
Analysis

  • max time kernel
    129s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25/11/2024, 01:15 UTC

General

  • Target

    7feb46642a3f0b52c674a37cc97401099ca549915cda95b8129930769d323700.exe

  • Size

    613KB

  • MD5

    b8b8a28bf11f2f2fe8efe10bdc69a9b6

  • SHA1

    c66505c850b9c0797bad3daa79eeac7996862a55

  • SHA256

    7feb46642a3f0b52c674a37cc97401099ca549915cda95b8129930769d323700

  • SHA512

    ca9b88b4906835e31cf0f6f2d265227982ed1780761d650a36f08462d3f9bab42286cf4d37fcff293299bc5499cf934f0637efe48ee7963bbcecd622b7cf0ada

  • SSDEEP

    12288:3KpT0+zVTbd/MADksy09D1SBtQpFvkNgNCcl:3Kh0+tNby0xYBt0k67

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp-mail.outlook.com
  • Port:
    587
  • Username:
    importexport0200@outlook.com
  • Password:
    chinest123

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Agenttesla family
  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7feb46642a3f0b52c674a37cc97401099ca549915cda95b8129930769d323700.exe
    "C:\Users\Admin\AppData\Local\Temp\7feb46642a3f0b52c674a37cc97401099ca549915cda95b8129930769d323700.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vIpRlPRUzyJd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C5D.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4676
    • C:\Users\Admin\AppData\Local\Temp\7feb46642a3f0b52c674a37cc97401099ca549915cda95b8129930769d323700.exe
      "C:\Users\Admin\AppData\Local\Temp\7feb46642a3f0b52c674a37cc97401099ca549915cda95b8129930769d323700.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4164

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4164-16-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/4164-28-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4164-27-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4164-26-0x0000000006470000-0x00000000064C0000-memory.dmp

    Filesize

    320KB

  • memory/4164-24-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4164-23-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4164-22-0x0000000006290000-0x00000000062F6000-memory.dmp

    Filesize

    408KB

  • memory/4164-21-0x0000000005620000-0x0000000005638000-memory.dmp

    Filesize

    96KB

  • memory/4164-19-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4164-18-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4664-5-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4664-10-0x0000000006700000-0x0000000006760000-memory.dmp

    Filesize

    384KB

  • memory/4664-9-0x00000000065B0000-0x000000000664C000-memory.dmp

    Filesize

    624KB

  • memory/4664-20-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4664-8-0x0000000074DE0000-0x0000000075590000-memory.dmp

    Filesize

    7.7MB

  • memory/4664-7-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

    Filesize

    4KB

  • memory/4664-6-0x0000000006270000-0x000000000627A000-memory.dmp

    Filesize

    40KB

  • memory/4664-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

    Filesize

    4KB

  • memory/4664-4-0x0000000004C80000-0x0000000004C8A000-memory.dmp

    Filesize

    40KB

  • memory/4664-3-0x0000000004BD0000-0x0000000004C62000-memory.dmp

    Filesize

    584KB

  • memory/4664-2-0x00000000052C0000-0x0000000005864000-memory.dmp

    Filesize

    5.6MB

  • memory/4664-1-0x0000000000140000-0x00000000001DE000-memory.dmp

    Filesize

    632KB
