Analysis
Max time kernel: 148s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 07/02/2025, 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: SUM PROFORMA 1232.PDF.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: SUM PROFORMA 1232.PDF.exe
  Resource: win10v2004-20250129-en
General
Target: SUM PROFORMA 1232.PDF.exe
Size: 1.4MB
MD5: b37ed3ed135dfbbff76d78a660982fd9
SHA1: 50b666d4d379035e0e580edae06aac94c6b42a56
SHA256: 499fb5aee092371519794849078743df64d19a55062e74c780c81b35699db0b6
SHA512: e6105a8b4444d60e5994501b085811f2f40048d3486a9fa022ff4007462bbf6f6c609e401599e3df94592155ce48d11d228d4c1851b25b3a0f6475077aaffaa9
SSDEEP: 24576:gAOcZXQOCV/O8xzfPep3bGPYPeZaVkpN6k77rvyOMR+ihMhi9+zOgQVUWTI:+hbeF6W6aVkpN6kDbAzsi9LPTI
Malware Config
Extracted (blustealer):
  https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579
Extracted (agenttesla):
  https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
BluStealer
  A modular information stealer written in Visual Basic.
Blustealer family
Executes dropped EXE (3 IoCs)
  PID   Process
  2028  DL NETIVE BOTNET LOGS.exe
  1508  nndus.pif
  3064  RegSvcs.exe
Loads dropped DLL (10 IoCs)
  PID   Process                    Occurrences
  3020  SUM PROFORMA 1232.PDF.exe  9
  1508  nndus.pif                  1
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Description  IoC                                                                                                                                                        Process
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                        RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                        AppLaunch.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                        AppLaunch.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                        RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4_510\\nndus.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\4_510\\svfbq.qii"  nndus.pif
Suspicious use of SetThreadContext (2 IoCs)
  Description                          PID   Process                    procid_target
  PID 2028 set thread context of 3040  2028  DL NETIVE BOTNET LOGS.exe  32
  PID 1508 set thread context of 3064  1508  nndus.pif                  33
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AppLaunch.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SUM PROFORMA 1232.PDF.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DL NETIVE BOTNET LOGS.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nndus.pif
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process      Occurrences
  3064  RegSvcs.exe  6
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  3064  RegSvcs.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  2028  DL NETIVE BOTNET LOGS.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  Description                      PID   Process                    procid_target  Occurrences
  PID 3020 wrote to memory of 2028  3020  SUM PROFORMA 1232.PDF.exe  30             4
  PID 3020 wrote to memory of 1508  3020  SUM PROFORMA 1232.PDF.exe  31             7
  PID 2028 wrote to memory of 3040  2028  DL NETIVE BOTNET LOGS.exe  32             9
  PID 1508 wrote to memory of 3064  1508  nndus.pif                  33             9
outlook_office_path (1 IoC)
  Description  IoC                                                                                                                                                                                      Process
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                                              RegSvcs.exe
outlook_win_path (1 IoC)
  Description  IoC                                                                                                                                                                                      Process
  Key opened   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SUM PROFORMA 1232.PDF.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SUM PROFORMA 1232.PDF.exe"
  PID: 3020
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe" ...
    PID: 2028
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 3040
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\4_510\nndus.pif (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4_510\nndus.pif" svfbq.qii
    PID: 1508
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 3064
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (5)
    Credentials In Files (4)
    Credentials in Registry (1)
Downloads
File 1
  Filesize: 419KB
  MD5: e889bda8e1d1663a1fd868e3509d3392
  SHA1: dc046a23a136ba500a20cd91fa6c89e4f66a7cc5
  SHA256: f283cb646b213e7309f1ca51cffbb5a9ad4711f342bbf39d2a2619cada568274
  SHA512: d3420343c31f63040e12555c8b8d980df3cc9caa89874b395d18665f1e554df5a6e8d353e58fcec0cdfd478ebe87b888d255c509f75edf2d7542615ec824c346
File 2
  Filesize: 60KB
  MD5: 1ad21ce3aca89e8d5a13051d897fdc76
  SHA1: aa0afe864a3aa0f12bebe04c0ee4b8cf63a6bf33
  SHA256: a8a61053769a450c5275d426a86a47d6dd1e02e6c7cb6da9ca31a9e4d0892b84
  SHA512: 6d456d774fdf178624c23a460f40558650d8414eed7b7c3c9a9fee07a9ec3167bfbfd905ac5ef270cf301449e595533cde546d6be4edbd0ce8055d902bd64e0c
File 3
  Filesize: 440KB
  MD5: 61f35c53811bb66d62effc5a53de458f
  SHA1: e4507c6a3d5c3d01f19c487366044febb126ca70
  SHA256: 833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1
  SHA512: 5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384
File 4
  Filesize: 820KB
  MD5: 0c996fa7285452f1302d8c781bd72972
  SHA1: 93b2a1bce155afec134804b3a2ef6b40ac0a4178
  SHA256: 470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f
  SHA512: e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e
File 5
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215