Analysis
- max time kernel: 141s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 12:23

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: New PO.exe
  Resource: win7-20240705-en
- Behavioral task: behavioral2
  Sample: New PO.exe
  Resource: win10v2004-20240709-en
General
- Target: New PO.exe
- Size: 902KB
- MD5: c620cb4980a6984166e7f8a02d620a93
- SHA1: b007fa2db34b8d6442058bbbc2ce323947fa412f
- SHA256: fca02c1e43831d819e18a62b8437ce43942eca3110c68a09be88a600fba74fce
- SHA512: 17e8961579596ccf30acd2df40521c0c9fee3cc5bcd3e4815133b1ca9c09f1904713a8312cada6142a5e97db142fd6244d5ded1d6d9f2c61eec449e7162aeabc
- SSDEEP: 24576:ZL2RGgFQVCfI1alPmqT8J/7tN4l/G2dn26:ZL5g0Cfe3fJZMVnN
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.softg.com.ng/
- Port: 21
- Username: [email protected]
- Password: logs184035721
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4836-17-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | New PO.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1968 set thread context of 4836 | 1968 | New PO.exe | 101
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4532 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1968 | New PO.exe
  4836 | New PO.exe
  4836 | New PO.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1968 | New PO.exe
  Token: SeDebugPrivilege | 4836 | New PO.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1968 wrote to memory of 4532 | 1968 | New PO.exe | 98
  PID 1968 wrote to memory of 4532 | 1968 | New PO.exe | 98
  PID 1968 wrote to memory of 4532 | 1968 | New PO.exe | 98
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
  PID 1968 wrote to memory of 4836 | 1968 | New PO.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\New PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New PO.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1968
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZrrzljkKWRXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BA1.tmp"
    - Scheduled Task/Job: Scheduled Task
    PID: 4532
  - C:\Users\Admin\AppData\Local\Temp\New PO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New PO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4836
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c07ac53c0bd283d94002b7a9de743614
  SHA1: abe340e1c379222b90dc3af969758b04823261e5
  SHA256: 9d2b97b43cd63c136a5b4c710d20d5ad3adc413d3b8e756da25c35d126de358a
  SHA512: dde9c1636247d8a73cb7c6adce48db9cff4a5bd3ebe9c2e30fc78ee91f716c40017ec09301073c08ebf753b592008433e0a33e254a8bc07d19ef84f88a1ce816