Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/12/2024, 01:07
Static task: static1
Behavioral task: behavioral1
Sample: doc02417120024.exe
Resource: win7-20240903-en
General
Target: doc02417120024.exe
Size: 950KB
MD5: bd28f9a835c67ce45b3a3ca02f6737a2
SHA1: 16dc478690c24f29b52186f0ed8c152007fdbaeb
SHA256: 2f089d43e47839f07590fc97fbd2bbe91f08ff02d50b3a6b7fe68f3e1a81026d
SHA512: c811d48001aade05a917e89770277a0af0a5f10639c1dd63c66d99728650c877d74f843ab4c9f57847f1654fe7240606072c51383a90811ec6aeb62ee91e2290
SSDEEP: 12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCBWGvAbhGCPvkK3X1rGs2:uRmJkcoQricOIQxiZY1iaCBtvgvLdG9J
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Agenttesla family

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process             procid_target
  PID 2128 set thread context of 2200  2128  doc02417120024.exe  31

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  doc02417120024.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2200  RegSvcs.exe
  2200  RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2128  doc02417120024.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2200  RegSvcs.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process             procid_target
  PID 2128 wrote to memory of 2200  2128  doc02417120024.exe  31
  (this identical entry is recorded 8 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
   PID: 2128
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
   PID: 2200
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 263KB
MD5: 2d4142656f20e40ebcbb93ce8e567a0d
SHA1: 13f8557b225fa9d6ebb32ee4df65e13ed11c602a
SHA256: 1e73812a841938226b643b351f2681fa7c97a1cfe7e24d2a5e54aa43bb822ec6
SHA512: 331d89c906c088216494162e896a79c80b7983861970a5c803dfcffb13e3826014b4c84b08333cfa4ac64e7a031632e7d3950acae800498acdff5d1097375acb