Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2024, 00:17

General

  • Target

    db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe

  • Size

    1.0MB

  • MD5

    a137ddf047bb1db826af4ccb3110db6d

  • SHA1

    dd93f6c84d0b01d78d7eae68811e8f5edd512019

  • SHA256

    db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d

  • SHA512

    bc6a5259b8dbf751ad5024b35c556afff2db8b85f9f784f07b72dfc6099d5a6b9a28dd6802fb780c9764e68fc85c62abda45449a92f12a917ffb17a40223b475

  • SSDEEP

    24576:dtb20pkaCqT5TBWgNQ7anf9xR7LkwR6A:OVg5tQ7anfBLj5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
    "C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\penstocks\isochronal.exe
      "C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3152

Downloads

  • C:\Users\Admin\AppData\Local\penstocks\isochronal.exe

    Filesize

    10.6MB

    MD5

    2ed70b7e40ee933d262bc26690f54599

    SHA1

    be4dd023b98baca1da230bc7f1b73b87223ef05e

    SHA256

    3be687d7a6d01719a6d7534e2165ffba855ebc61d50b04d32599a1ed3c71f90f

    SHA512

    4140b80147b83b3dce19f9a4674c49ebacb627b1c7b39754e6639291bc089bb21c9a438edc912e48bef056135de74166d7d3729498004149fd390268d17b5f9c

  • C:\Users\Admin\AppData\Local\penstocks\isochronal.exe

    Filesize

    12.1MB

    MD5

    825333cbd7495113174265170547de3a

    SHA1

    ae6f72eb21f6c17ad81b8736a173ffe7ad2c8661

    SHA256

    3052f8b9fb3a2d71e260d954fa8600fbcf769a0a8766f253dd55f37f9ba1fb15

    SHA512

    094d982a2d6b686400d97813cff65096e5ca4af190c0c8d13626663fa019f1e0bfda81e3d9d18dacf1d53dfca9436537e7a30f5013f4c2f47b6b7a8d3738be36

  • memory/3152-30-0x0000000005BD0000-0x0000000006174000-memory.dmp

    Filesize

    5.6MB

  • memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3152-29-0x00000000746E0000-0x0000000074E90000-memory.dmp

    Filesize

    7.7MB

  • memory/3152-31-0x0000000005840000-0x0000000005850000-memory.dmp

    Filesize

    64KB

  • memory/3152-32-0x0000000005850000-0x00000000058B6000-memory.dmp

    Filesize

    408KB

  • memory/3152-33-0x0000000006B00000-0x0000000006B50000-memory.dmp

    Filesize

    320KB

  • memory/3152-34-0x0000000006BF0000-0x0000000006C82000-memory.dmp

    Filesize

    584KB

  • memory/3152-35-0x0000000006B80000-0x0000000006B8A000-memory.dmp

    Filesize

    40KB

  • memory/3152-36-0x00000000746E0000-0x0000000074E90000-memory.dmp

    Filesize

    7.7MB

  • memory/3152-37-0x0000000005840000-0x0000000005850000-memory.dmp

    Filesize

    64KB

  • memory/3680-10-0x00000000034C0000-0x00000000034C4000-memory.dmp

    Filesize

    16KB