Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31/12/2023, 06:03
General
-
Target
2b134be5c3d9c940c710adcf5f5e6b84.exe
-
Size
1.1MB
-
MD5
2b134be5c3d9c940c710adcf5f5e6b84
-
SHA1
95342605ed928e172f42593093b75d1f5cc652f7
-
SHA256
64a6309eb963fb0fbc26d0d1d8a370f2e9f554174a58f2e5bd254ecba31771f3
-
SHA512
ab008cf3458337fa11fb244afe17c93ad9314922a6ea86f1e30a52db153adeeabebe5bef4d1ccc1a6b7d4cca9c450e7dc1bfedaecd233ef51b5dbe41ab495917
-
SSDEEP
12288:EnK8jEyoS03dyvUIZbVIVZrbcemx7Y9JA226xLPNGsa9B3td3MTDS89dyP3fHvXy:E3jEyoSUgvDBIjcei7Y9g6R1g3bm
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cwtgroup.co.za - Port:
587 - Username:
[email protected] - Password:
$$$333### - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe"C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PaZIIm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E19.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe"C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ccccd66bd22acdceb7523ae90a87e8b4
SHA18a3d82b2d552bf99e55e8d8e7a6760f3b5a315e6
SHA2563c8a64fe2a3e5691188a198f6e1e92d942fcebf3b77bb8e5c7443506df0dd284
SHA5126765da8be293794f7f35ff103246b9dd71ea8c76b6fef84b88bac2999c44c3b5e02c429574c90adbee4eaedc37071f1aefbdb9ef661132b1833219a81f5542ac
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
504KB
-
Filesize
248KB
-
Filesize
136KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
1.1MB