Analysis

max time kernel: 93s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2024, 15:17
Static task: static1
General

Target: Sleettz Virtualization.exe
Size: 2.0MB
MD5: 393a0f8a3bacd8ade71d1874fde3568e
SHA1: 9a56d4def655c0805714b32198000d0b177694da
SHA256: 85a8d0cee047255ca84d6f48058a553a783745b13196151c5dc34ade36599a0e
SHA512: 672ded8eaa8f1857c55b6cf6cdae1977c01a7538217fb3aecdc2f1339e94e2882495408772b6c935755c38165520c66850240f1302ba12d005945d8e354d48cb
SSDEEP: 49152:X1/wXVtR1NNZHNNNNNNNXv2N8FR1NNZHNNNNNNNXv2N8lITYbNbNWo4kSH3OqtwE:lwFtR1NNZHNNNNNNNXv2N8FR1NNZHNNQ
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoCs)
resource | yara_rule
behavioral1/memory/544-8-0x0000000006440000-0x0000000006654000-memory.dmp | family_agenttesla
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Sleettz Virtualization.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Sleettz Virtualization.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sleettz Virtualization.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Sleettz Virtualization.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Sleettz Virtualization.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Sleettz Virtualization.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Delays execution with timeout.exe (1 IoCs)
pid | Process
708 | timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Sleettz Virtualization.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Sleettz Virtualization.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid | Process
544 | Sleettz Virtualization.exe (this row is repeated 13 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 544 | Sleettz Virtualization.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 544 wrote to memory of 3060 | 544 | Sleettz Virtualization.exe | 93
PID 544 wrote to memory of 3060 | 544 | Sleettz Virtualization.exe | 93
PID 544 wrote to memory of 3060 | 544 | Sleettz Virtualization.exe | 93
PID 3060 wrote to memory of 4468 | 3060 | cmd.exe | 95
PID 3060 wrote to memory of 4468 | 3060 | cmd.exe | 95
PID 3060 wrote to memory of 4468 | 3060 | cmd.exe | 95
PID 4468 wrote to memory of 708 | 4468 | cmd.exe | 97
PID 4468 wrote to memory of 708 | 4468 | cmd.exe | 97
PID 4468 wrote to memory of 708 | 4468 | cmd.exe | 97
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
    PID: 544
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
        PID: 3060
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
            PID: 4468
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\timeout.exe
                Command line: timeout /t 5
                PID: 708
                - System Location Discovery: System Language Discovery
                - Delays execution with timeout.exe