Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 06:38 UTC

General

  • Target

    7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c.exe

  • Size

    762KB

  • MD5

    ab81060e67501bc08bd8a3f9bac5367f

  • SHA1

    f877625633f98d1f42c50e37006f808aa61630ba

  • SHA256

    7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c

  • SHA512

    61782aa2dc9663cdeb016a0b0dac91cbb4eaee8f293a1f96486539dae32c144643b299c87745657ad0682208aa5586e1ad3340e62f99f371dbdc683eb3b2717a

  • SSDEEP

    12288:VUxAdWvsd2eUUHd8GX5b+EE203zQeDZDr0ZeVN1csr8qHv0U3TB39:VUxpa2ZUHd8GXhE20DnFf0MVNrnPx39

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    sarthiever@fosna.net
  • Password:
    (=8fPSH$KO_!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Uses the VBS compiler for execution 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c.exe
    "C:\Users\Admin\AppData\Local\Temp\7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jUTthTUyPiZyGH.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jUTthTUyPiZyGH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C19.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2860
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056

Network

  • Country: US
    DNS
    ip-api.com
    vbc.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • Country: US
    GET
    http://ip-api.com/line/?fields=hosting
    vbc.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 01 Oct 2024 06:39:39 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    vbc.exe
    Sent: 264 B
    Received: 306 B
    Packets sent: 4
    Packets received: 3

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    ip-api.com
    dns
    vbc.exe
    Sent: 56 B
    Received: 72 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8C19.tmp

    Filesize

    1KB

    MD5

    a9aeb4b3507e61c31038c1401a15eda8

    SHA1

    3a1b738d41fcb868bc6186ad5bd2db20c08f615a

    SHA256

    dfa2c272c9f67be90ddbd6c5e8e0ad56b908aec6370b18f77ac7a71acecd7acf

    SHA512

    0484f3b1c63a02569c888fe686981688224c4d883916dc5a2e1fbac5e6ad61b990f5d345a442f396ecb4ddf9c5f04ee0cb49574aee35dbd59484579eec08f9ef

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N05UWNRT9QFXQIM6G47W.temp

    Filesize

    7KB

    MD5

    dd92e86ee88e81f35f65216e8b28bebf

    SHA1

    500dc34b108ac004f244ac4d5f4a6a5eee753406

    SHA256

    5ad9e2adf1daeb3807658ca029c9b257354151914da7b01624ebcc82ab0ce5e0

    SHA512

    403a380429e5e7406e11b7d099d83f5e13d3415676568f7284e6f5923aba5ebc3a7a3e5144b1edf4b7cac7a4f746fc5acc4a55e50b68bc6bf65e426dc9e28f4d

  • memory/2544-4-0x00000000740FE000-0x00000000740FF000-memory.dmp

    Filesize

    4KB

  • memory/2544-32-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

  • memory/2544-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

    Filesize

    4KB

  • memory/2544-5-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

  • memory/2544-6-0x0000000000530000-0x00000000005B4000-memory.dmp

    Filesize

    528KB

  • memory/2544-2-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

  • memory/2544-1-0x00000000002D0000-0x0000000000394000-memory.dmp

    Filesize

    784KB

  • memory/2544-3-0x00000000003B0000-0x00000000003CE000-memory.dmp

    Filesize

    120KB

  • memory/3056-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3056-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3056-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3056-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/3056-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3056-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3056-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3056-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB
