Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
85s -
max time network
63s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/09/2024, 22:57
General
-
Target
Debug.rar
-
Size
1.5MB
-
MD5
793fa8a48839b30426a57924e9708e7b
-
SHA1
53e38c7556390ba84bf1cf5402ba7c73b9424fb8
-
SHA256
4d174b72d4885a6099bb775a4cfafd62569195287d657ad23b42019a4761d698
-
SHA512
7c45128232bc215916fb64db977b7105c064568bf482cb2193f9530e2d7738e91cbcd50a58989ae11c412abafb82b4cabdc17509b32fbcf45066aae27444497d
-
SSDEEP
24576:n1KK6ImbokiLRq3dieSQiua9oxaAPaNTEZc/uhSLSYcNt/V9Dvn+WfGqqUFiygUl:ncCoo5L4Nn/s+xRPa8cY9DvnHbrkyUf8
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023509-12.dat family_agenttesla behavioral1/memory/2092-15-0x00000000055B0000-0x00000000057C4000-memory.dmp family_agenttesla -
Executes dropped EXE 2 IoCs
pid Process 2092 WindowsFormsApp2.exe 4204 WindowsFormsApp2.exe -
Loads dropped DLL 8 IoCs
pid Process 2092 WindowsFormsApp2.exe 2092 WindowsFormsApp2.exe 2092 WindowsFormsApp2.exe 2092 WindowsFormsApp2.exe 4204 WindowsFormsApp2.exe 4204 WindowsFormsApp2.exe 4204 WindowsFormsApp2.exe 4204 WindowsFormsApp2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsFormsApp2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsFormsApp2.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer WindowsFormsApp2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion WindowsFormsApp2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS WindowsFormsApp2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer WindowsFormsApp2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion WindowsFormsApp2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS WindowsFormsApp2.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 1548 7zG.exe Token: 35 1548 7zG.exe Token: SeSecurityPrivilege 1548 7zG.exe Token: SeSecurityPrivilege 1548 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1548 7zG.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5068 OpenWith.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar1⤵
- Modifies registry class
PID:3248
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5068
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:720
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Debug\" -spe -an -ai#7zMap9388:68:7zEvent78051⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1548
-
C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2092
-
C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4204
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57ebe314bf617dc3e48b995a6c352740c
SHA1538f643b7b30f9231a3035c448607f767527a870
SHA25648178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA5120ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e
-
Filesize
2.1MB
MD5c19e9e6a4bc1b668d19505a0437e7f7e
SHA173be712aef4baa6e9dabfc237b5c039f62a847fa
SHA2569ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
SHA512b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
Filesize
1.3MB
MD5750c58af2e56b6addecffcf152520ab8
SHA114995e7f1d12498606d9d209d78d55fe6fd87802
SHA25627c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26
SHA5122179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5
-
Filesize
504KB
MD57e873ea844ca676ad0daaa3ab3ea18f0
SHA162a93ae492a92e2dbd079f7a6fc8ebfd2ffc64ee
SHA2569d9a558671f4b14e8edf2b62c26db0535de697dc181f5954b9e648b7e007a513
SHA5129c65c7476a60b6d8584b2d4c2c20a7038deac1b20ef51d335191364bed33eef0d74cfbf25e8f591fca5e763d299577557971354c9d5c795c6f53c2f6522a9848