Analysis
Max time kernel: 150s
Max time network: 160s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 13/10/2023, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10v2004-20230915-en
General
Target: SOA.exe
Size: 810KB
MD5: e1666e6dc5b74fede5b52d19b6ed5eb3
SHA1: 4629695826687cf1aaedbd0de805ee672ca28b78
SHA256: a4ed69b3f398c38bef69c796dd57f40b6d110fce97d84802b9a2e6b77d07c93f
SHA512: 32f34f4c373397eacb0f413d3c8121aa54cdaacde1c73adbd780d0d5cc3ed6c63c03a9639ccea98c5348010e08f11bbf8fe1f434f95663b6abccdc793a9899b8
SSDEEP: 12288:X2cxVYgO6MavWMO6MavWmn+Au5SjIoya5EyCdoPIeSq8057HuJ5dx:X2cHO6MavWMO6MavWOlOvF6LR5zY5dx
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.wecaresvc.com
Port: 587
Username: [email protected]
Password: u9367gk8qc
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Suspicious use of SetThreadContext (1 IoC)
Description | PID | Process | Target procid
PID 1804 set thread context of 2620 | 1804 | SOA.exe | 32

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID | Process
2748 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID | Process
1804 | SOA.exe
2620 | SOA.exe
2620 | SOA.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 1804 | SOA.exe
Token: SeDebugPrivilege | 2620 | SOA.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Description | PID | Process | Target procid | Occurrences
PID 1804 wrote to memory of 2748 | 1804 | SOA.exe | 30 | 4
PID 1804 wrote to memory of 2620 | 1804 | SOA.exe | 32 | 9
Processes

1. C:\Users\Admin\AppData\Local\Temp\SOA.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
   PID: 1804
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNVYvSgi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
      PID: 2748
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\SOA.exe
      Command line: "{path}"
      PID: 2620
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 60f8025cd59e75af915f4299f3bd328f
SHA1: 646fa863d8aaf0dda14fff442f0348f7221d0db5
SHA256: d935d31d031c63e40843ce6076cca9d050ba97709c28dcd537f1fbd4c7486430
SHA512: 4badb6c56a5d589f9333c6007cb9d200fabcd86eabd4ae2d8cef881459bca886ffbb2367d638ad0a19a9c451f099b2b08cad3202e56e5d4ef67c057882edd0f0