Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
07/02/2025, 01:21
Static task
static1
Behavioral task
behavioral1
Sample
SUM PROFORMA 1232.PDF.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
SUM PROFORMA 1232.PDF.exe
Resource
win10v2004-20250129-en
General
-
Target
SUM PROFORMA 1232.PDF.exe
-
Size
1.4MB
-
MD5
b37ed3ed135dfbbff76d78a660982fd9
-
SHA1
50b666d4d379035e0e580edae06aac94c6b42a56
-
SHA256
499fb5aee092371519794849078743df64d19a55062e74c780c81b35699db0b6
-
SHA512
e6105a8b4444d60e5994501b085811f2f40048d3486a9fa022ff4007462bbf6f6c609e401599e3df94592155ce48d11d228d4c1851b25b3a0f6475077aaffaa9
-
SSDEEP
24576:gAOcZXQOCV/O8xzfPep3bGPYPeZaVkpN6k77rvyOMR+ihMhi9+zOgQVUWTI:+hbeF6W6aVkpN6kDbAzsi9LPTI
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation SUM PROFORMA 1232.PDF.exe -
Executes dropped EXE 3 IoCs
pid Process 3204 DL NETIVE BOTNET LOGS.exe 4136 nndus.pif 1044 RegSvcs.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4_510\\nndus.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\4_510\\svfbq.qii" nndus.pif -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4136 set thread context of 1044 4136 nndus.pif 90 PID 3204 set thread context of 1348 3204 DL NETIVE BOTNET LOGS.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SUM PROFORMA 1232.PDF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DL NETIVE BOTNET LOGS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nndus.pif -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 30 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1044 RegSvcs.exe 1044 RegSvcs.exe 1044 RegSvcs.exe 1044 RegSvcs.exe 1044 RegSvcs.exe 1044 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1044 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3204 DL NETIVE BOTNET LOGS.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4580 wrote to memory of 3204 4580 SUM PROFORMA 1232.PDF.exe 87 PID 4580 wrote to memory of 3204 4580 SUM PROFORMA 1232.PDF.exe 87 PID 4580 wrote to memory of 3204 4580 SUM PROFORMA 1232.PDF.exe 87 PID 4580 wrote to memory of 4136 4580 SUM PROFORMA 1232.PDF.exe 89 PID 4580 wrote to memory of 4136 4580 SUM PROFORMA 1232.PDF.exe 89 PID 4580 wrote to memory of 4136 4580 SUM PROFORMA 1232.PDF.exe 89 PID 4136 wrote to memory of 1044 4136 nndus.pif 90 PID 4136 wrote to memory of 1044 4136 nndus.pif 90 PID 4136 wrote to memory of 1044 4136 nndus.pif 90 PID 4136 wrote to memory of 1044 4136 nndus.pif 90 PID 4136 wrote to memory of 1044 4136 nndus.pif 90 PID 3204 wrote to memory of 1348 3204 DL NETIVE BOTNET LOGS.exe 96 PID 3204 wrote to memory of 1348 3204 DL NETIVE BOTNET LOGS.exe 96 PID 3204 wrote to memory of 1348 3204 DL NETIVE BOTNET LOGS.exe 96 PID 3204 wrote to memory of 1348 3204 DL NETIVE BOTNET LOGS.exe 96 PID 3204 wrote to memory of 1348 3204 DL NETIVE BOTNET LOGS.exe 96 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SUM PROFORMA 1232.PDF.exe"C:\Users\Admin\AppData\Local\Temp\SUM PROFORMA 1232.PDF.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe"C:\Users\Admin\AppData\Local\Temp\4_510\DL NETIVE BOTNET LOGS.exe" ... that Dmitri Smirnov (pictured) composed the Triple Concerto No.2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- outlook_office_path
- outlook_win_path
PID:1348
-
-
-
C:\Users\Admin\AppData\Local\Temp\4_510\nndus.pif"C:\Users\Admin\AppData\Local\Temp\4_510\nndus.pif" svfbq.qii2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD561f35c53811bb66d62effc5a53de458f
SHA1e4507c6a3d5c3d01f19c487366044febb126ca70
SHA256833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1
SHA5125148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384
-
Filesize
419KB
MD5e889bda8e1d1663a1fd868e3509d3392
SHA1dc046a23a136ba500a20cd91fa6c89e4f66a7cc5
SHA256f283cb646b213e7309f1ca51cffbb5a9ad4711f342bbf39d2a2619cada568274
SHA512d3420343c31f63040e12555c8b8d980df3cc9caa89874b395d18665f1e554df5a6e8d353e58fcec0cdfd478ebe87b888d255c509f75edf2d7542615ec824c346
-
Filesize
60KB
MD51ad21ce3aca89e8d5a13051d897fdc76
SHA1aa0afe864a3aa0f12bebe04c0ee4b8cf63a6bf33
SHA256a8a61053769a450c5275d426a86a47d6dd1e02e6c7cb6da9ca31a9e4d0892b84
SHA5126d456d774fdf178624c23a460f40558650d8414eed7b7c3c9a9fee07a9ec3167bfbfd905ac5ef270cf301449e595533cde546d6be4edbd0ce8055d902bd64e0c
-
Filesize
820KB
MD50c996fa7285452f1302d8c781bd72972
SHA193b2a1bce155afec134804b3a2ef6b40ac0a4178
SHA256470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f
SHA512e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e
-
Filesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b