Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
163s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
07/01/2024, 19:35
General
-
Target
a2ed4963dfd45090c2112b7ba2422f86.exe
-
Size
453KB
-
MD5
a2ed4963dfd45090c2112b7ba2422f86
-
SHA1
2bcef9993ffb483d5b7a8d482c00d33c71a28a02
-
SHA256
bcdf684939411112be33475b5422edf1f6b8219b0f1b786e1ad222d2ebbca6c1
-
SHA512
57891e845c2dcaf071ef6e5bae4a6cbb93789f563d84481d1447d4c36aa9f4f13f9d32d743672d8dcd293c1129c2f14e23804f7a19aaa8e0a3e9378e04b4d911
-
SSDEEP
6144:2Eul21llAVOCt6ZJJbrr8pMnGdBI+cHGBJqaavKrfO2zPmuliN63z3BlO:WEiCtIKGdBIjqJWKqpugN63H
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mohhg.com - Port:
587 - Username:
[email protected] - Password:
r:1{cNw4}vJc
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe"C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tQsJxm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97E1.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe"{path}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe"{path}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
496B
MD5cb76b18ebed3a9f05a14aed43d35fba6
SHA1836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA2568d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA5127631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
-
Filesize
1KB
MD573488617e7e0d6f81b6ffd7e974d5dc0
SHA1987776f6169cd0248dd1bf7eb69bde326bf80d5a
SHA256cf1cf5597a51304d7bb636316587f1218143d764a4ffcd2c8002c6ba014c1e7e
SHA512c7aedf807b6d83b74762db0b6d3ebf68bbefe44d1ee2c51bf8f5b9a25593156686fb7a6878777be961d69bb66aaea694693d6e406f082750694a6c302b588000
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
240KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB