Analysis
- max time kernel: 27s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/01/2024, 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
- Resource: win10v2004-20231222-en
General
- Target: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
- Size: 728KB
- MD5: cdf4d3afa2bee0bf7815ea21c357fcbd
- SHA1: 14bd588ba6460c3dc6351b54936f64f7261a7e4c
- SHA256: 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a
- SHA512: 490b7c341d91f483aef5f24b82e872d88dd278d49bee19e7051aad9af460193ba3d27e11283784c32b0d970f645fe7e1a11492020ecdf07df41d2e890db95238
- SSDEEP: 12288:PAYAXukOaVQpmyydTlVQnmI5dj39r+ZNJ+CRW74FXHMNya0USBx+R:xLz9iim8jNrlGW7DyaWx+R
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: cp5ua.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1400 | 3008 | WerFault.exe | 118
- Runs ping.exe (1 TTP, 3 IoCs)
  pid | Process
  3880 | PING.EXE
  2984 | PING.EXE
  2244 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process
  2464 | 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe (this same entry is listed 26 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2464 | 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2464 wrote to memory of 2064 | 2464 | 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe | 100 (listed 3 times)
  PID 2064 wrote to memory of 3880 | 2064 | cmd.exe | 99 (listed 3 times)
  PID 2464 wrote to memory of 1768 | 2464 | 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe | 106 (listed 3 times)
  PID 1768 wrote to memory of 2984 | 1768 | cmd.exe | 105 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe (PID 2464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2064)
    Command line: "cmd" /c ping 127.0.0.1 -n 25 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explooorrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1384)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explooorrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 1768)
    Command line: "cmd" /c ping 127.0.0.1 -n 27 > nul && copy "C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe" "C:\Users\Admin\AppData\Roaming\explooorrs.exe" && ping 127.0.0.1 -n 27 > nul && "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2244)
      Command line: ping 127.0.0.1 -n 27
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\explooorrs.exe (PID 4580)
      Command line: "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 5072)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 3008)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        - C:\Windows\SysWOW64\WerFault.exe (PID 1400)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1384
          Signatures: Program crash
- C:\Windows\SysWOW64\PING.EXE (PID 3880)
  Command line: ping 127.0.0.1 -n 25
  Signatures: Runs ping.exe
- C:\Windows\SysWOW64\PING.EXE (PID 2984)
  Command line: ping 127.0.0.1 -n 27
  Signatures: Runs ping.exe
- C:\Windows\SysWOW64\WerFault.exe (PID 4788)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
- MD5: 8ddafdf0f14517b39a6aaa3c6268345e
- SHA1: 45430ceb1f9a70a78f295610c265dba55207d461
- SHA256: 39bd85c1554320a8a6ad139ecd57b9103c6745dc7c104aeb951307ae505a606f
- SHA512: 84277b8b2ccf21e20bf342af064906e2ddc648cf043e812d61f027d5ee2ab9d26837da309bd82f1343da00caaa1bbfda7ba7b9160114a7f7dd11d30c0d92a608