Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 01:21

General

  • Target

    SUM PROFORMA 1232.PDF.exe

  • Size

    1.4MB

  • MD5

    b37ed3ed135dfbbff76d78a660982fd9

  • SHA1

    50b666d4d379035e0e580edae06aac94c6b42a56

  • SHA256

    499fb5aee092371519794849078743df64d19a55062e74c780c81b35699db0b6

  • SHA512

    e6105a8b4444d60e5994501b085811f2f40048d3486a9fa022ff4007462bbf6f6c609e401599e3df94592155ce48d11d228d4c1851b25b3a0f6475077aaffaa9

  • SSDEEP

    24576:gAOcZXQOCV/O8xzfPep3bGPYPeZaVkpN6k77rvyOMR+ihMhi9+zOgQVUWTI:+hbeF6W6aVkpN6kDbAzsi9LPTI

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • BluStealer

    A Modular information stealer written in Visual Basic.

  • Blustealer family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SUM PROFORMA 1232.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\SUM PROFORMA 1232.PDF.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe
      "C:\Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe" ... that Dmitri Smirnov (pictured) composed the Triple Concerto No.
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        PID:3040
    • C:\Users\Admin\AppData\Local\Temp\4_510\nndus.pif
      "C:\Users\Admin\AppData\Local\Temp\4_510\nndus.pif" svfbq.qii
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4_510\entvjjv.wih

    Filesize

    419KB

    MD5

    e889bda8e1d1663a1fd868e3509d3392

    SHA1

    dc046a23a136ba500a20cd91fa6c89e4f66a7cc5

    SHA256

    f283cb646b213e7309f1ca51cffbb5a9ad4711f342bbf39d2a2619cada568274

    SHA512

    d3420343c31f63040e12555c8b8d980df3cc9caa89874b395d18665f1e554df5a6e8d353e58fcec0cdfd478ebe87b888d255c509f75edf2d7542615ec824c346

  • C:\Users\Admin\AppData\Local\Temp\4_510\llfundrv.jpg

    Filesize

    60KB

    MD5

    1ad21ce3aca89e8d5a13051d897fdc76

    SHA1

    aa0afe864a3aa0f12bebe04c0ee4b8cf63a6bf33

    SHA256

    a8a61053769a450c5275d426a86a47d6dd1e02e6c7cb6da9ca31a9e4d0892b84

    SHA512

    6d456d774fdf178624c23a460f40558650d8414eed7b7c3c9a9fee07a9ec3167bfbfd905ac5ef270cf301449e595533cde546d6be4edbd0ce8055d902bd64e0c

  • \Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe

    Filesize

    440KB

    MD5

    61f35c53811bb66d62effc5a53de458f

    SHA1

    e4507c6a3d5c3d01f19c487366044febb126ca70

    SHA256

    833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

    SHA512

    5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

  • \Users\Admin\AppData\Local\Temp\4_510\nndus.pif

    Filesize

    820KB

    MD5

    0c996fa7285452f1302d8c781bd72972

    SHA1

    93b2a1bce155afec134804b3a2ef6b40ac0a4178

    SHA256

    470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

    SHA512

    e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/3040-183-0x0000000004740000-0x00000000047FC000-memory.dmp

    Filesize

    752KB

  • memory/3040-172-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/3040-176-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/3040-177-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/3040-174-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/3040-175-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/3064-192-0x0000000000240000-0x0000000000934000-memory.dmp

    Filesize

    7.0MB

  • memory/3064-195-0x0000000000240000-0x0000000000934000-memory.dmp

    Filesize

    7.0MB

  • memory/3064-194-0x0000000000240000-0x0000000000934000-memory.dmp

    Filesize

    7.0MB

  • memory/3064-191-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3064-189-0x0000000000240000-0x0000000000934000-memory.dmp

    Filesize

    7.0MB

  • memory/3064-197-0x0000000000240000-0x000000000027A000-memory.dmp

    Filesize

    232KB