Analysis
- max time kernel: 131s
- max time network: 77s
- platform: windows10_x64
- resource: win10v200430
- submitted: 09/07/2020, 14:56
Static task: static1
Behavioral task: behavioral1
- Sample: remittance advice 7.9.20.exe
- Resource: win7
- 0 signatures
- 0 seconds
General
- Target: remittance advice 7.9.20.exe
- Size: 889KB
- MD5: aa54e572432813a7d322e244339aa7b6
- SHA1: dc66aef6d10872755dc4398c2915a5ec97054e17
- SHA256: cc71aaff5556a4053df2846a191ff63e54b3b10df75b98a3d8d5edc4c02c7d1b
- SHA512: 52dbe880edb8cb74c3faef8a235d6e80947bd3ead4e3923a6577c39a467312a02ff99da95a6dafdf16d13e14b850ec1582ab9fe026658acba536f7b3e25280ab
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (7 IoCs)
  resource / yara_rule:
  - behavioral2/memory/1876-1-0x00000000005621E0-mapping.dmp / family_agenttesla
  - behavioral2/memory/1876-3-0x0000000000400000-0x0000000000564000-memory.dmp / family_agenttesla
  - behavioral2/memory/1876-4-0x0000000002360000-0x000000000240C000-memory.dmp / family_agenttesla
  - behavioral2/memory/1876-7-0x00000000005621E0-mapping.dmp / family_agenttesla
  - behavioral2/memory/1876-8-0x00000000005621E0-mapping.dmp / family_agenttesla
  - behavioral2/memory/1876-9-0x00000000005621E0-mapping.dmp / family_agenttesla
  - behavioral2/memory/1876-10-0x00000000005621E0-mapping.dmp / family_agenttesla
- upx yara_rule matches
  resource / yara_rule:
  - behavioral2/memory/1876-0-0x0000000000400000-0x0000000000564000-memory.dmp / upx
  - behavioral2/memory/1876-2-0x0000000000400000-0x0000000000564000-memory.dmp / upx
  - behavioral2/memory/1876-3-0x0000000000400000-0x0000000000564000-memory.dmp / upx
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  - PID 1740 set thread context of 1876 / 1740 / remittance advice 7.9.20.exe / 68
- Program crash (1 IoC)
  pid / pid_target / Process / procid_target:
  - 2196 / 1876 / WerFault.exe / 68
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid / Process:
  - 1740 / remittance advice 7.9.20.exe (2 entries)
  - 1876 / remittance advice 7.9.20.exe (1 entry)
  - 2196 / WerFault.exe (14 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / Process:
  - 1740 / remittance advice 7.9.20.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege / 1876 / remittance advice 7.9.20.exe
  - Token: SeRestorePrivilege / 2196 / WerFault.exe
  - Token: SeBackupPrivilege / 2196 / WerFault.exe
  - Token: SeDebugPrivilege / 2196 / WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  - PID 1740 wrote to memory of 1876 / 1740 / remittance advice 7.9.20.exe / 68 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe"
  PID: 1740
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe"
    PID: 1876
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1020
      PID: 2196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken