Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/10/2024, 16:41
Static task
static1
Behavioral task
behavioral1
Sample
Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe
Resource
win10v2004-20240802-en
General
-
Target
Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe
-
Size
1.5MB
-
MD5
cc158aa6faf4d7abc757d357ac0b111b
-
SHA1
693a957e2210967db1b81b2eac16c84ad5ca94f8
-
SHA256
56e087b21f37332101df269e8ca633b63c00d5eddc6b6ebe276a75da8a2c942f
-
SHA512
3f30e11dd2c46ba3ae577d132dbfc79c403b489b1f5c1a0103e4e84f3f812c80faff8cf218d427a9af873e38eef96b60839b0a121887b66e5951e8fb5c2163fa
-
SSDEEP
12288:cCygz6bfdp5RnvciPNLBBgYCuyVkfemJ2DkI0PsH77MwAQ6H+Uy1Susr8MmH3jD:Dof5RnEIL8u0TDkTk5BZZS5R0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.greengroup.pk - Port:
587 - Username:
[email protected] - Password:
@@@greentech123###
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral1/memory/2736-19-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2736-23-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2736-16-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2736-15-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2736-21-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2480 set thread context of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2968 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 2736 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 2736 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe Token: SeDebugPrivilege 2736 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2736 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2480 wrote to memory of 2968 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 31 PID 2480 wrote to memory of 2968 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 31 PID 2480 wrote to memory of 2968 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 31 PID 2480 wrote to memory of 2968 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 31 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 PID 2480 wrote to memory of 2736 2480 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe 33 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe"C:\Users\Admin\AppData\Local\Temp\Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEgYcR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B8D.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe"C:\Users\Admin\AppData\Local\Temp\Quotion and Basic design for crownex LLC Targeted For August 2021 for Installation.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5287405f7af21ed4a371b5dc1b3f52f1c
SHA1d59ec7fa48c88af7c526a9e2ddfad507369d6473
SHA2565fc0456a397127334d3bbbe0f516f03a12aef096b8689ee9ba44fa22c3a46dc3
SHA51273d1996f7cafa2ed97374f79dc6677e88498ecaf95a3f70a3f5cabeb61f81f85d16f25808a7d60f654aa99c663f121246d313c7453badf92ad9e72523b8e82dd