Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Sleettz Vi...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/09/2024, 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sleettz Virtualization.exe

  • Size

    2.0MB

  • MD5

    8bac2777669c74c9e7d369f58abb1475

  • SHA1

    9aa1508d292c4ac969f421a45a2d535bf4236030

  • SHA256

    43ad408d0653a7cb4ba9e37526d7da5363b9dfa1cb3316bc514864bdeae375fc

  • SHA512

    abb3b551ab270b0147559c2899605992a656f079d8114ebff5e5870e0022ba74d2d17d9ac6f6d7f85d08be4d52c47088d72ca76af9f119ab59762d32d89b53b1

  • SSDEEP

    49152:K1/2SjKR1NNZHNNNNNNNXv2N8FR1NNZHNNNNNNNXv2N8lITYbNbNWo4kSH3OqtwC:42CKR1NNZHNNNNNNNXv2N8FR1NNZHNNO

Score
10/10
agenttesladiscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
    "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Program Files\mp.exe
      "C:\Program Files\mp.exe" C:\Windows\IME\sss.sys
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\mp.exe
    Filesize

    143KB

    MD5

    0f06d3ddfd5ad267aa4c2f98d726d9d1

    SHA1

    78064fb5a3f8d8430e12f5c4608164033c50f5be

    SHA256

    89f9872f9aafe32750428744857aef76cc80ddbaf135dc49086e886a183cb1f3

    SHA512

    a0cccc4623f4a0317491259bc3a514655b292ee78720584f26847d951e7490bbca99a0205e05c0ac7530ff9a43c0cd089a7c08ab534bf5ea70fb9a23b2571c9d

    Download Submit

  • memory/4856-8-0x0000000006FA0000-0x00000000071B4000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4856-10-0x000000000AEF0000-0x000000000AFA2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4856-3-0x0000000005B60000-0x0000000005BF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4856-4-0x0000000005C50000-0x0000000005CB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4856-5-0x0000000074D40000-0x00000000754F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4856-6-0x0000000006370000-0x0000000006382000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4856-7-0x00000000063D0000-0x00000000063DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4856-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-2-0x00000000063F0000-0x0000000006994000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4856-11-0x000000000AFD0000-0x000000000AFF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4856-9-0x0000000074D40000-0x00000000754F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4856-12-0x000000000B000000-0x000000000B354000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4856-14-0x000000000B3C0000-0x000000000B3FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4856-15-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-16-0x0000000074D40000-0x00000000754F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4856-17-0x0000000074D40000-0x00000000754F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4856-1-0x0000000000FB0000-0x00000000011C0000-memory.dmp

    Filesize

    2.1MB

    Download