Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
07/02/2025, 01:21
Static task
static1
Behavioral task
behavioral1
Sample
doc01312820220921192503.pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
doc01312820220921192503.pdf.exe
Resource
win10v2004-20250129-en
General
-
Target
doc01312820220921192503.pdf.exe
-
Size
1.5MB
-
MD5
0566ce9fc8b9fadc1520c1c405c506c0
-
SHA1
69f313abba1959e57d99a690cdebbdc5e7006885
-
SHA256
46837b2b83edea93a312915b020a2aad926e18fcee577c8442853ebb8fabea13
-
SHA512
e1c3074866f9d257d077406f5ccca42f0752ce5235a3fe300977ddecfcdfe042b83238d6da22f79be643c27939e8a5857afc7d4ecaa141a8e7231df614e13d20
-
SSDEEP
24576:BAOcZuOEliE5L0ZKfCiFePXVSee+cvn7eaGAuvZG31RMaas/xG4ihMhi9+zOgQVC:bpihpigPFmJvn7tQA3XM9nxsi9LPT4
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation doc01312820220921192503.pdf.exe -
Executes dropped EXE 3 IoCs
pid Process 4772 DL NETIVE BOTNET LOGS.exe 4664 kafxmchc.pif 3208 RegSvcs.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\8_77\\kafxmchc.pif C:\\Users\\Admin\\8_77\\vqoa.dio" kafxmchc.pif -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4664 set thread context of 3208 4664 kafxmchc.pif 90 PID 4772 set thread context of 4308 4772 DL NETIVE BOTNET LOGS.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DL NETIVE BOTNET LOGS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kafxmchc.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language doc01312820220921192503.pdf.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 28 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3208 RegSvcs.exe 3208 RegSvcs.exe 3208 RegSvcs.exe 3208 RegSvcs.exe 3208 RegSvcs.exe 3208 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3208 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4772 DL NETIVE BOTNET LOGS.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4412 wrote to memory of 4772 4412 doc01312820220921192503.pdf.exe 87 PID 4412 wrote to memory of 4772 4412 doc01312820220921192503.pdf.exe 87 PID 4412 wrote to memory of 4772 4412 doc01312820220921192503.pdf.exe 87 PID 4412 wrote to memory of 4664 4412 doc01312820220921192503.pdf.exe 89 PID 4412 wrote to memory of 4664 4412 doc01312820220921192503.pdf.exe 89 PID 4412 wrote to memory of 4664 4412 doc01312820220921192503.pdf.exe 89 PID 4664 wrote to memory of 3208 4664 kafxmchc.pif 90 PID 4664 wrote to memory of 3208 4664 kafxmchc.pif 90 PID 4664 wrote to memory of 3208 4664 kafxmchc.pif 90 PID 4664 wrote to memory of 3208 4664 kafxmchc.pif 90 PID 4664 wrote to memory of 3208 4664 kafxmchc.pif 90 PID 4772 wrote to memory of 4308 4772 DL NETIVE BOTNET LOGS.exe 93 PID 4772 wrote to memory of 4308 4772 DL NETIVE BOTNET LOGS.exe 93 PID 4772 wrote to memory of 4308 4772 DL NETIVE BOTNET LOGS.exe 93 PID 4772 wrote to memory of 4308 4772 DL NETIVE BOTNET LOGS.exe 93 PID 4772 wrote to memory of 4308 4772 DL NETIVE BOTNET LOGS.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\doc01312820220921192503.pdf.exe"C:\Users\Admin\AppData\Local\Temp\doc01312820220921192503.pdf.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Users\Admin\8_77\DL NETIVE BOTNET LOGS.exe"C:\Users\Admin\8_77\DL NETIVE BOTNET LOGS.exe" Community portal – Bulletin board,2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
PID:4308
-
-
-
C:\Users\Admin\8_77\kafxmchc.pif"C:\Users\Admin\8_77\kafxmchc.pif" vqoa.dio2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3208
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD561f35c53811bb66d62effc5a53de458f
SHA1e4507c6a3d5c3d01f19c487366044febb126ca70
SHA256833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1
SHA5125148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384
-
Filesize
419KB
MD56d0effa3c91e7dab9770d542f1e13bd3
SHA1d58c60b7fc51defbfeae317125c68ff9e7ef143d
SHA256d8a82dab51ae0726e48d79efb85c1faa978db0969eeee5f1129e338fadb7cfcc
SHA5121adeb5b30dac33a7c771adfe4cbde461f8d699ad844a7432a6be463f70f4b5f9aaf0becaf28d5a8f409944c3314eeee504108dbcee2b43cec84cd8bd375a82e4
-
Filesize
794KB
MD518e404787e9c044105f5c4bec4600bd8
SHA19f1015bd7f33a6f3c1cc12c0971f51b1adee1939
SHA256e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12
SHA512c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f
-
Filesize
56KB
MD577ae283c682140c74eb5d49dd9d26077
SHA192242f79f6cdee7ce7d3aa74e4aaea35a5fd9a6e
SHA2567277589980844745740ec546a3608225a33a7e40afd53a302a2984c4ee632d65
SHA512d3c79bc1f66df206d6655de581a84f935e700554ec5dc4191c5a9550dc57754068adf94853e795adfa6b023185f5751b1877b413ff32711b60275966f6bebb0f
-
Filesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b