Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/01/2025, 01:31 UTC

General

  • Target

    e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca.exe

  • Size

    1.5MB

  • MD5

    8d74e66b2bdcbcfb6aa7c4c54b44a0a6

  • SHA1

    e6bbae6c93c0ef06597eca50a02327d22dfe4e10

  • SHA256

    e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca

  • SHA512

    b97574494c3c2c2902e75fb21274ece399c2769f9c0bc17a6e999532b9018656c3c1391c3a18c4b7a36735f4ceb9629bfdebba165ae92b53b8a989dbbb39511e

  • SSDEEP

    24576:T7D0ycznC5JO5NlLZXTW/U9v1RIAhjLoamMiX4lNmZg0YxegPbUIDPP:T7YvC5JO5NlLZDFLjLoyEkmZ9Y14

Malware Config

Extracted

Family

agenttesla

Credentials (the SMTP account the sample authenticates to in order to mail stolen data out; the "Email To" address is the collection mailbox)

  • Protocol:
    smtp
  • Host:
    mail.translogship.co.in
  • Port:
    587
  • Username:
    bhandary@translogship.co.in
  • Password:
    kolkata@19
  • Email To:
    hokota@contrivekota.in

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, typically written in Visual Basic .NET.

  • Agenttesla family
  • AgentTesla payload 5 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

    Together with the WriteProcessMemory calls listed below and the re-launch of the sample's own image with the placeholder command line "{path}" (see Processes), this is the process hollowing pattern: the payload is written into a suspended copy of the process and the main thread's context is redirected to the new entry point.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca.exe
    "C:\Users\Admin\AppData\Local\Temp\e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uaGtoafFRF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC46.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Users\Admin\AppData\Local\Temp\e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca.exe
      "{path}"
      2⤵
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2712
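The process tree above shows the two host-side behaviours worth alerting on before any payload analysis: schtasks.exe creating a task from an XML file dropped in %TEMP% (persistence, ATT&CK T1053.005), and the sample launching two copies of its own image with the placeholder command line "{path}" (the parent side of process hollowing, T1055.012). The following is an added example, not code from the Triage report or from the sandbox, that replays Sysmon-style process-creation events and flags both patterns. The event records are constructed here from the PIDs, images and command lines in the report; the parent PID 1234 for the first process is an assumption, since the report does not show it.

```python
"""Detect schtasks-from-%TEMP% persistence and self-spawn (hollowing) from
process-creation events. Added example; the events below are constructed to
mirror the tria.ge process tree for this sample."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e2670bb60cc7f97b28f85e73446e80ee65bd2863b662029aa2201fb8e30fabca.exe"

# Constructed events: (pid, ppid, image, command_line). PID 1234 is an assumed
# launcher (e.g. explorer.exe); everything else is copied from the report.
EVENTS = [
    (2760, 1234, SAMPLE, f'"{SAMPLE}"'),
    (2804, 2760, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uaGtoafFRF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC46.tmp"'),
    (2700, 2760, SAMPLE, '"{path}"'),   # first hollowing attempt, no further activity
    (2712, 2760, SAMPLE, '"{path}"'),   # second attempt, carries the AgentTesla behaviour
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
XML_RE = re.compile(r'/XML\s+"?([^"\s]+)', re.I)


def find_schtasks_xml_persistence(events):
    """schtasks.exe /Create whose /XML definition lives under the user's Temp dir.
    Legitimate installers rarely register tasks from a throw-away tmp*.tmp file."""
    hits = []
    for pid, ppid, image, cmd in events:
        if not image.lower().endswith("\\schtasks.exe") or "/create" not in cmd.lower():
            continue
        m = XML_RE.search(cmd)
        if m and TEMP_RE.search(m.group(1)):
            hits.append({"pid": pid, "ppid": ppid, "xml": m.group(1)})
    return hits


def find_self_spawn(events):
    """Child whose image equals its parent's image but whose command line differs.
    A hollowing loader starts a suspended copy of itself with a placeholder
    command line; a benign relaunch normally keeps the original arguments."""
    by_pid = {pid: (image, cmd) for pid, _, image, cmd in events}
    hits = []
    for pid, ppid, image, cmd in events:
        parent = by_pid.get(ppid)
        if parent and parent[0].lower() == image.lower() and parent[1] != cmd:
            hits.append({"pid": pid, "ppid": ppid, "cmd": cmd})
    return hits


def score(events):
    """Group indicators by the parent PID that produced them. Both tags on one
    parent is a strong signal; either alone deserves a look."""
    per_parent = defaultdict(set)
    for h in find_schtasks_xml_persistence(events):
        per_parent[h["ppid"]].add("schtasks_xml_temp")
    for h in find_self_spawn(events):
        per_parent[h["ppid"]].add("self_spawn")
    return {ppid: sorted(tags) for ppid, tags in per_parent.items()}


if __name__ == "__main__":
    for ppid, tags in score(EVENTS).items():
        print(f"parent pid {ppid}: {', '.join(tags)}")
```

The self-spawn check deliberately ignores the SetThreadContext and WriteProcessMemory calls that Triage observes from its kernel monitor, because ordinary endpoint telemetry does not record them; the parent/child image and command-line mismatch is the part that survives in process-creation logs.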

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAC46.tmp (the task definition passed to schtasks.exe /XML in the process tree)
    Filesize: 1KB
    MD5:      37df90fe4073a17dc7ca110c2d74014c
    SHA1:     66ce34d84e86241da0d2eae8942d03b3c03e31da
    SHA256:   ffe261de3cf2c38cd218af17a6239740d2695d56f28273c74d8a556c8f17b495
    SHA512:   33d85500c5d5207c986e13eb42212030fbf2ccc0a21279b7cd99981c5647d18bb1567ae4345fab9ffa34a0534db2c711f6161da9c8e5deb1b3142521f148525a

  • Memory dumps, one per region snapshot; file name format is memory/<pid>-<seq>-<start>-<end>-memory.dmp

    PID   Seq  Region                                   Filesize
    2760  0    0x0000000074C6E000-0x0000000074C6F000    4KB
    2760  1    0x0000000000180000-0x0000000000300000    1.5MB
    2760  2    0x0000000074C60000-0x000000007534E000    6.9MB
    2760  3    0x0000000000560000-0x000000000056A000    40KB
    2760  4    0x0000000074C60000-0x000000007534E000    6.9MB
    2760  5    0x0000000074C6E000-0x0000000074C6F000    4KB
    2760  6    0x0000000074C60000-0x000000007534E000    6.9MB
    2760  7    0x0000000005330000-0x00000000053B2000    520KB
    2760  8    0x00000000009C0000-0x00000000009FC000    240KB
    2760  23   0x0000000074C60000-0x000000007534E000    6.9MB
    2712  12   0x0000000000400000-0x000000000043C000    240KB
    2712  13   0x0000000000400000-0x000000000043C000    240KB
    2712  14   0x0000000000400000-0x000000000043C000    240KB
    2712  15   0x0000000000400000-0x000000000043C000    240KB
    2712  16   0x000000007EFDE000-0x000000007EFDF000    4KB
    2712  18   0x0000000000400000-0x000000000043C000    240KB
    2712  20   0x0000000000400000-0x000000000043C000    240KB
    2712  22   0x0000000000400000-0x000000000043C000    240KB
    2712  24   0x0000000074C60000-0x000000007534E000    6.9MB
    2712  25   0x0000000074C60000-0x000000007534E000    6.9MB
    2712  26   0x0000000074C60000-0x000000007534E000    6.9MB
    2712  27   0x0000000074C60000-0x000000007534E000    6.9MB
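Choosing which dump to carve, as an added example that is not part of the Triage report. The repeated 240KB region at 0x400000-0x43C000 in the hollowed child (PID 2712) has the same size as the 240KB region at 0x9C0000 in the parent (PID 2760), which is what you would expect if the parent unpacked a .NET payload in its own heap and then wrote it into the child at the image's preferred base; this is an inference from the sizes, not something the report states. The script below parses the region bounds out of the dump file name, checks the buffer for MZ/PE headers and a populated CLR (.NET) data directory, and keeps only dumps whose SizeOfImage equals the dumped region size, i.e. a complete mapped image rather than a fragment. The dump contents are constructed minimal PE headers built by build_pe32, not bytes from the report; the 6.9MB region is constructed as a non-.NET image standing in for a mapped system DLL.

```python
"""Pick the memory dumps that hold a complete .NET PE image. Added example;
dump bytes are constructed, dump names are the ones in the tria.ge report."""
import re
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header slot in the data directory
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> pid, seq, start, size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start}


def pe_info(buf):
    """Return image_base, size_of_image and whether a CLR header is present,
    or None if buf does not start with a well-formed PE32/PE32+ header."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                                   # optional header start
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    if opt_size < 2 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                                    # PE32
        need, base_fmt, base_off, nrva_off, dd_off = 96, "<I", 28, 92, 96
    elif magic == 0x20B:                                  # PE32+
        need, base_fmt, base_off, nrva_off, dd_off = 112, "<Q", 24, 108, 112
    else:
        return None
    if opt_size < need:
        return None
    image_base = struct.unpack_from(base_fmt, buf, opt + base_off)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    nrva = struct.unpack_from("<I", buf, opt + nrva_off)[0]
    dotnet = False
    entry = opt + dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", buf, entry)
        dotnet = rva != 0 and size != 0
    return {"image_base": image_base, "size_of_image": size_of_image, "dotnet": dotnet}


def select_payload_dumps(dumps):
    """dumps: {dump_name: bytes}. Keep dumps that are .NET PEs whose SizeOfImage
    equals the region size. Only size is compared, so an image relocated by
    ASLR away from its preferred base still qualifies."""
    chosen = []
    for name, buf in dumps.items():
        meta, info = parse_dump_name(name), pe_info(buf)
        if meta and info and info["dotnet"] and info["size_of_image"] == meta["size"]:
            chosen.append(name)
    return chosen


def build_pe32(image_base, size_of_image, with_clr):
    """Construct a minimal PE32 header blob for testing (not a real binary)."""
    e_lfanew, opt_size = 0x80, 96 + 16 * 8
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if with_clr:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # arbitrary CLR header RVA/size
    return dos + coff + bytes(opt)


# Constructed stand-ins for three of the report's dumps (names real, bytes not).
DUMPS = {
    "memory/2712-14-0x0000000000400000-0x000000000043C000-memory.dmp": build_pe32(0x400000, 0x3C000, True),
    "memory/2712-27-0x0000000074C60000-0x000000007534E000-memory.dmp": build_pe32(0x74C60000, 0x6EE000, False),
    "memory/2760-7-0x0000000005330000-0x00000000053B2000-memory.dmp": b"\0" * 64,
}

if __name__ == "__main__":
    for name in select_payload_dumps(DUMPS):
        print("carve:", name)
```

On a real set of dumps, feed the file contents in place of the constructed bytes; the survivors are the ones to hand to a .NET decompiler or to the AgentTesla config extractor, and the parent's 240KB heap region is worth checking the same way to confirm it is the pre-injection copy.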
