Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2024, 00:17
Static task
static1
Behavioral task
behavioral1
Sample
db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
Resource
win10v2004-20240226-en
General
-
Target
db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
-
Size
1.0MB
-
MD5
a137ddf047bb1db826af4ccb3110db6d
-
SHA1
dd93f6c84d0b01d78d7eae68811e8f5edd512019
-
SHA256
db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d
-
SHA512
bc6a5259b8dbf751ad5024b35c556afff2db8b85f9f784f07b72dfc6099d5a6b9a28dd6802fb780c9764e68fc85c62abda45449a92f12a917ffb17a40223b475
-
SSDEEP
24576:dtb20pkaCqT5TBWgNQ7anf9xR7LkwR6A:OVg5tQ7anfBLj5
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.antoniomayol.com:21 - Port:
21 - Username:
[email protected] - Password:
cMhKDQUk1{;%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL -
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isochronal.vbs isochronal.exe -
Executes dropped EXE 1 IoCs
pid Process 2848 isochronal.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 38 ip-api.com -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023203-13.dat autoit_exe behavioral2/files/0x0007000000023203-14.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2848 set thread context of 3152 2848 isochronal.exe 98 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3152 RegSvcs.exe 3152 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2848 isochronal.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3152 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 2848 isochronal.exe 2848 isochronal.exe 2848 isochronal.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 2848 isochronal.exe 2848 isochronal.exe 2848 isochronal.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3680 wrote to memory of 2848 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 95 PID 3680 wrote to memory of 2848 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 95 PID 3680 wrote to memory of 2848 3680 db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe 95 PID 2848 wrote to memory of 3152 2848 isochronal.exe 98 PID 2848 wrote to memory of 3152 2848 isochronal.exe 98 PID 2848 wrote to memory of 3152 2848 isochronal.exe 98 PID 2848 wrote to memory of 3152 2848 isochronal.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Users\Admin\AppData\Local\penstocks\isochronal.exe"C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.6MB
MD52ed70b7e40ee933d262bc26690f54599
SHA1be4dd023b98baca1da230bc7f1b73b87223ef05e
SHA2563be687d7a6d01719a6d7534e2165ffba855ebc61d50b04d32599a1ed3c71f90f
SHA5124140b80147b83b3dce19f9a4674c49ebacb627b1c7b39754e6639291bc089bb21c9a438edc912e48bef056135de74166d7d3729498004149fd390268d17b5f9c
-
Filesize
12.1MB
MD5825333cbd7495113174265170547de3a
SHA1ae6f72eb21f6c17ad81b8736a173ffe7ad2c8661
SHA2563052f8b9fb3a2d71e260d954fa8600fbcf769a0a8766f253dd55f37f9ba1fb15
SHA512094d982a2d6b686400d97813cff65096e5ca4af190c0c8d13626663fa019f1e0bfda81e3d9d18dacf1d53dfca9436537e7a30f5013f4c2f47b6b7a8d3738be36