Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
- submitted: 07/02/2025, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: Dekont.pdf.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: Dekont.pdf.exe
  Resource: win10v2004-20250129-en
General
- Target: Dekont.pdf.exe
- Size: 1.6MB
- MD5: 89ca21034328458a20418d85211e2a32
- SHA1: 7eff6c36a2104231dab0c665b4cfe23479df6c92
- SHA256: b5ca8fbe69f6cc1ce98e1a5b51daadb7749786efae91a320e2148cd0da30f42f
- SHA512: afde5b1e081c10fc00cbec24e4b94ee3b616f637b50f1d1480fef9ac97bec1ed3356a971d3c8f32f479b3cef2912b6aa5b85be1d6c92e20b7542ccd7ebb71aa3
- SSDEEP: 49152:+pCG8Aq/oZ4FDMopTWfqEUU2Zklsi9LPTF:+phnqMopafSulswLB
Malware Config
- Extracted: blustealer
  https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579
- Extracted: agenttesla
  https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- BluStealer
  A modular information stealer written in Visual Basic.
- Blustealer family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2752  DL NETIVE BOTNET LOGS.exe
  2140  wwdktp.exe
  1976  RegSvcs.exe
- Loads dropped DLL (7 IoCs; repeated rows collapsed, count in parentheses)
  pid   Process
  2360  Dekont.pdf.exe (5 entries)
  2980  WScript.exe
  2140  wwdktp.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\2_97\\wwdktp.exe C:\\Users\\Admin\\AppData\\Roaming\\2_97\\pfxrudu.csx"  wwdktp.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description  pid  Process  procid_target
  PID 2752 set thread context of 2308  2752  DL NETIVE BOTNET LOGS.exe  34
  PID 2140 set thread context of 1976  2140  wwdktp.exe  35
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dekont.pdf.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DL NETIVE BOTNET LOGS.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wwdktp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AppLaunch.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs; repeated rows collapsed, count in parentheses)
  pid   Process
  1976  RegSvcs.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  1976  RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2752  DL NETIVE BOTNET LOGS.exe
- Suspicious use of WriteProcessMemory (33 IoCs; repeated rows collapsed, count in parentheses)
  description  pid  Process  procid_target
  PID 2360 wrote to memory of 2752  2360  Dekont.pdf.exe  31  (4 entries)
  PID 2360 wrote to memory of 2980  2360  Dekont.pdf.exe  32  (4 entries)
  PID 2980 wrote to memory of 2140  2980  WScript.exe  33  (7 entries)
  PID 2752 wrote to memory of 2308  2752  DL NETIVE BOTNET LOGS.exe  34  (9 entries)
  PID 2140 wrote to memory of 1976  2140  wwdktp.exe  35  (9 entries)
- outlook_office_path (1 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
- outlook_win_path (1 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe (PID 2360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe (PID 2752)
    Command line: "C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2308)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WScript.exe (PID 2980)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe (PID 2140)
      Command line: "C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe" pfxrudu.csx
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 1976)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (5)
    - Credentials In Files (4)
    - Credentials in Registry (1)
Downloads
- Filesize: 61KB
  MD5: b57c37a2c59a2551ae13d6fd371b52cd
  SHA1: f9826276ba9babe31e0b7da7d536eb48cac92fef
  SHA256: c04c01d87496f375c10e6dd2bb56078a4ead5c8e859db9e3556e70831c368b48
  SHA512: e97d6c33edc7cda4b59e8837f24b7117211730e305c0069b1a92904e2cd9a6f5125815f7bea3242deef67a1a6e2d519166e4301431746a960c8d83d104ec50bc
- Filesize: 419KB
  MD5: 0fe976b7e971a0f2d37ab91f110bf80b
  SHA1: 19bd18338a8254bfefbc684e618908ada7558810
  SHA256: 4214c2a50fb58accdab07c73ca3f60bc3da9167f3d350f04be274410f8cde27f
  SHA512: 710bfa5079b6109612e869ac2f72708ddd15467a9b190ef0554888fffc9c41c0fc7d7099584d49d1c7e1f298409d4da7a797a14f635d9891ed62f7ff0f49b001
- Filesize: 22KB
  MD5: af6eceb44fc6c4edcb616cf5f3057496
  SHA1: befd9bf9fee1b9dfcf5431b490f40523e0e41748
  SHA256: d14064ae7096b0db9041e75b5b59badf6535f461f08a64d77c3429e0b8242725
  SHA512: 2b5dd6f2a7d41ef71f58a0bd027875087ddb5a2651fc2e961f1666caf722d0501619661cef0f9e5405b69f301a921ec14ecfba9d9b30f4159ff6c89807c4211f
- Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- Filesize: 440KB
  MD5: 61f35c53811bb66d62effc5a53de458f
  SHA1: e4507c6a3d5c3d01f19c487366044febb126ca70
  SHA256: 833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1
  SHA512: 5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384
- Filesize: 999KB
  MD5: 1dbba7abb9198c4247cbfb258fe5233d
  SHA1: cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be
  SHA256: 6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
  SHA512: 503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98