Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
316s -
max time network
1598s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
02/10/2024, 12:18
Static task
static1
Behavioral task
behavioral1
Sample
PO23100070.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
PO23100070.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
PO23100070.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
PO23100070.exe
Resource
win11-20240802-en
General
-
Target
PO23100070.exe
-
Size
657KB
-
MD5
885f5a1ad4e095da19fe160b8901cb45
-
SHA1
5cc5a214ea49654280f3b1b842c1b8a3e772ebcb
-
SHA256
03d70e61c415e7a0e2ec76c31cdaa056d05ba4a0c5424611df5b5b69c1415ff9
-
SHA512
88cb9242d726db4e73194716090b17ef76c79f422d8931a960a4d9066b5415c447c32614df5a613c28712e4231ef64cf00d58d7cfff0db9e75adf72d610e806b
-
SSDEEP
12288:WLKWTG4mCQGO93AI+6Z3i+wjYFTcqODJDKQhYLQ:0xTPeStjYFYqqDKQH
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mbarieservicesltd.com - Port:
587 - Username:
[email protected] - Password:
*o9H+18Q4%;M - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4608 powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO23100070.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO23100070.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO23100070.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1640 set thread context of 4472 1640 PO23100070.exe 76 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PO23100070.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PO23100070.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4608 powershell.exe 4608 powershell.exe 4608 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4472 PO23100070.exe Token: SeDebugPrivilege 4608 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1640 wrote to memory of 4608 1640 PO23100070.exe 74 PID 1640 wrote to memory of 4608 1640 PO23100070.exe 74 PID 1640 wrote to memory of 4608 1640 PO23100070.exe 74 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 PID 1640 wrote to memory of 4472 1640 PO23100070.exe 76 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO23100070.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO23100070.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"C:\Users\Admin\AppData\Local\Temp\PO23100070.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4472
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a