Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

PO23100070.exe

windows10-1703-x64

10

PO23100070.exe

windows7-x64

10

PO23100070.exe

windows10-2004-x64

10

PO23100070.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    316s
  • max time network
    1598s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/10/2024, 12:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO23100070.exe

  • Size

    657KB

  • MD5

    885f5a1ad4e095da19fe160b8901cb45

  • SHA1

    5cc5a214ea49654280f3b1b842c1b8a3e772ebcb

  • SHA256

    03d70e61c415e7a0e2ec76c31cdaa056d05ba4a0c5424611df5b5b69c1415ff9

  • SHA512

    88cb9242d726db4e73194716090b17ef76c79f422d8931a960a4d9066b5415c447c32614df5a613c28712e4231ef64cf00d58d7cfff0db9e75adf72d610e806b

  • SSDEEP

    12288:WLKWTG4mCQGO93AI+6Z3i+wjYFTcqODJDKQhYLQ:0xTPeStjYFYqqDKQH

Score
10/10
agentteslacollectiondiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.mbarieservicesltd.com
  • Port:
    587
  • Username:
    saless@mbarieservicesltd.com
  • Password:
    *o9H+18Q4%;M
  • Email To:
    iinfo@mbarieservicesltd.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO23100070.exe
    "C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4608
    • C:\Users\Admin\AppData\Local\Temp\PO23100070.exe
      "C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4472

Network

  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    40.173.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.173.79.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • 52.111.236.23:443
    322 B
     7
  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    40.173.79.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    40.173.79.40.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO23100070.exe.log
    Filesize

    1KB

    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhpnx25c.3gs.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/1640-9-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1640-1-0x00000000009D0000-0x0000000000A7A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1640-4-0x00000000052C0000-0x00000000052CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1640-5-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1640-6-0x0000000005610000-0x00000000056AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1640-7-0x00000000055F0000-0x000000000560A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1640-8-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1640-0-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1640-10-0x0000000007C40000-0x0000000007CB0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1640-3-0x0000000005330000-0x00000000053C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1640-2-0x0000000005790000-0x0000000005C8E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1640-15-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4472-11-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4472-124-0x0000000006300000-0x00000000064C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4472-123-0x00000000060E0000-0x0000000006130000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4472-20-0x0000000004DE0000-0x0000000004E46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4472-14-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4472-271-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4608-24-0x0000000007240000-0x00000000072A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4608-47-0x00000000704C0000-0x000000007050B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4608-19-0x0000000006B30000-0x0000000007158000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4608-26-0x0000000007430000-0x0000000007780000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4608-27-0x0000000007920000-0x000000000793C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4608-28-0x0000000007940000-0x000000000798B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4608-29-0x0000000007BC0000-0x0000000007C36000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4608-22-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4608-46-0x0000000008AE0000-0x0000000008B13000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4608-23-0x00000000071A0000-0x00000000071C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4608-48-0x0000000008AC0000-0x0000000008ADE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4608-53-0x0000000008C20000-0x0000000008CC5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/4608-54-0x0000000009050000-0x00000000090E4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/4608-21-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4608-18-0x0000000004140000-0x0000000004176000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4608-249-0x0000000008FB0000-0x0000000008FCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4608-254-0x0000000008F90000-0x0000000008F98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4608-270-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4608-25-0x0000000073A80000-0x000000007416E000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.