Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 14:02 UTC

General

  • Target

    2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe

  • Size

    880KB

  • MD5

    2848499aebee5841059bad117a1ab308

  • SHA1

    5edcf56b7813b75ce4abb8df12bf9e15e99f3a37

  • SHA256

    2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd

  • SHA512

    747c2630e280e5e7b2e49d53bdfead37d6d0a796902ded9ce5a2f6b159dc4a6054d892f58385e8b0d9c11192e3546703b03ab938d8739ddf9d2b34d85653ca7c

  • SSDEEP

    12288:4VusZ6Gkd8j0Ik2aBfxJVTigpzyxtnP2aN3zFxSFNtHflLBXFmhoWeVKmMzuX0J:Gkdw0qan/igAiExK/lLB1u3KYuX0J

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    web@iaa-airferight.com
  • Password:
    webmaster
  • Email To:
    mail@iaa-airferight.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe
    "C:\Users\Admin\AppData\Local\Temp\2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bBcTIznEmDz.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bBcTIznEmDz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe
      "C:\Users\Admin\AppData\Local\Temp\2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

  • flag-us
    DNS
    api.ipify.org
    2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    104.26.12.205
  • flag-us
    GET
    https://api.ipify.org/
    2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 14:02:36 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8cf6ab6b384f76d5-LHR
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe
    919 B
    3.8kB
    10
    10

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 8.8.8.8:53
    api.ipify.org
    dns
    2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.13.205
    104.26.12.205

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp

    Filesize

    1KB

    MD5

    075d986e2e9c3047fd10ea19c91b6781

    SHA1

    c68f0a3f00863257881b94c33dd0b9d28bce0d36

    SHA256

    e394141b4387e68adb6628bb052b8f072c056fe0db8aa036e1be6b69bbc1b475

    SHA512

    ae72a9587d2e33d9aec7d68dcea5d2ecb926c0ac929675785412bc247e5b7fc63da38368d007808239f2af19686f73f08b78c0b6e137629d25d4cf2a2b929994

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\77GGXZ70WMO2C0BL9PWY.temp

    Filesize

    7KB

    MD5

    4477d61d92fde8c37c2aba94e5653afc

    SHA1

    bbc8e3dd26c34482bf039cf586a68d88de1c6a67

    SHA256

    11350dafcd669c8426ea0234200b67271065caf3f544a9c81bc6a31abc2b38c1

    SHA512

    7eb5f05a369f1a9f64ca642ffb3ff1e2bbbedad9d25b91b217237a694bb274f07583c2f993062be6e2b28b3ed56d2791638abbdef80e2c1dc9b1c4b996706b1f

  • memory/2184-4-0x000000007490E000-0x000000007490F000-memory.dmp

    Filesize

    4KB

  • memory/2184-32-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2184-0-0x000000007490E000-0x000000007490F000-memory.dmp

    Filesize

    4KB

  • memory/2184-5-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2184-6-0x00000000053F0000-0x0000000005472000-memory.dmp

    Filesize

    520KB

  • memory/2184-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2184-1-0x0000000000CD0000-0x0000000000DB2000-memory.dmp

    Filesize

    904KB

  • memory/2184-3-0x0000000000360000-0x0000000000370000-memory.dmp

    Filesize

    64KB

  • memory/2628-31-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2628-28-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2628-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2628-25-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2628-23-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2628-19-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2628-21-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2628-29-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB