Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 01:22

General

  • Target

    Dekont.pdf.exe

  • Size

    1.6MB

  • MD5

    89ca21034328458a20418d85211e2a32

  • SHA1

    7eff6c36a2104231dab0c665b4cfe23479df6c92

  • SHA256

    b5ca8fbe69f6cc1ce98e1a5b51daadb7749786efae91a320e2148cd0da30f42f

  • SHA512

    afde5b1e081c10fc00cbec24e4b94ee3b616f637b50f1d1480fef9ac97bec1ed3356a971d3c8f32f479b3cef2912b6aa5b85be1d6c92e20b7542ccd7ebb71aa3

  • SSDEEP

    49152:+pCG8Aq/oZ4FDMopTWfqEUU2Zklsi9LPTF:+phnqMopafSulswLB

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • BluStealer

    A Modular information stealer written in Visual Basic.

  • Blustealer family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe
      "C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe" Saint-Étienne-du-Mont is a church located on the Montagne Sainte-Geneviève
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        PID:2308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe
        "C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe" pfxrudu.csx
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2_97\bsbrhqxpgh.xml

    Filesize

    61KB

    MD5

    b57c37a2c59a2551ae13d6fd371b52cd

    SHA1

    f9826276ba9babe31e0b7da7d536eb48cac92fef

    SHA256

    c04c01d87496f375c10e6dd2bb56078a4ead5c8e859db9e3556e70831c368b48

    SHA512

    e97d6c33edc7cda4b59e8837f24b7117211730e305c0069b1a92904e2cd9a6f5125815f7bea3242deef67a1a6e2d519166e4301431746a960c8d83d104ec50bc

  • C:\Users\Admin\AppData\Roaming\2_97\deengndh.pbi

    Filesize

    419KB

    MD5

    0fe976b7e971a0f2d37ab91f110bf80b

    SHA1

    19bd18338a8254bfefbc684e618908ada7558810

    SHA256

    4214c2a50fb58accdab07c73ca3f60bc3da9167f3d350f04be274410f8cde27f

    SHA512

    710bfa5079b6109612e869ac2f72708ddd15467a9b190ef0554888fffc9c41c0fc7d7099584d49d1c7e1f298409d4da7a797a14f635d9891ed62f7ff0f49b001

  • C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe

    Filesize

    22KB

    MD5

    af6eceb44fc6c4edcb616cf5f3057496

    SHA1

    befd9bf9fee1b9dfcf5431b490f40523e0e41748

    SHA256

    d14064ae7096b0db9041e75b5b59badf6535f461f08a64d77c3429e0b8242725

    SHA512

    2b5dd6f2a7d41ef71f58a0bd027875087ddb5a2651fc2e961f1666caf722d0501619661cef0f9e5405b69f301a921ec14ecfba9d9b30f4159ff6c89807c4211f

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • \Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe

    Filesize

    440KB

    MD5

    61f35c53811bb66d62effc5a53de458f

    SHA1

    e4507c6a3d5c3d01f19c487366044febb126ca70

    SHA256

    833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

    SHA512

    5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

  • \Users\Admin\AppData\Roaming\2_97\wwdktp.exe

    Filesize

    999KB

    MD5

    1dbba7abb9198c4247cbfb258fe5233d

    SHA1

    cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

    SHA256

    6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

    SHA512

    503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

  • memory/1976-195-0x0000000000250000-0x000000000091C000-memory.dmp

    Filesize

    6.8MB

  • memory/1976-197-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1976-201-0x0000000000250000-0x000000000091C000-memory.dmp

    Filesize

    6.8MB

  • memory/1976-198-0x0000000000250000-0x000000000091C000-memory.dmp

    Filesize

    6.8MB

  • memory/1976-200-0x0000000000250000-0x000000000091C000-memory.dmp

    Filesize

    6.8MB

  • memory/1976-203-0x0000000000250000-0x000000000028A000-memory.dmp

    Filesize

    232KB

  • memory/2308-183-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/2308-180-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2308-189-0x0000000000E30000-0x0000000000EEC000-memory.dmp

    Filesize

    752KB

  • memory/2308-182-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/2308-181-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/2308-178-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB