Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 06:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2b134be5c3d9c940c710adcf5f5e6b84.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 2b134be5c3d9c940c710adcf5f5e6b84.exe
  Resource: win10v2004-20231215-en
General
- Target: 2b134be5c3d9c940c710adcf5f5e6b84.exe
- Size: 1.1MB
- MD5: 2b134be5c3d9c940c710adcf5f5e6b84
- SHA1: 95342605ed928e172f42593093b75d1f5cc652f7
- SHA256: 64a6309eb963fb0fbc26d0d1d8a370f2e9f554174a58f2e5bd254ecba31771f3
- SHA512: ab008cf3458337fa11fb244afe17c93ad9314922a6ea86f1e30a52db153adeeabebe5bef4d1ccc1a6b7d4cca9c450e7dc1bfedaecd233ef51b5dbe41ab495917
- SSDEEP: 12288:EnK8jEyoS03dyvUIZbVIVZrbcemx7Y9JA226xLPNGsa9B3td3MTDS89dyP3fHvXy:E3jEyoSUgvDBIjcei7Y9g6R1g3bm
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cwtgroup.co.za
- Port: 587
- Username: [email protected]
- Password: $$$333###
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoC)
  resource                                                                     yara_rule
  behavioral2/memory/3420-18-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation   2b134be5c3d9c940c710adcf5f5e6b84.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                procid_target
  PID 5004 set thread context of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3196  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  3420  2b134be5c3d9c940c710adcf5f5e6b84.exe
  3420  2b134be5c3d9c940c710adcf5f5e6b84.exe
  3420  2b134be5c3d9c940c710adcf5f5e6b84.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3420  2b134be5c3d9c940c710adcf5f5e6b84.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                procid_target
  PID 5004 wrote to memory of 3196  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   104
  PID 5004 wrote to memory of 3196  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   104
  PID 5004 wrote to memory of 3196  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   104
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
  PID 5004 wrote to memory of 3420  5004  2b134be5c3d9c940c710adcf5f5e6b84.exe   106
Processes
- C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe (PID 5004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 3196, child of 5004)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PaZIIm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E19.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe (PID 3420, child of 5004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2b134be5c3d9c940c710adcf5f5e6b84.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: ccccd66bd22acdceb7523ae90a87e8b4
  SHA1: 8a3d82b2d552bf99e55e8d8e7a6760f3b5a315e6
  SHA256: 3c8a64fe2a3e5691188a198f6e1e92d942fcebf3b77bb8e5c7443506df0dd284
  SHA512: 6765da8be293794f7f35ff103246b9dd71ea8c76b6fef84b88bac2999c44c3b5e02c429574c90adbee4eaedc37071f1aefbdb9ef661132b1833219a81f5542ac