Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/12/2024, 01:10
Static task
static1
Behavioral task
behavioral1
Sample
K98766700.exe
Resource
win7-20240903-en
General
-
Target
K98766700.exe
-
Size
589KB
-
MD5
e39c7cf026df55a909a7e18eea93b027
-
SHA1
1a41eb5df90bcc53c0a80ce38fa99747de6eb237
-
SHA256
b862fbe92f3de0e033b66e3c9d3afad4d6ff41d8b3553094f66a98db6ba59f0c
-
SHA512
711c3fddc4aaa37afa6f1c11ff426edfe19ebfae6d955abd23699887d9cf5f31038c2812ac526190d3c7d4fa7a094117be45d75acc6b16fd80c1d13d2eb426f6
-
SSDEEP
12288:zVAf8axZKrGhdYzjLKUxlyQs6U2+8sq6hcBy+QjnHYyFhqaX3ub:GZKrudYzjL/xp95b6RbCaX3ub
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.antoniomayol.com:21 - Port:
21 - Username:
[email protected] - Password:
cMhKDQUk1{;%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" K98766700.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions K98766700.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2732 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools K98766700.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion K98766700.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion K98766700.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA K98766700.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" K98766700.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum K98766700.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 K98766700.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2712 set thread context of 2720 2712 K98766700.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2732 powershell.exe 2720 AddInProcess32.exe 2720 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2732 powershell.exe Token: SeDebugPrivilege 2720 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2732 2712 K98766700.exe 32 PID 2712 wrote to memory of 2732 2712 K98766700.exe 32 PID 2712 wrote to memory of 2732 2712 K98766700.exe 32 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2720 2712 K98766700.exe 34 PID 2712 wrote to memory of 2616 2712 K98766700.exe 35 PID 2712 wrote to memory of 2616 2712 K98766700.exe 35 PID 2712 wrote to memory of 2616 2712 K98766700.exe 35 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" K98766700.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\K98766700.exe"C:\Users\Admin\AppData\Local\Temp\K98766700.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\K98766700.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2712 -s 8042⤵PID:2616
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
2