Analysis
max time kernel: 139s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/08/2024, 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: Halkbank_Ekstre_20240812_081403_007266.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Halkbank_Ekstre_20240812_081403_007266.exe
  Resource: win10v2004-20240802-en
General
Target: Halkbank_Ekstre_20240812_081403_007266.exe
Size: 1.4MB
MD5: fb01a854283305bb8180075a0ffe68db
SHA1: a3f9e9f93466ea7edfb45bdcaca73e2019dcd21a
SHA256: 9bf1760a20004fc2edd6334f613ea2fbb8e71ebac2f145b79a8782839b1c412e
SHA512: a29950a535aa9e118dd615d830dbe7a2452794c4dddc2d5dcc6e5fd51dd580a8890e8383c7ebe28bf2e34a1c4aeed87a066d1d366e0bd85f29f616150107e1c6
SSDEEP: 24576:UAHnh+eWsN3skA4RV1Hom2KXMmHawpXQzG/WmNZ5:jh+ZkldoPK8YawpXQzaz
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer built on the .NET Framework (Visual Basic .NET).
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs (process: name.exe)
- Executes dropped EXE (1 IoC)
  PID 4196: name.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched resource behavioral2/files/0x00090000000234e8-16.dat
- Suspicious use of SetThreadContext (1 IoC)
  PID 4196 (name.exe) set the thread context of PID 2196 (procid_target 90)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Halkbank_Ekstre_20240812_081403_007266.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: name.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2196: RegSvcs.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4196: name.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2196 (RegSvcs.exe)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 3556: Halkbank_Ekstre_20240812_081403_007266.exe (2 occurrences)
  PID 4196: name.exe (2 occurrences)
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 3556: Halkbank_Ekstre_20240812_081403_007266.exe (2 occurrences)
  PID 4196: name.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3556 (Halkbank_Ekstre_20240812_081403_007266.exe) wrote to memory of PID 4196 (procid_target 87), 3 occurrences
  PID 4196 (name.exe) wrote to memory of PID 2196 (procid_target 90), 4 occurrences
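A static check for the "AutoIT Executable" signature above, as an added example that is neither the Triage autoit_exe rule nor anything from the sample: compiled AutoIt v3 binaries carry the ASCII marker "AU3!EA06" ahead of the embedded script blob and the stock interpreter stub's message "This is a third-party compiled AutoIt script.", so a triage script can flag a PE by scanning for both. The byte blobs below are constructed test inputs, not the dropped file.

```python
"""Flag compiled AutoIt v3 PE files by their well-known embedded markers.

Added example, not the Triage rule or the sample's own code. The test
inputs FAKE_AUTOIT and FAKE_PLAIN are constructed to exercise the check.
"""

# Marker that precedes the embedded (compiled) script in AutoIt v3 binaries.
AU3_SCRIPT_MARKER = b"AU3!EA06"
# Message string carried by the standard AutoIt3 interpreter stub.
AU3_STUB_STRING = b"This is a third-party compiled AutoIt script."


def autoit_indicators(data):
    """Return {marker_name: offset} for each AutoIt marker present in data."""
    found = {}
    for name, marker in (("script_marker", AU3_SCRIPT_MARKER),
                         ("stub_string", AU3_STUB_STRING)):
        off = data.find(marker)
        if off != -1:
            found[name] = off
    return found


def is_compiled_autoit(data):
    """True only for a PE image (MZ header) that carries the script marker.

    The stub string alone is not enough: it can occur in any file that merely
    quotes the message, so the verdict keys on the script marker.
    """
    return data[:2] == b"MZ" and "script_marker" in autoit_indicators(data)


def scan_file(path):
    """Convenience wrapper for triaging a file on disk."""
    with open(path, "rb") as fh:
        return is_compiled_autoit(fh.read())


# Constructed PE-like blob: MZ header, padding, stub string at offset 100,
# then the script marker at offset 161. Not a real executable.
FAKE_AUTOIT = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
               + AU3_STUB_STRING + b"\x00" * 16 + AU3_SCRIPT_MARKER + b"\x01\x02")
# Constructed PE-like blob with no AutoIt markers.
FAKE_PLAIN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64

if __name__ == "__main__":
    print("constructed AutoIt blob:", autoit_indicators(FAKE_AUTOIT), is_compiled_autoit(FAKE_AUTOIT))
    print("constructed plain blob: ", autoit_indicators(FAKE_PLAIN), is_compiled_autoit(FAKE_PLAIN))
```

The marker scan is the same idea the autoit_exe YARA rule relies on; run it over the dropped files listed under Downloads to confirm which of them is the AutoIt stage before spending time on the .NET payload.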
Processes
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240812_081403_007266.exe (PID 3556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240812_081403_007266.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\directory\name.exe (PID 4196, child of PID 3556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240812_081403_007266.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2196, child of PID 4196)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240812_081403_007266.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
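The process tree and signatures above describe one chain: the sample (PID 3556) writes into a dropped executable name.exe (PID 4196), which drops name.vbs into the user's Startup folder, then starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2196), writes to its memory and sets its thread context. Both name.exe and RegSvcs.exe report the original sample's path as their command line while running from a different image, which together with the SetThreadContext and WriteProcessMemory hits is consistent with process hollowing into a signed .NET host. The following detection logic is an added example, not part of the Triage report or the sample: it replays constructed process-creation and file-creation events (built from the PIDs, paths and hashes listed on this page) through three rules and a hash match, then correlates hits per PID. The event schema, rule names, the list of .NET host binaries, the explorer.exe parent and the benign control event are assumptions for illustration.

```python
"""Rules for the behaviour chain in the report above (added example, not the
Triage report's or the sample's own code). Replays constructed Sysmon-style
events through three rules plus a hash match and correlates hits per PID.
The event schema, rule names, DOTNET_HOSTS, the explorer.exe parent and the
benign control event are assumptions for illustration."""
import ntpath
import re

# SHA256 values copied from the report: the sample and the two dropped files.
KNOWN_SHA256 = {
    "9bf1760a20004fc2edd6334f613ea2fbb8e71ebac2f145b79a8782839b1c412e",
    "5392d1cba5fef681a4076131b7be081880da2123f8ebbaddb3bcdcec96d8088f",
    "f7f9204a574ce9a8f01df81a993690a08fe3b9812c8fed8f703977bda842fea5",
}
# .NET Framework utilities that are popular injection hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
DOTNET_DIR = "c:\\windows\\microsoft.net\\"
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)(?=\\)", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup(?=\\)", re.I)
SCRIPT_EXTS = {".vbs", ".js", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".exe", ".lnk"}


def _cmdline_image(cmdline):
    """Executable path at the start of a command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_process(ev):
    """Rules for one process-creation event; returns (rule, pid, image, detail)."""
    hits = []
    image, base = ev["image"], ntpath.basename(ev["image"]).lower()
    cl_image = _cmdline_image(ev.get("cmdline", ""))
    # Rule 1: a full path in the command line that differs from the image
    # actually running (the report shows this for name.exe and RegSvcs.exe).
    if "\\" in cl_image and ntpath.normcase(cl_image) != ntpath.normcase(image):
        hits.append(("cmdline_image_mismatch", ev["pid"], base, cl_image))
    # Rule 2: a .NET Framework utility spawned from a user-writable directory.
    if base in DOTNET_HOSTS and image.lower().startswith(DOTNET_DIR) \
            and USER_WRITABLE.match(ev.get("parent_image", "")):
        hits.append(("dotnet_host_from_user_dir", ev["pid"], base, ev["parent_image"]))
    # Hash match against the IoCs on this page.
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append(("known_hash", ev["pid"], base, ev["sha256"]))
    return hits


def check_file(ev):
    """Rule 3: a script or executable written into the user's Startup folder."""
    path = ev["path"]
    if STARTUP_DIR.search(path) and ntpath.splitext(path)[1].lower() in SCRIPT_EXTS:
        return [("startup_persistence", ev["pid"], ntpath.basename(ev["process"]).lower(), path)]
    return []


def detect(events):
    """Run every event through the rule that matches its type."""
    hits = []
    for ev in events:
        hits += check_process(ev) if ev["type"] == "process" else check_file(ev)
    return hits


def correlate(hits, min_rules=2):
    """PIDs that triggered at least min_rules distinct rules, for triage ordering."""
    by_pid = {}
    for rule, pid, _base, _detail in hits:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= min_rules)


# Constructed events mirroring the report's process tree and dropped-file IoC.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240812_081403_007266.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\directory\name.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [
    {"type": "process", "pid": 3556, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe",  # parent assumed, not in the report
     "sha256": "9bf1760a20004fc2edd6334f613ea2fbb8e71ebac2f145b79a8782839b1c412e"},
    {"type": "process", "pid": 4196, "image": DROPPED, "cmdline": f'"{SAMPLE}"',
     "parent_image": SAMPLE},
    {"type": "file", "pid": 4196, "process": DROPPED,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"},
    {"type": "process", "pid": 2196, "image": HOST, "cmdline": f'"{SAMPLE}"',
     "parent_image": DROPPED},
    # Benign control (constructed): RegSvcs.exe run by an installer from Program Files.
    {"type": "process", "pid": 5000, "image": HOST,
     "cmdline": f'"{HOST}" "C:\\Program Files\\Vendor\\component.dll"',
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    print("PIDs with correlated hits:", correlate(detect(EVENTS)))
```

Rule 1 only fires when the command line carries a full path, because bare names ("notepad foo.txt") are routine; the control event shows that a RegSvcs.exe launched normally, with its own path on the command line and a parent outside user-writable space, triggers nothing. The correlation step is what separates the two injected stages (PIDs 4196 and 2196, two distinct rules each) from the initial sample, which is only a hash hit here.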
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 265KB
  MD5: 8506cab27e45e13b61e274d4afd0773c
  SHA1: ab366868718909fc783a6d1f43d8ee2036e90f62
  SHA256: 5392d1cba5fef681a4076131b7be081880da2123f8ebbaddb3bcdcec96d8088f
  SHA512: d7e09b8ebb3a5212a590dddea3f2d850ee26be115aa185992cd8d5dea534c94fe48d1d007241fc60a8cfd8089228ed399b4706036d602a29dd05e3fedf50b6bb
- Filesize: 28KB
  MD5: e004dbccf6a58f9b405050ba8d9ef829
  SHA1: 357783514e0b35b194f7363d3e6756f8f7556e84
  SHA256: f7f9204a574ce9a8f01df81a993690a08fe3b9812c8fed8f703977bda842fea5
  SHA512: 8fa7c399033e8301541754f7704b133a4c9a94fadb5794c8d4fc903991896291a7553aac4b058fb618d199a4e25e21813c07b5ced53f2c972f2abb958d3994d6
- Filesize: 1.4MB (hashes identical to the submitted sample listed under General)
  MD5: fb01a854283305bb8180075a0ffe68db
  SHA1: a3f9e9f93466ea7edfb45bdcaca73e2019dcd21a
  SHA256: 9bf1760a20004fc2edd6334f613ea2fbb8e71ebac2f145b79a8782839b1c412e
  SHA512: a29950a535aa9e118dd615d830dbe7a2452794c4dddc2d5dcc6e5fd51dd580a8890e8383c7ebe28bf2e34a1c4aeed87a066d1d366e0bd85f29f616150107e1c6