Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1615274acd...68.exe

windows7-x64

10

1615274acd...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2024, 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1615274acd75a7b13afe34886165cf97e6f15485b2186c75509fb47d7baa7468.exe

  • Size

    788KB

  • MD5

    d5c52173b2b47227742614bac91fa160

  • SHA1

    852e4c1a66790c2759f2753a5f3636e3c06fa267

  • SHA256

    1615274acd75a7b13afe34886165cf97e6f15485b2186c75509fb47d7baa7468

  • SHA512

    ef90dfb80f48a66e91419c60045dcdd0e9518b17a7db933514e98efab9f2eb984a7f6a12354d08cf667ee0610f53a31fce947c00faa830d3073f9e4a4c659968

  • SSDEEP

    12288:X+UTm7btljWklC4cZDHOohDaFC6j3AVmg0fNsdIrKdRtEQHM:X+RbtMkM4cZLhDaFCU3MsNvrK1EX

Score
10/10
agentteslaevasionexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7207061695:AAF0n2ptfpKko1R4L1IUb4eqtXbyEcJ2KUU/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1615274acd75a7b13afe34886165cf97e6f15485b2186c75509fb47d7baa7468.exe
    "C:\Users\Admin\AppData\Local\Temp\1615274acd75a7b13afe34886165cf97e6f15485b2186c75509fb47d7baa7468.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1615274acd75a7b13afe34886165cf97e6f15485b2186c75509fb47d7baa7468.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
        PID:4908
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        2⤵
          PID:4684
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4584,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
        1⤵
          PID:864

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc334yby.kgr.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/1188-6-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1188-22-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1188-4-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1188-5-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1188-16-0x000001AC492B0000-0x000001AC492D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1640-3-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1640-1-0x00000230B1920000-0x00000230B1958000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1640-2-0x00000230CBF00000-0x00000230CBF94000-memory.dmp

          Filesize

          592KB

          Download

        • memory/1640-0-0x00007FFCBBCD3000-0x00007FFCBBCD5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1640-23-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3916-17-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/3916-21-0x00000000055C0000-0x0000000005626000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3916-18-0x0000000005A70000-0x0000000006014000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3916-24-0x00000000069E0000-0x0000000006A30000-memory.dmp

          Filesize

          320KB

          Download