB

  • MD5

    5d5b5ecc06b9058d0ec3199ed8617cfe

  • SHA1

    cbb1a95878e8a7a4ac09270a6dc7699c78996e28

  • SHA256

    0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6

  • SHA512

    9044d553f7ce2e00fb15bd718065c6ba1e94162b74dfde65a69ee472712866b287ccd26b52777d744edc34b2c2fa465645cb99f3b45da1e544f122acb372ca37

  • SSDEEP

    12288:3dPwqNxtOB37QmJauif0txmkuhIak+eBn7Hxz0Kt0rAt7HclhUhlru4TscPm:6OW37QVf0PRu9Qndz0hAtTclhUhldsc+

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.haliza.com.my
  • Port:
    21
  • Username:
    origin@haliza.com.my
  • Password:
    JesusChrist007$

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.haliza.com.my
  • Port:
    21
  • Username:
    origin@haliza.com.my
  • Password:
    JesusChrist007$

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO_20248099-1.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\PO_20248099-1.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_20248099-1.pdf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FrFvspxoHsPs.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20F8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\PO_20248099-1.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\PO_20248099-1.pdf.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2676

Network

  • flag-us
    DNS
    api.ipify.org
    PO_20248099-1.pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    104.26.12.205
  • flag-us
    GET
    https://api.ipify.org/
    PO_20248099-1.pdf.exe
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 01:16:41 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c97a657eeadbee9-LHR
  • flag-us
    DNS
    ftp.haliza.com.my
    PO_20248099-1.pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    ftp.haliza.com.my
    IN A
    Response
    ftp.haliza.com.my
    IN A
    110.4.45.197
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    PO_20248099-1.pdf.exe
    867 B
    3.5kB
    9
    9

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 110.4.45.197:21
    ftp.haliza.com.my
    ftp
    PO_20248099-1.pdf.exe
    791 B
    1.3kB
    13
    14
  • 110.4.45.197:64843
    ftp.haliza.com.my
    PO_20248099-1.pdf.exe
    190 B
    92 B
    4
    2
  • 110.4.45.197:63601
    ftp.haliza.com.my
    PO_20248099-1.pdf.exe
    190 B
    92 B
    4
    2
  • 8.8.8.8:53
    api.ipify.org
    dns
    PO_20248099-1.pdf.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.13.205
    104.26.12.205

  • 8.8.8.8:53
    ftp.haliza.com.my
    dns
    PO_20248099-1.pdf.exe
    63 B
    79 B
    1
    1

    DNS Request

    ftp.haliza.com.my

    DNS Response

    110.4.45.197

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp20F8.tmp

    Filesize

    1KB

    MD5

    de660666b4407ca702020077ea7a9491

    SHA1

    887a2858477e4106c2e136bc5d1de521486dc6e8

    SHA256

    7a92552bda403bb9ab1e84b4680fe4b914e9b956330deb693af9109cdb26e838

    SHA512

    9962ae16f9856558836ef50f7fe0fea6259060b8770aa2662f85f8f149bc1daf94da8c411eb98fb879d25531c6bbcc0c2da2f358e420dd51622467acd3ed4b1f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    5317cfeb7b58a99ae1ddb178d7b6b9a5

    SHA1

    4440c058ee3ed50adac10b01b4ea491da45f5e69

    SHA256

    352d477513ffd3b03de07ce9502a91989ddc6e5715279209ce7c96e7314c3d4c

    SHA512

    6fca6df7b28fffce21a7c7e6a4e8bc0073271a9e4d3a65840b7bae23d59e8674adee5b700d21488b490470c0084ba40e1545970f9f5499b3c09e4abe5aeea140

  • memory/1812-4-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

    Filesize

    4KB

  • memory/1812-32-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

  • memory/1812-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

    Filesize

    4KB

  • memory/1812-5-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

  • memory/1812-6-0x0000000005160000-0x00000000051E4000-memory.dmp

    Filesize

    528KB

  • memory/1812-2-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

  • memory/1812-1-0x0000000001340000-0x00000000013EE000-memory.dmp

    Filesize

    696KB

  • memory/1812-3-0x0000000000470000-0x0000000000482000-memory.dmp

    Filesize

    72KB

  • memory/2676-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2676-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2676-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2676-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2676-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2676-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2676-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2676-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB