Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
02/01/2025, 11:03
250102-m5tcvs1rer 10Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/01/2025, 11:03
Static task
static1
Behavioral task
behavioral1
Sample
Shipping Docs PO888748IJ.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Shipping Docs PO888748IJ.exe
Resource
win10v2004-20241007-en
General
-
Target
Shipping Docs PO888748IJ.exe
-
Size
475KB
-
MD5
cf173ca1db13dfc7237fd33630926b65
-
SHA1
783e42e20da75ea1a2fd7a02e3824f251f26cf4f
-
SHA256
1b9d152c5cd6e2904ada0ca707dbd2bb089ac59f8b07723490552a000848cc54
-
SHA512
31a7210e2ef813763225c39f5c42f00cd7899539755fd090e256ab17a16c88238e9a659bed9cf4bfd9f5bcb310fb850a6e2e04c41aaf1f2f8fd98db99fa8addc
-
SSDEEP
6144:Y9yYMqdl+a/ZNntauGBOaYcR/uVc3fTlAoOjlrrhTFInd6Xcfg9UJU8:2dMqdl+YZNorUVcvWoOJFTWndm+
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://s4.serv00.com - Port:
21 - Username:
f2241_evico - Password:
Doll650#@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "C:\\Users\\Admin\\AppData\\Roaming\\adobe\\adobe.exe" Shipping Docs PO888748IJ.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 4 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2124 set thread context of 2056 2124 Shipping Docs PO888748IJ.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shipping Docs PO888748IJ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shipping Docs PO888748IJ.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2124 Shipping Docs PO888748IJ.exe 2056 Shipping Docs PO888748IJ.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2056 Shipping Docs PO888748IJ.exe 2056 Shipping Docs PO888748IJ.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2056 Shipping Docs PO888748IJ.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2056 Shipping Docs PO888748IJ.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30 PID 2124 wrote to memory of 2056 2124 Shipping Docs PO888748IJ.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping Docs PO888748IJ.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Docs PO888748IJ.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\Shipping Docs PO888748IJ.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Docs PO888748IJ.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1