Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Shipping D...51.exe

windows7-x64

3

Shipping D...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2025, 07:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Docs Waybill No 2009 xxxx 351.exe

  • Size

    1.1MB

  • MD5

    354725d3df06a1f01c0fe40b5613f21f

  • SHA1

    28a300ab00a8e2d8b218adc084a2b946309d4fb7

  • SHA256

    635e20a681b1d8e8a4318e345cff50dc04cbd032a7414640137cbf5fa1c09a84

  • SHA512

    9c8b7807ce0531a688c26426b90352a6d21f9cfe7df480d484bea46d451ba5e6f6a56570a86a6be6673a6e38013ddb46bfbdfa9115c216c7807c6fec5218b78e

  • SSDEEP

    24576:yr/LaBQDJDFlGOhvP7iUOpqYqjpYlA7dfUWTpSuaWV0cMc92:yvvDrGkvP7iUw98p57dflbaWOcMC2

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2241_evica
  • Password:
    Doll650@@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\Shipping Docs Waybill No 2009 xxxx 351.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping Docs Waybill No 2009 xxxx 351.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3240
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1048

    Network

    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      167.173.78.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      167.173.78.104.in-addr.arpa
      IN PTR
      Response
      167.173.78.104.in-addr.arpa
      IN PTR
      a104-78-173-167deploystaticakamaitechnologiescom
    • flag-us
      DNS
      api.ipify.org
      InstallUtil.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN A
      172.67.74.152
      api.ipify.org
      IN A
      104.26.12.205
      api.ipify.org
      IN A
      104.26.13.205
    • flag-us
      GET
      https://api.ipify.org/
      InstallUtil.exe
      Remote address:
      172.67.74.152:443
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Mon, 13 Jan 2025 07:16:33 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 901399fa88bb777f-LHR
      server-timing: cfL4;desc="?proto=TCP&rtt=53025&min_rtt=47872&rtt_var=22947&sent=6&recv=5&lost=0&retrans=0&sent_bytes=2980&recv_bytes=452&delivery_rate=66676&cwnd=243&unsent_bytes=0&cid=dbc7eba60c628f40&ts=217&x=0"
    • flag-us
      DNS
      152.74.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      152.74.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.66.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.66.18.2.in-addr.arpa
      IN PTR
      Response
      24.66.18.2.in-addr.arpa
      IN PTR
      a2-18-66-24deploystaticakamaitechnologiescom
    • flag-us
      DNS
      249.110.86.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      249.110.86.104.in-addr.arpa
      IN PTR
      Response
      249.110.86.104.in-addr.arpa
      IN PTR
      a104-86-110-249deploystaticakamaitechnologiescom
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 172.67.74.152:443
      https://api.ipify.org/
      tls, http
      InstallUtil.exe
      854 B
       3.8kB
       9
      9

      HTTP Request

      GET https://api.ipify.org/

      HTTP Response

      200
    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      167.173.78.104.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      167.173.78.104.in-addr.arpa

    • 8.8.8.8:53
      api.ipify.org
      dns
      InstallUtil.exe
      59 B
       107 B
       1
      1

      DNS Request

      api.ipify.org

      DNS Response

      172.67.74.152
      104.26.12.205
      104.26.13.205

    • 8.8.8.8:53
      152.74.67.172.in-addr.arpa
      dns
      72 B
       134 B
       1
      1

      DNS Request

      152.74.67.172.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      24.66.18.2.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      24.66.18.2.in-addr.arpa

    • 8.8.8.8:53
      249.110.86.104.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      249.110.86.104.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1048-1342-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1048-1345-0x0000000005330000-0x0000000005396000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1048-1344-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1048-1343-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1048-1348-0x0000000006890000-0x00000000068E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1048-1351-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1048-1350-0x0000000006B30000-0x0000000006B3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1048-1349-0x0000000006980000-0x0000000006A12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3240-30-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-22-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-5-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-62-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-66-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-64-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-58-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-56-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-60-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-54-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-52-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-51-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-48-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-46-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-42-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-40-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-38-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-36-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-34-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-32-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-10-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-26-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-24-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-12-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-20-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-18-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-14-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-44-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-28-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-16-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-9-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-6-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-3-0x0000000005AC0000-0x0000000005BCC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3240-1325-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3240-1326-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3240-1327-0x0000000005BD0000-0x0000000005C3C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/3240-1328-0x0000000005C80000-0x0000000005CEA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/3240-1329-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3240-1330-0x00000000745DE000-0x00000000745DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3240-1331-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3240-2-0x0000000005AC0000-0x0000000005BD2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3240-1-0x0000000000F80000-0x00000000010A4000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3240-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3240-1332-0x0000000006610000-0x0000000006BB4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3240-1333-0x0000000005F60000-0x0000000005FB4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/3240-1337-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3240-1340-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3240-1341-0x00000000745D0000-0x0000000074D80000-memory.dmp

      Filesize

      7.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.