Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/05/2024, 01:45
Static task
- static1
Behavioral tasks
- behavioral1: Sample 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe; Resource win7-20240221-en
- behavioral2: Sample 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe; Resource win10v2004-20240426-en
- behavioral3: Sample $PLUGINSDIR/System.dll; Resource win7-20240508-en
- behavioral4: Sample $PLUGINSDIR/System.dll; Resource win10v2004-20240426-en
General
- Target: 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Size: 821KB
- MD5: c7ae7bfda7f71b76c6f3213cfe94529e
- SHA1: eebcb778056a8fa9a33255141d70ffac41523caf
- SHA256: 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
- SHA512: 70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2
- SSDEEP: 12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH
Malware Config
Extracted
- Family: agenttesla
- C2: https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  resource / yara_rule:
  - behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp / INDICATOR_EXE_Packed_GEN01
  - behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp / INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  resource / yara_rule:
  - behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp / INDICATOR_SUSPICIOUS_Binary_References_Browsers
  - behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp / INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables referencing Windows vault credential objects. Observed in infostealers. 2 IoCs
  resource / yara_rule:
  - behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  - behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 2 IoCs
  resource / yara_rule:
  - behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  - behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers. 2 IoCs
  resource / yara_rule:
  - behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  - behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers. 2 IoCs
  resource / yara_rule:
  - behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  - behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Loads dropped DLL 2 IoCs
  pid / Process:
  - 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
  - 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service 2 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 35 / api.ipify.org
  - 36 / api.ipify.org
- Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  pid / Process:
  - 1056 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  pid / Process:
  - 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
  - 1056 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Suspicious use of SetThreadContext 1 IoCs
  description / pid / Process / procid_target:
  - PID 3080 set thread context of 1056 / 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe / 92
- Drops file in Windows directory 1 IoCs
  description / ioc / Process:
  - File opened for modification / C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid / Process:
  - 1056 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
  - 1056 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  pid / Process:
  - 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description / pid / Process:
  - Token: SeDebugPrivilege / 1056 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  description / pid / Process / procid_target:
  - PID 3080 wrote to memory of 1056 / 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe / 92
  - PID 3080 wrote to memory of 1056 / 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe / 92
  - PID 3080 wrote to memory of 1056 / 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe / 92
  - PID 3080 wrote to memory of 1056 / 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe / 92
  - PID 3080 wrote to memory of 1056 / 3080 / 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe / 92
Processes
- C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe"
  PID: 3080
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe"
    PID: 1056
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads