Analysis

max time kernel: 302s
max time network: 303s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2024, 14:53
Static task
static1
General

Target: Sleettz Virtualization.exe
Size: 2.0MB
MD5: c5d37242066a5810109016a247888e71
SHA1: a231d34d5ffb94b7b8eaefbb971a2bfc73ce2774
SHA256: 3ede56d4a5079a09fecb2cb00fb88ac1b9c819dec029c276f51c1103554eff60
SHA512: ec54825b91dba5c61c4b8d7fa51d929e0bfcca881a53eda1667b2af223595b596d792aa7beabdf9b9bf746a0d97bf57ca48879e5c79f2079bd098e70d6565347
SSDEEP: 49152:WUfWcR1NNZHNNNNNNNXv2N8FR1NNZHNNNNNNNXv2N8lITYbNbNWo4kSH3OqtwIrM:WU+cR1NNZHNNNNNNNXv2N8FR1NNZHNN1
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic).

AgentTesla payload 1 IoCs
resource | yara_rule
behavioral1/memory/3480-7-0x0000000006430000-0x0000000006644000-memory.dmp | family_agenttesla
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Sleettz Virtualization.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Sleettz Virtualization.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sleettz Virtualization.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Sleettz Virtualization.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Sleettz Virtualization.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Sleettz Virtualization.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3480 | Sleettz Virtualization.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3480 | Sleettz Virtualization.exe
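Each of the anti-VM signatures above fires on a single registry read, and any one of them in isolation is also produced by legitimate software (installers routinely check for VMware Tools, for example). What a detection engineer wants is the combination: one process touching the VirtualBox key, the VMware key, the BIOS strings and the disk enumeration path within a short window is the fingerprinting pattern, not any single key. The following is an added example, not part of the Triage report or of any Triage tooling. It takes registry access events in a constructed `pid|process|operation|path` line format (modelled on the description/ioc/Process rows above; a real deployment would feed it Sysmon Event ID 12/13 or sandbox API-trace output), tallies which VM-discovery categories each process hit using the same key paths the report lists, and applies an assumed threshold of two distinct categories before calling it VM discovery. The category names, the pattern set and the threshold are this example's choices.

```python
"""Score registry accesses from a process trace for VM/sandbox fingerprinting.

Added example; not code from the Triage report. The event lines below are
constructed to mirror the registry keys the report shows the sample touching,
plus two benign processes for contrast.
"""
import re

# Registry paths that ordinary software rarely needs but that malware reads
# to recognise a VM or sandbox. Names mirror the report's signature titles;
# the regexes and grouping are this example's own choices.
VM_DISCOVERY_PATTERNS = {
    "VirtualBox Guest Additions": re.compile(r"\\Oracle\\VirtualBox Guest Additions$", re.I),
    "VMware Tools": re.compile(r"\\VMware, Inc\.\\VMware Tools$", re.I),
    "BIOS version strings": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I),
    "BIOS vendor/version": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\SystemManufacturer|\\SystemVersion)?$", re.I),
    "Disk enumeration": re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I),
}
# Language discovery is geolocation, not VM detection; tracked separately.
LANGUAGE_PATTERN = re.compile(r"\\Control\\NLS\\Language$", re.I)

# Constructed sample events: pid|process|operation|registry path.
# PID 3480 reproduces the report's accesses; 1200 and 4044 are benign fillers.
SAMPLE_EVENTS = """\
3480|Sleettz Virtualization.exe|KeyOpen|\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Oracle\\VirtualBox Guest Additions
3480|Sleettz Virtualization.exe|KeyOpen|\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\VMware, Inc.\\VMware Tools
3480|Sleettz Virtualization.exe|ValueQuery|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
3480|Sleettz Virtualization.exe|ValueQuery|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
3480|Sleettz Virtualization.exe|KeyOpen|\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum
3480|Sleettz Virtualization.exe|ValueQuery|\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\disk\\Enum\\0
3480|Sleettz Virtualization.exe|KeyOpen|\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language
3480|Sleettz Virtualization.exe|KeyOpen|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS
3480|Sleettz Virtualization.exe|ValueQuery|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer
3480|Sleettz Virtualization.exe|ValueQuery|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemVersion
1200|setup.exe|KeyOpen|\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\VMware, Inc.\\VMware Tools
4044|explorer.exe|ValueQuery|\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""


def parse_event(line):
    """Split one pid|process|operation|path line into a dict (path may contain '|'-free text only)."""
    pid, process, op, path = line.split("|", 3)
    return {"pid": int(pid), "process": process, "op": op, "path": path}


def classify_events(text):
    """Group events by pid and record which VM-discovery categories each process hit."""
    summary = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        entry = summary.setdefault(ev["pid"], {
            "process": ev["process"], "vm_discovery": set(),
            "language_discovery": False, "events": 0,
        })
        entry["events"] += 1
        for name, pattern in VM_DISCOVERY_PATTERNS.items():
            if pattern.search(ev["path"]):
                entry["vm_discovery"].add(name)
        if LANGUAGE_PATTERN.search(ev["path"]):
            entry["language_discovery"] = True
    return summary


def verdict(entry, threshold=2):
    """Distinct categories, not raw hit count, drive the verdict: two reads of the
    same key are one check, while VirtualBox + VMware + BIOS is fingerprinting."""
    hits = len(entry["vm_discovery"])
    if hits >= threshold:
        return "vm-discovery"
    if hits == 1:
        return "weak"
    return "none"


def analyze(text, threshold=2):
    """Map each pid in the trace to its verdict."""
    return {pid: verdict(e, threshold) for pid, e in classify_events(text).items()}


if __name__ == "__main__":
    for pid, entry in classify_events(SAMPLE_EVENTS).items():
        flags = sorted(entry["vm_discovery"])
        lang = " +language-discovery" if entry["language_discovery"] else ""
        print(f"{pid} {entry['process']}: {verdict(entry)} {flags}{lang}")
```

On the constructed trace, PID 3480 hits all five categories plus language discovery, setup.exe hits only the VMware Tools key and is reported as weak, and explorer.exe is clean. The threshold is the tuning knob: raising it to three drops installers that check both hypervisor vendors, at the cost of missing samples that only probe one vendor plus the BIOS strings.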
Processes

1. C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
   PID: 3480
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken