Analysis

  • max time kernel
    85s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2024, 22:57

General

  • Target

    Debug.rar

  • Size

    1.5MB

  • MD5

    793fa8a48839b30426a57924e9708e7b

  • SHA1

    53e38c7556390ba84bf1cf5402ba7c73b9424fb8

  • SHA256

    4d174b72d4885a6099bb775a4cfafd62569195287d657ad23b42019a4761d698

  • SHA512

    7c45128232bc215916fb64db977b7105c064568bf482cb2193f9530e2d7738e91cbcd50a58989ae11c412abafb82b4cabdc17509b32fbcf45066aae27444497d

  • SSDEEP

    24576:n1KK6ImbokiLRq3dieSQiua9oxaAPaNTEZc/uhSLSYcNt/V9Dvn+WfGqqUFiygUl:ncCoo5L4Nn/s+xRPa8cY9DvnHbrkyUf8

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar
    1⤵
    • Modifies registry class
    PID:3248
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5068
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:720
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Debug\" -spe -an -ai#7zMap9388:68:7zEvent7805
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1548
    • C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe
      "C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2092
    • C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe
      "C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:4204

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsFormsApp2.exe.log

      Filesize

      1KB

      MD5

      7ebe314bf617dc3e48b995a6c352740c

      SHA1

      538f643b7b30f9231a3035c448607f767527a870

      SHA256

      48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

      SHA512

      0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

    • C:\Users\Admin\Desktop\Debug\Guna.UI2.dll

      Filesize

      2.1MB

      MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

      SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

      SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

      SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • C:\Users\Admin\Desktop\Debug\Siticone.UI.dll

      Filesize

      1.3MB

      MD5

      750c58af2e56b6addecffcf152520ab8

      SHA1

      14995e7f1d12498606d9d209d78d55fe6fd87802

      SHA256

      27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

      SHA512

      2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

    • C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe

      Filesize

      504KB

      MD5

      7e873ea844ca676ad0daaa3ab3ea18f0

      SHA1

      62a93ae492a92e2dbd079f7a6fc8ebfd2ffc64ee

      SHA256

      9d9a558671f4b14e8edf2b62c26db0535de697dc181f5954b9e648b7e007a513

      SHA512

      9c65c7476a60b6d8584b2d4c2c20a7038deac1b20ef51d335191364bed33eef0d74cfbf25e8f591fca5e763d299577557971354c9d5c795c6f53c2f6522a9848

    • memory/2092-8-0x0000000000130000-0x00000000001B4000-memory.dmp

      Filesize

      528KB

    • memory/2092-9-0x0000000005000000-0x00000000055A4000-memory.dmp

      Filesize

      5.6MB

    • memory/2092-10-0x0000000004A50000-0x0000000004AE2000-memory.dmp

      Filesize

      584KB

    • memory/2092-11-0x0000000004D30000-0x0000000004D3A000-memory.dmp

      Filesize

      40KB

    • memory/2092-15-0x00000000055B0000-0x00000000057C4000-memory.dmp

      Filesize

      2.1MB

    • memory/2092-19-0x0000000008BB0000-0x0000000008CFE000-memory.dmp

      Filesize

      1.3MB

    • memory/2092-20-0x00000000089B0000-0x00000000089C4000-memory.dmp

      Filesize

      80KB

    • memory/4204-28-0x0000000008B30000-0x0000000008B44000-memory.dmp

      Filesize

      80KB