Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
126s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/01/2025, 06:04
Static task
static1
Behavioral task
behavioral1
Sample
RHGP0987090G.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RHGP0987090G.rtf
Resource
win10v2004-20241007-en
General
-
Target
RHGP0987090G.rtf
-
Size
7KB
-
MD5
a8cfd32e2bd9180b0b7bf1dcdc880f99
-
SHA1
8e162cf763f149ac2d6436de1808df569a75f72b
-
SHA256
dfade43b170cbeefcb58db57df4095fb2c109f85af3dd6bc514cbf2a9d86b2b9
-
SHA512
6527d65392aec4e53d8fd65f26c1a5f5169b17e6332b9362bf0202cacddc175cf8ddaaf1d8f0392100dfb6c75e582091fbf0e5235f77d427ca67c4a8120938d2
-
SSDEEP
48:OVcoVYEENMxQcvWvnCAJcSYl+UaOhkoq/lfwdPiLwmv7vpE8IMh7BqlEMAZRgFlk:435vibc3ksoidKLHvxIMh74l31AzOi
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.antoniomayol.com:21 - Port:
21 - Username:
[email protected] - Password:
cMhKDQUk1{;%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 792 EQNEDT32.EXE -
Downloads MZ/PE file 1 IoCs
flow pid Process 5 792 EQNEDT32.EXE -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resharing.vbs resharing.exe -
Executes dropped EXE 2 IoCs
pid Process 2912 name.exe 2620 resharing.exe -
Loads dropped DLL 5 IoCs
pid Process 792 EQNEDT32.EXE 792 EQNEDT32.EXE 792 EQNEDT32.EXE 792 EQNEDT32.EXE 2912 name.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2912-43-0x0000000000290000-0x00000000003C8000-memory.dmp autoit_exe behavioral1/memory/2620-65-0x0000000001360000-0x0000000001498000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2620 set thread context of 1092 2620 resharing.exe 36 -
resource yara_rule behavioral1/files/0x0007000000018c1a-8.dat upx behavioral1/memory/2912-22-0x0000000000290000-0x00000000003C8000-memory.dmp upx behavioral1/memory/2620-45-0x0000000001360000-0x0000000001498000-memory.dmp upx behavioral1/memory/2912-40-0x0000000002A90000-0x0000000002BC8000-memory.dmp upx behavioral1/memory/2912-43-0x0000000000290000-0x00000000003C8000-memory.dmp upx behavioral1/memory/2620-65-0x0000000001360000-0x0000000001498000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language name.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language resharing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 792 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2540 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1092 RegSvcs.exe 1092 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2620 resharing.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1092 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2912 name.exe 2912 name.exe 2620 resharing.exe 2620 resharing.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2912 name.exe 2912 name.exe 2620 resharing.exe 2620 resharing.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2540 WINWORD.EXE 2540 WINWORD.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 792 wrote to memory of 2912 792 EQNEDT32.EXE 33 PID 792 wrote to memory of 2912 792 EQNEDT32.EXE 33 PID 792 wrote to memory of 2912 792 EQNEDT32.EXE 33 PID 792 wrote to memory of 2912 792 EQNEDT32.EXE 33 PID 2912 wrote to memory of 2620 2912 name.exe 35 PID 2912 wrote to memory of 2620 2912 name.exe 35 PID 2912 wrote to memory of 2620 2912 name.exe 35 PID 2912 wrote to memory of 2620 2912 name.exe 35 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2620 wrote to memory of 1092 2620 resharing.exe 36 PID 2540 wrote to memory of 1988 2540 WINWORD.EXE 38 PID 2540 wrote to memory of 1988 2540 WINWORD.EXE 38 PID 2540 wrote to memory of 1988 2540 WINWORD.EXE 38 PID 2540 wrote to memory of 1988 2540 WINWORD.EXE 38
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RHGP0987090G.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1988
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\name.exe"C:\Users\Admin\AppData\Local\Temp\name.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\carryover\resharing.exe"C:\Users\Admin\AppData\Local\Temp\name.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\name.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
534KB
MD5375d1d9a080b5533da09c98716c40f0d
SHA1cb1e3e386b935eb999b319c1b6ae0b5b6bedf6ef
SHA25686ccb2e2b2b1780ec85596c64030ce2525145afa00f9e3db1c3582c4f4afe7e6
SHA512da8b7b76c532a568d4d2cad2227591b2a372687dd2b47cf369d09e7b7d67b2b6e5976894a8b59c635ebc67d18c10543de316051aad1191641a05a79b80e02b35