Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/02/2025, 01:17
Static task
static1
Behavioral task
behavioral1
Sample
Proforma Invoice.pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Proforma Invoice.pdf.exe
Resource
win10v2004-20241007-en
General
-
Target
Proforma Invoice.pdf.exe
-
Size
1.5MB
-
MD5
1faddd5b9d93e407e103e3065f1ed07f
-
SHA1
31b14aa6cb25239e8087e07af03178e446a50f97
-
SHA256
034cf32f26c06977510bb01c37167b100e949f88ba0073fd603d3cc909c9e3a3
-
SHA512
b0f419d3b558d49707f89897c426238a60ae02385176e4dd7fb9629c2471c75ca23692334d3e1e2e5ba30674dbb46d657d7acbf7f79a68569a69ed7a38d227b3
-
SSDEEP
24576:5AOcZAZwsp2RE/lPpVDcOOxYp2aGAuvZG31RMaas/xZvihMhi9+zOgQVUWT5:zSsZiipFQA3XM9oUsi9LPT5
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579
Extracted
agenttesla
https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Blustealer family
-
Executes dropped EXE 3 IoCs
pid Process 1960 DL NETIVE BOTNET LOGS.exe 1720 ffxusf.pif 2656 RegSvcs.exe -
Loads dropped DLL 10 IoCs
pid Process 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 2552 Proforma Invoice.pdf.exe 1720 ffxusf.pif -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\5_54\\ffxusf.pif C:\\Users\\Admin\\AppData\\Roaming\\5_54\\kppvhvxa.gnl" ffxusf.pif -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1960 set thread context of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1720 set thread context of 2656 1720 ffxusf.pif 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Proforma Invoice.pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DL NETIVE BOTNET LOGS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxusf.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2656 RegSvcs.exe 2656 RegSvcs.exe 2656 RegSvcs.exe 2656 RegSvcs.exe 2656 RegSvcs.exe 2656 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2656 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1960 DL NETIVE BOTNET LOGS.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2552 wrote to memory of 1960 2552 Proforma Invoice.pdf.exe 31 PID 2552 wrote to memory of 1960 2552 Proforma Invoice.pdf.exe 31 PID 2552 wrote to memory of 1960 2552 Proforma Invoice.pdf.exe 31 PID 2552 wrote to memory of 1960 2552 Proforma Invoice.pdf.exe 31 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 2552 wrote to memory of 1720 2552 Proforma Invoice.pdf.exe 32 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1960 wrote to memory of 1632 1960 DL NETIVE BOTNET LOGS.exe 33 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 PID 1720 wrote to memory of 2656 1720 ffxusf.pif 34 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.pdf.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Roaming\5_54\DL NETIVE BOTNET LOGS.exe"C:\Users\Admin\AppData\Roaming\5_54\DL NETIVE BOTNET LOGS.exe" A Pakistan International Airlines passenger aircraft (pictured)2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
PID:1632
-
-
-
C:\Users\Admin\AppData\Roaming\5_54\ffxusf.pif"C:\Users\Admin\AppData\Roaming\5_54\ffxusf.pif" kppvhvxa.gnl2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2656
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49KB
MD5e5f855ae4f688c1a1555664d3d00f4e5
SHA1666a3af218c44d7ded9726cb13b98362e2dbddc5
SHA2565b2eaee4169be6652f2e0df372b420612b302f6514a4db0633661a0bb172336f
SHA5126e09b04bd11fbfb22a24a6c08ddd38b8b18c4a69ceccaad7d767251319f32e8c422977a79ba14dc7c04a4f31e047560403611c9699b05985c87c875fc43a43ff
-
Filesize
419KB
MD5884d858f9d00db8a9a9364a2dc3b6b63
SHA11c07cd370d022b168679fb92ec6b138c862f4ed4
SHA25634859dc0d250dd2e7f6b222265967ac90bf33ea7719612923aab46a2bf7466c2
SHA512cf50c264ad46923ae2ab66df775cff74e14160617bc688da5d88f1f970542d59f10adaf739bf0f31dde7a8bf7def9807bf837a8405265ab84ca3c32036e19f84
-
Filesize
44KB
MD50e06054beb13192588e745ee63a84173
SHA130b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
Filesize
440KB
MD561f35c53811bb66d62effc5a53de458f
SHA1e4507c6a3d5c3d01f19c487366044febb126ca70
SHA256833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1
SHA5125148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384
-
Filesize
794KB
MD518e404787e9c044105f5c4bec4600bd8
SHA19f1015bd7f33a6f3c1cc12c0971f51b1adee1939
SHA256e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12
SHA512c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f