Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
22/09/2024, 09:23
240922-lcmh6ssclm 921/09/2024, 08:10
240921-j2tbxasfjj 921/09/2024, 07:38
240921-jggsda1gjl 928/07/2024, 17:11
240728-vp9c5syajh 1018/06/2024, 14:08
240618-rfnhjaxanf 10Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-de -
resource tags
-
submitted
28/07/2024, 17:11
General
-
Target
WZAgent.exe
-
Size
26.2MB
-
MD5
4cf978f2749291d8d9a722cf8bd9d9ea
-
SHA1
2580a9be8bc6994987cc4951a4690efd7077ea92
-
SHA256
ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c
-
SHA512
d1ba2ea6a06cf5241bd26319b7bd2da7cb3ca0453496703fa66413cc56edf9893414a970dfb67451cfb85ef735305986958ba852287b3dc63b7cf28ab351d61d
-
SSDEEP
786432:Ov1EWULlsocwpd3XHEquH6rdEePFG/7vG43EY6:Ov1EWusor8j6r714
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer 18 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe"C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5c8f9bb079b95f0f981f33f1ac3058078
SHA151c811e8e50c47fac5710f3282eed71614069b3b
SHA2569128311603d540106ceede1f308e42360a43e6021fec575d2d5505365007b2fa
SHA512c2b2c425812a6c3fe5886198e1d757a0ff706937847035f7ba99707946122f39717ea0eae3c41642632ca9d1ca2901ab5a04b7db26aa35a5d769a1f1e91669dc
-
Filesize
4.0MB
MD58e839b26c5efed6f41d6e854e5e97f5b
SHA15cb71374f72bf6a63ff65a6cda57ff66c3e54836
SHA2561f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011
SHA51292446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093
-
Filesize
28.1MB
MD59a5a67984bec57723b1e013f38eaa258
SHA1aa0868e6cd489e27b57c9bae31bc9c99b270bad1
SHA25681a363f651c2ce2a54c62c637acebf3b23c163854cf1a28b3c3494a649d14a7d
SHA512ce702691d2be9db0961967d67ee69db99992967730bea696f620d4124267eea41b0a7e8314b182a2646da76c4177140bba332ae5334d69f7a688bd29d0a79154
-
Filesize
27.9MB
MD5e7c00475b006290804ec00a478859f2f
SHA1259809bb20937d7226b766e7d42a3a6ede588d0b
SHA256e6d38f3b192ae3b83f889826db2f51438fe4975351bf3adc8f4138dc0fb2e807
SHA5123c2ce526021e7241393d8ed7dab174a4340aad5cb39246db3a5f6234409ba2440db9ea561da71e06d811b19c9756456eb5ae0adf37e7d8bb56009a2a9b292efa
-
Filesize
99KB
MD56c8a405b8243837682378cfbefa92001
SHA121a120c6fcca8aff536cb896586131376497bc86
SHA256a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2
SHA51212a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
16.4MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
35.5MB
-
Filesize
35.5MB
-
Filesize
11.2MB
-
Filesize
35.5MB
-
Filesize
1.3MB
-
Filesize
11.2MB
-
Filesize
35.5MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
14.3MB
-
Filesize
1.0MB
-
Filesize
264KB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
2.8MB
-
Filesize
11.2MB
-
Filesize
34.0MB
-
Filesize
34.0MB
-
Filesize
2.8MB
-
Filesize
1.9MB
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
1.3MB
-
Filesize
34.0MB
-
Filesize
2.8MB
-
Filesize
11.2MB
-
Filesize
2.8MB
-
Filesize
34.0MB
-
Filesize
34.0MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
4KB