Analysis
- max time kernel: 92s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10/07/2020, 07:16
Static task: static1
Behavioral task: behavioral1
- Sample: Emergency Situation Surcharge Update.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: Emergency Situation Surcharge Update.exe
- Resource: win10
General
- Target: Emergency Situation Surcharge Update.exe
- Size: 451KB
- MD5: 4d7528ff3e3e634db83bdc55c56ac62a
- SHA1: b63bd466732bdf5b9e43a20a7442b7547a4444bf
- SHA256: 3f258d6b65fd6594bc19ac4f3825112f78043a3c112f7bf56dd40bec84750a1e
- SHA512: 2297087cb141f830f7f45d5e8f0d6f363396096d655d12984a93d5b1068622e326bc9379b4e6c40f589e39a8b46a2b082ffc3126e8806edc406708d6c7d41ad4
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: General101
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1688-4-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1688-5-0x000000000044C44E-mapping.dmp | family_agenttesla
behavioral1/memory/1688-6-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1688-7-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1388 set thread context of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1044 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1388 | Emergency Situation Surcharge Update.exe
1688 | RegSvcs.exe
1688 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1388 | Emergency Situation Surcharge Update.exe
Token: SeDebugPrivilege | 1688 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 1388 wrote to memory of 1044 | 1388 | Emergency Situation Surcharge Update.exe | 24
PID 1388 wrote to memory of 1044 | 1388 | Emergency Situation Surcharge Update.exe | 24
PID 1388 wrote to memory of 1044 | 1388 | Emergency Situation Surcharge Update.exe | 24
PID 1388 wrote to memory of 1044 | 1388 | Emergency Situation Surcharge Update.exe | 24
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1388 wrote to memory of 1688 | 1388 | Emergency Situation Surcharge Update.exe | 26
PID 1688 wrote to memory of 524 | 1688 | RegSvcs.exe | 30
PID 1688 wrote to memory of 524 | 1688 | RegSvcs.exe | 30
PID 1688 wrote to memory of 524 | 1688 | RegSvcs.exe | 30
PID 1688 wrote to memory of 524 | 1688 | RegSvcs.exe | 30
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\Emergency Situation Surcharge Update.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Emergency Situation Surcharge Update.exe"
  PID: 1388
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dbYVwF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE59D.tmp"
    PID: 1044
    - Creates scheduled task(s)
  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    PID: 1688
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 524