Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 01:28 UTC

General

  • Target

    9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e.exe

  • Size

    723KB

  • MD5

    df30947662e982996810396f8998687c

  • SHA1

    ab1cca67c1d71f95e516a21995d2965761bc6829

  • SHA256

    9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e

  • SHA512

    41e148f5bd8fe19754f6c676323a1b022c0e79d3be5c5de8b3fc030e2dedb46877e5ff792da2965fc8cfc701724ea914a61a80d43590e77421820d22bb484b9a

  • SSDEEP

    12288:ZFw5wFD3n6UwXUTCBvvFfg6DUT0/PSnyUt9H+nruF39h9sAFJEyvQXDkR:ZF4K9wXKIvFfZRGyI9enr6H93bnQXW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    sarthiever@fosna.net
  • Password:
    (=8fPSH$KO_!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Uses the VBS compiler for execution 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e.exe
    "C:\Users\Admin\AppData\Local\Temp\9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OsYPcQX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsYPcQX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB319.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2968
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:1292
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936

    Network

    • US
      DNS
      ip-api.com
      vbc.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • US
      GET
      http://ip-api.com/line/?fields=hosting
      vbc.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 02 Oct 2024 01:29:03 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 5
      Access-Control-Allow-Origin: *
      X-Ttl: 37
      X-Rl: 42
    • 208.95.112.1:80
      http://ip-api.com/line/?fields=hosting
      http
      vbc.exe
      310 B
      346 B
      5
      4

      HTTP Request

      GET http://ip-api.com/line/?fields=hosting

      HTTP Response

      200
    • 8.8.8.8:53
      ip-api.com
      dns
      vbc.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB319.tmp

      Filesize

      1KB

      MD5

      ba7f867dca704f8d22e8c05563facade

      SHA1

      2ff73738ecdcf5320868607938ed83c904a43a03

      SHA256

      889a19ad89cf446d334a0d27e0210864be408df71e5c718110830ca17059e4fe

      SHA512

      06eb49bbe010330ac94e4162d6edb3ca6ad0ea82760b8b9afa70ae842cace86a5c467f96d96544b38cb07c9b67d2904d8f7354549743332627b11a278f155d42

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S32CYIZDZW5R2J6NSFSN.temp

      Filesize

      7KB

      MD5

      f1d6f9d1ebeadc393d5fac57d0875d71

      SHA1

      de1eeb0a93525c30c5152f3179bdb05ce676026a

      SHA256

      5a24ee5b547a386b797a8835421ce6809244fea30a26f27dea9241a2024e1028

      SHA512

      9ca0c6afb944b35aa1682562ae55b2524c5e7e81425e672f844968351a50d1f3ffe1467d6dbe61314d0eb6812a106743aa61fbc78ddc0b2bf9751378b840c104

    • memory/1936-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/1936-29-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1936-19-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1936-21-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1936-23-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1936-25-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1936-28-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1936-30-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/3068-6-0x0000000000AB0000-0x0000000000B34000-memory.dmp

      Filesize

      528KB

    • memory/3068-1-0x0000000000ED0000-0x0000000000F88000-memory.dmp

      Filesize

      736KB

    • memory/3068-0-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

      Filesize

      4KB

    • memory/3068-2-0x0000000073D10000-0x00000000743FE000-memory.dmp

      Filesize

      6.9MB

    • memory/3068-3-0x00000000009D0000-0x00000000009EE000-memory.dmp

      Filesize

      120KB

    • memory/3068-5-0x0000000073D10000-0x00000000743FE000-memory.dmp

      Filesize

      6.9MB

    • memory/3068-4-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

      Filesize

      4KB

    • memory/3068-31-0x0000000073D10000-0x00000000743FE000-memory.dmp

      Filesize

      6.9MB
