Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2024, 15:24
Static task: static1
Behavioral task: behavioral1
Sample: Sleettz Virtualization.exe
Resource: win10v2004-20240802-en
General
-
Target
Sleettz Virtualization.exe
-
Size
2.0MB
-
MD5
8bac2777669c74c9e7d369f58abb1475
-
SHA1
9aa1508d292c4ac969f421a45a2d535bf4236030
-
SHA256
43ad408d0653a7cb4ba9e37526d7da5363b9dfa1cb3316bc514864bdeae375fc
-
SHA512
abb3b551ab270b0147559c2899605992a656f079d8114ebff5e5870e0022ba74d2d17d9ac6f6d7f85d08be4d52c47088d72ca76af9f119ab59762d32d89b53b1
-
SSDEEP
49152:K1/2SjKR1NNZHNNNNNNNXv2N8FR1NNZHNNNNNNNXv2N8lITYbNbNWo4kSH3OqtwC:42CKR1NNZHNNNNNNNXv2N8FR1NNZHNNO
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 1 IoCs
resource | yara_rule
behavioral1/memory/4856-8-0x0000000006FA0000-0x00000000071B4000-memory.dmp | family_agenttesla
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Sleettz Virtualization.exe
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Sleettz Virtualization.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sKvMAvQBrZZIMEIeVTvSmLG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\sKvMAvQBrZZIMEIeVTvSmLG" | mp.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sleettz Virtualization.exe
Executes dropped EXE 1 IoCs
pid | Process
2788 | mp.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Sleettz Virtualization.exe
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\mp.exe | Sleettz Virtualization.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\IME\sss.sys | Sleettz Virtualization.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Sleettz Virtualization.exe
Enumerates system info in registry 2 TTPs 7 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Sleettz Virtualization.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Sleettz Virtualization.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber | Sleettz Virtualization.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Sleettz Virtualization.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "1OLCSTNLKV" | Sleettz Virtualization.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Sleettz Virtualization.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid | Process
4856 | Sleettz Virtualization.exe (60 entries)
2788 | mp.exe (2 entries)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2788 | mp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4856 | Sleettz Virtualization.exe
Token: SeLoadDriverPrivilege | 2788 | mp.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4856 | Sleettz Virtualization.exe
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 4856 wrote to memory of 2788 | 4856 | Sleettz Virtualization.exe | 94
PID 4856 wrote to memory of 2788 | 4856 | Sleettz Virtualization.exe | 94
Processes
1. C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
   PID: 4856
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\mp.exe (child of PID 4856)
      Command line: "C:\Program Files\mp.exe" C:\Windows\IME\sss.sys
      PID: 2788
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 143KB
MD5: 0f06d3ddfd5ad267aa4c2f98d726d9d1
SHA1: 78064fb5a3f8d8430e12f5c4608164033c50f5be
SHA256: 89f9872f9aafe32750428744857aef76cc80ddbaf135dc49086e886a183cb1f3
SHA512: a0cccc4623f4a0317491259bc3a514655b292ee78720584f26847d951e7490bbca99a0205e05c0ac7530ff9a43c0cd089a7c08ab534bf5ea70fb9a23b2571c9d