Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Invoice Co...on.exe

windows7-x64

10

Invoice Co...on.exe

windows10-2004-x64

10

Resubmissions

03/01/2025, 23:07

250103-2344xa1kcj 10

03/01/2025, 12:42

250103-pxdcsatray 10

03/01/2025, 12:26

250103-pmhvhstlhw 10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2025, 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice Confirmation.exe

  • Size

    810.6MB

  • MD5

    63395033fc8d13ddd17e74e4bb13d5d6

  • SHA1

    0a65c313504c8bcac8dc2eec944dd078a71ce384

  • SHA256

    c322c179201974d21315230539606d1292a9159527f3f2eafa9d6167e8f51ae2

  • SHA512

    4a1eb33f370ac2ba32bea1af287abe753edfa63e493e9045960303b1990c1cbdb289dd3ebd273ff87ad68b912b4e016877dd3f78b8ed5ce373a3f20b581a0718

  • SSDEEP

    12288:mIR4R52J+XtyfG+Lzb6C65feSfSecDAMEnLwh8aFfxc1C0rmZdXm8qzd9p2MIR:mIeeJfG+LNzecKiVfaBiHXU9pTI

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6882044231:AAEdfz6RtcLc5FDAwOwS8UYabnK3tQ7x4bs/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice Confirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice Confirmation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:1932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice Confirmation.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KmihxwKU.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:324
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KmihxwKU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD088.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2268
    • C:\Users\Admin\AppData\Local\Temp\Invoice Confirmation.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice Confirmation.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6769758,0x7fef6769768,0x7fef6769778
      2⤵
        PID:900
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:2
        2⤵
          PID:2772
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:8
          2⤵
            PID:2960
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1300 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:8
            2⤵
              PID:1572
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2148 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:1
              2⤵
                PID:1708
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:1
                2⤵
                  PID:980
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:2
                  2⤵
                    PID:2436
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:1
                    2⤵
                      PID:1684
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1220,i,3418786860588828143,599414929832974855,131072 /prefetch:8
                      2⤵
                        PID:2904
                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                      1⤵
                        PID:2916

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                        Filesize

                        16B

                        MD5

                        aefd77f47fb84fae5ea194496b44c67a

                        SHA1

                        dcfbb6a5b8d05662c4858664f81693bb7f803b82

                        SHA256

                        4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                        SHA512

                        b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                        Filesize

                        264KB

                        MD5

                        f50f89a0a91564d0b8a211f8921aa7de

                        SHA1

                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                        SHA256

                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                        SHA512

                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                        Filesize

                        633B

                        MD5

                        67fcaac28ab1907199ca2d1c7ffba9a1

                        SHA1

                        86119b2c8c8a0af4d10428be27bdc01bbdf244e8

                        SHA256

                        ab371761588da55731f864728abbf5b8fc9caec4165d52d52176012fa95895fe

                        SHA512

                        90a928a2509c52ecc98393ab53f9ec40166fd6d8f37806bc382da477b0b6c7f3d7a5f79369cf716b480c52bef698f384bfb413595fef6bc89fd968ba7f92fb10

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        f434c6d2ddbb16efdca979c4a0432b4d

                        SHA1

                        a34219420b9d8f84d395ad77553f2e3586447115

                        SHA256

                        f604ed8fedd3d54c0f3545a73322d0f53f7b83e3511d067ab9d14b5c9abd6ce9

                        SHA512

                        07c55b718f8acdf06900202505f67f78f2bb5cb2c0dd04c4fbde012b4793c3ccc90b80716cfd64ca728972212a17553dc97c378311814401a9a6a3a24417dba6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        be15d4cff7674ccdb5c98da46406d750

                        SHA1

                        5d174aef6f74cdda479acdc40341d12aadd73870

                        SHA256

                        3d76fbd2f1058770ae0c4b99f1383bda28cb39c483f9566287e503fb004f72d7

                        SHA512

                        3a6d0302d2d4e008aa5a1f563c9666555f46d6fdc62572268988c56660f12f3a0561712b5792b91b3ef145396add23d70d116c6949f0395329bcc5226712f7bd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp
                        Filesize

                        16B

                        MD5

                        18e723571b00fb1694a3bad6c78e4054

                        SHA1

                        afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                        SHA256

                        8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                        SHA512

                        43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpD088.tmp
                        Filesize

                        1KB

                        MD5

                        cf78337eb0b2be834365602cf7e093e2

                        SHA1

                        f8cdffd20a50efeb7bde12e4154f00f4a8cccadb

                        SHA256

                        218edf59ceb85ac08c62ebb30426db22c1f6c1cda45b6e9d0d974ae06864ecde

                        SHA512

                        d9bdc3ebdc5bb3f91e41c6c4b9a08cf4a92b1af36405a9cdaf94e3a6fe066af9d34de9f73a793b092700733a37da0e80a06679883e7d46e5f50f23a61a7dca0f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        f96d210d8d3d1a6250e7cb6062f31a4e

                        SHA1

                        af5ef881fbad94a7f19513d688c062e71fe50041

                        SHA256

                        c9587dcdb5376b78cb7b17699922733ad754a9658e6415b0b0d4a0b0171aa8ba

                        SHA512

                        9047d7f91f6790fe57fd9c97df77f0eeb2384f287e025f9f88460ae70c100d2b63687fe3f659fad89a02e75cacd734a57a55e462030f7fc25aa99a1b353ddffa

                        Download Submit

                      • memory/1764-67-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1764-73-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1764-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1764-77-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1764-79-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1764-76-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1764-70-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1764-71-0x0000000000400000-0x0000000000442000-memory.dmp

                        Filesize

                        264KB

                        Download

                      • memory/1932-54-0x00000000046A0000-0x0000000004726000-memory.dmp

                        Filesize

                        536KB

                        Download

                      • memory/1932-80-0x0000000073F60000-0x000000007464E000-memory.dmp

                        Filesize

                        6.9MB

                        Download

                      • memory/1932-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1932-5-0x0000000073F60000-0x000000007464E000-memory.dmp

                        Filesize

                        6.9MB

                        Download

                      • memory/1932-4-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1932-3-0x0000000000AF0000-0x0000000000B08000-memory.dmp

                        Filesize

                        96KB

                        Download

                      • memory/1932-2-0x0000000073F60000-0x000000007464E000-memory.dmp

                        Filesize

                        6.9MB

                        Download

                      • memory/1932-1-0x0000000000A30000-0x0000000000AE6000-memory.dmp

                        Filesize

                        728KB

                        Download