Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 17/01/2025, 02:56
Static task: static1
Behavioral task: behavioral1 (Sample: PAYMENT ADVICE.exe, Resource: win7-20241023-en)
General
Target: PAYMENT ADVICE.exe
Size: 1.1MB
MD5: b6912ef99b7dc47b8f3c1ec436068255
SHA1: 06c121cff62f9db6a9189ce9de1a3ba0c9dfeb75
SHA256: 6a9414c298284cdbbfe72454eac3d9c3e35286dd461f5d621adb10db1d34d4b6
SHA512: 0143558b1e4d2e12d2d609d6782acdf425ea6914926875a4f0508b64366da448870659d7fd8cd2dd61cba5ce4d5b975dce56557d36953d384d24ce2c9729c3d9
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaC1V34bcVf8DSi6DJtR:7JZoQrbTFZY1iaC1V38cx8n6DJtR
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.thelamalab.com
Port: 587
Username: [email protected]
Password: Thel@malab@20!9
Email To: [email protected]
The two mailbox addresses survive on this page only as the placeholder [email protected], so the indicators recoverable from this config are the SMTP host, the submission port and the password; the mail account is the operator's exfiltration drop, not a victim account.
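As an added example, not part of the Triage report or of the sample itself: the extracted config gives a mail host and a submission port, which is enough to hunt for exfiltration sessions in network metadata even when the mail content is not visible. The script below correlates Zeek-style dns.log answers for mail.thelamalab.com with later TCP connections from the same client to an answered IP on port 587. The log records are constructed for illustration, and the 300-second resolution window, the Zeek field names and the uid values are assumptions.

```python
"""Correlate DNS answers for the Agent Tesla mail host with outbound SMTP-submission
connections, using Zeek-style dns.log / conn.log JSON records.
Added example; the log lines are constructed and are not real traffic."""
import json
from collections import defaultdict

EXFIL_HOST = "mail.thelamalab.com"   # SMTP host from the extracted config
EXFIL_PORT = 587                      # port from the extracted config
RESOLVE_WINDOW_S = 300                # assumption: a DNS answer is "live" for 5 minutes

# Constructed Zeek-style dns.log records (JSON lines). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real servers.
DNS_LOG = """\
{"ts": 1737082600.0, "uid": "CdNs01", "id.orig_h": "10.0.0.23", "query": "mail.thelamalab.com", "qtype_name": "A", "answers": ["203.0.113.10"]}
{"ts": 1737082600.2, "uid": "CdNs02", "id.orig_h": "10.0.0.23", "query": "outlook.office365.com", "qtype_name": "A", "answers": ["198.51.100.5"]}
{"ts": 1737090000.0, "uid": "CdNs03", "id.orig_h": "10.0.0.77", "query": "mail.thelamalab.com", "qtype_name": "A", "answers": ["203.0.113.10"]}
"""

# Constructed Zeek-style conn.log records (JSON lines).
CONN_LOG = """\
{"ts": 1737082602.5, "uid": "CxAgt1", "id.orig_h": "10.0.0.23", "id.resp_h": "203.0.113.10", "id.resp_p": 587, "proto": "tcp"}
{"ts": 1737082605.0, "uid": "CxMail", "id.orig_h": "10.0.0.23", "id.resp_h": "198.51.100.5", "id.resp_p": 587, "proto": "tcp"}
{"ts": 1737082700.0, "uid": "CxNoDns", "id.orig_h": "10.0.0.50", "id.resp_h": "203.0.113.10", "id.resp_p": 587, "proto": "tcp"}
{"ts": 1737095000.0, "uid": "CxLate", "id.orig_h": "10.0.0.77", "id.resp_h": "203.0.113.10", "id.resp_p": 587, "proto": "tcp"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_exfil_sessions(dns_records, conn_records, host=EXFIL_HOST,
                        port=EXFIL_PORT, window=RESOLVE_WINDOW_S):
    """Return SMTP-submission connections that match the exfil host.

    'correlated': the same client resolved `host` and, within `window` seconds,
                  connected to one of the answered IPs on `port` (high confidence).
    'ip_only':    connections on `port` to an IP that was answered for `host` at
                  some point, but with no matching resolution by that client
                  (weaker: the IP may be shared hosting, or the lookup was missed).
    """
    resolutions = defaultdict(list)   # (client_ip, answer_ip) -> [ts, ...]
    answered_ips = set()
    for rec in dns_records:
        if rec.get("query", "").lower().rstrip(".") != host:
            continue
        for ip in rec.get("answers", []):
            resolutions[(rec["id.orig_h"], ip)].append(rec["ts"])
            answered_ips.add(ip)

    correlated, ip_only = [], []
    for conn in conn_records:
        if conn.get("proto") != "tcp" or conn.get("id.resp_p") != port:
            continue
        client, server = conn["id.orig_h"], conn["id.resp_h"]
        if server not in answered_ips:
            continue
        recent = [t for t in resolutions.get((client, server), [])
                  if 0 <= conn["ts"] - t <= window]
        if recent:
            correlated.append({"uid": conn["uid"], "client": client, "server": server,
                               "resolved_at": max(recent), "connected_at": conn["ts"]})
        else:
            ip_only.append(conn["uid"])
    return {"correlated": correlated, "ip_only": ip_only}


if __name__ == "__main__":
    result = find_exfil_sessions(parse_jsonl(DNS_LOG), parse_jsonl(CONN_LOG))
    for hit in result["correlated"]:
        delay = hit["connected_at"] - hit["resolved_at"]
        print(f"EXFIL? {hit['client']} -> {hit['server']}:{EXFIL_PORT} "
              f"({hit['uid']}), resolved {delay:.1f}s before connecting")
    print("IP-only matches (lower confidence):", result["ip_only"])
```

If the session negotiates STARTTLS, Zeek's smtp.log will not carry the message headers or body, which is why the example matches on DNS and connection metadata rather than on mail content. The two-tier result is deliberate: a client that resolves the name and immediately connects is a strong signal, whereas a bare connection to an IP once associated with the name deserves a look but not an automatic alert.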
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).
- Agenttesla family
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs
  Process: overrough.exe
- Executes dropped EXE (1 IoC)
  PID 1988: overrough.exe
- Loads dropped DLL (1 IoC)
  PID 2556: PAYMENT ADVICE.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource: behavioral1/files/0x0007000000016cd7-4.dat, yara_rule: autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1988 (overrough.exe) set thread context of PID 2552 (procid_target 31)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegSvcs.exe, PAYMENT ADVICE.exe and overrough.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2552: RegSvcs.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1988: overrough.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2552: RegSvcs.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 2556: PAYMENT ADVICE.exe (2 events); PID 1988: overrough.exe (2 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 2556: PAYMENT ADVICE.exe (2 events); PID 1988: overrough.exe (2 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2556 (PAYMENT ADVICE.exe) wrote to memory of PID 1988 (procid_target 30): 4 events
  PID 1988 (overrough.exe) wrote to memory of PID 2552 (procid_target 31): 8 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"
   PID: 2556
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\flexuosely\overrough.exe (child of PID 2556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"
      PID: 1988
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 1988)
         Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"
         PID: 2552
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Read together with the signatures, the tree shows a three-stage chain: the submitted sample runs overrough.exe, an AutoIt-compiled executable dropped under AppData\Local\flexuosely, which persists through overrough.vbs in the Startup folder and then writes into a freshly spawned RegSvcs.exe (a legitimate Microsoft .NET framework binary) and sets its thread context. Both children carry the original sample's path as their command line rather than their own image path, which together with the WriteProcessMemory, SetThreadContext and MapViewOfSection signatures is consistent with process hollowing; the Agent Tesla payload, including the SeDebugPrivilege request and the process enumeration, runs inside the hollowed RegSvcs.exe, PID 2552.
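As an added example (not part of the Triage report, and not code from the sample): the Signatures and Processes sections above contain everything needed to reconstruct the injection chain mechanically, which is what a detection engineer would do before writing a rule for it. The script below takes the process tree, the WriteProcessMemory and SetThreadContext pairs and the MapViewOfSection source PID exactly as the report lists them, and flags a SetThreadContext target as a hollowing candidate when the same injector also wrote to it, the target is the injector's child, the target's command line names a different executable than its image, and the image lives in a Windows directory commonly abused as a host. The list of trusted host directories is an assumption of the example.

```python
"""Reconstruct the process-hollowing chain from this report's signature rows.
Added example, not part of the Triage report. PIDs, image paths, command lines and
event counts are copied from the Signatures and Processes sections above."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]


# From the Processes section.
PROCS = {
    2556: Proc(2556, r"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"', None),
    1988: Proc(1988, r"C:\Users\Admin\AppData\Local\flexuosely\overrough.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"', 2556),
    2552: Proc(2552, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"', 1988),
}
# From the Signatures section: one (source pid, target pid) tuple per event.
WRITE_PROCESS_MEMORY = [(2556, 1988)] * 4 + [(1988, 2552)] * 8
SET_THREAD_CONTEXT = [(1988, 2552)]
MAP_VIEW_OF_SECTION = [1988]

# Assumption of this example: directories whose signed binaries are routinely
# used as hollowing hosts, so a target there raises confidence.
TRUSTED_HOST_DIRS = (r"c:\windows\microsoft.net\framework",
                     r"c:\windows\system32", r"c:\windows\syswow64")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def image_cmdline_mismatch(p: Proc) -> bool:
    """True when the command line names a different executable than the image."""
    return basename(cmdline_image(p.cmdline)) != basename(p.image)


def ancestry(procs, pid):
    """Root-to-leaf PID chain for `pid`."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid].parent
    return chain[::-1]


def find_hollowing(procs, writes, ctx_sets, map_views):
    """Score every SetThreadContext pair with the corroborating signals present."""
    write_counts = Counter(writes)
    findings = []
    for src, dst in sorted(set(ctx_sets)):
        target = procs[dst]
        signals = ["SetThreadContext"]
        if write_counts[(src, dst)]:
            signals.append(f"WriteProcessMemory x{write_counts[(src, dst)]}")
        if src in map_views:
            signals.append("MapViewOfSection")
        if target.parent == src:
            signals.append("target is a child of the injector")
        if image_cmdline_mismatch(target):
            signals.append("image/command-line mismatch")
        if target.image.lower().startswith(TRUSTED_HOST_DIRS):
            signals.append("trusted Windows host binary")
        findings.append({"injector": src, "target": dst,
                         "target_image": basename(target.image),
                         "signals": signals, "chain": ancestry(procs, dst)})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCS, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, MAP_VIEW_OF_SECTION):
        chain = " -> ".join(f"{pid} {basename(PROCS[pid].image)}" for pid in f["chain"])
        print(f"hollowing candidate: {f['injector']} -> {f['target']} ({f['target_image']})")
        print("  chain:  ", chain)
        print("  signals:", ", ".join(f["signals"]))
```

The parent-to-child writes from PID 2556 into overrough.exe are not flagged, because no SetThreadContext accompanies them; only the 1988 to 2552 pair collects the full set of signals. The image/command-line comparison is the cheapest of these checks to run on live telemetry (Sysmon event 1 carries both fields), and on its own it already separates the hollowed RegSvcs.exe from a RegSvcs.exe started normally by the .NET installer.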
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 234KB
  MD5: fa272827e3234d8d130078167dce6d22
  SHA1: f7866a3c99f24852b174f9cbe85844bd85a1b836
  SHA256: e72117e7913bc9fc70c0a1c89bd48cbb89684fb3d87d1d8c6a2856333d1e2245
  SHA512: 177721f0af3d80e1e776135810e113042dd4f6551cf4cef75f74c70790e02f3b842aa013537e3ae847010fc16fb5ce2194348e0ab4dc26dc2c7dee5bc34705d7
- Filesize: 1.1MB (hashes identical to the submitted sample, PAYMENT ADVICE.exe)
  MD5: b6912ef99b7dc47b8f3c1ec436068255
  SHA1: 06c121cff62f9db6a9189ce9de1a3ba0c9dfeb75
  SHA256: 6a9414c298284cdbbfe72454eac3d9c3e35286dd461f5d621adb10db1d34d4b6
  SHA512: 0143558b1e4d2e12d2d609d6782acdf425ea6914926875a4f0508b64366da448870659d7fd8cd2dd61cba5ce4d5b975dce56557d36953d384d24ce2c9729c3d9