Analysis

  • max time kernel
    109s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 12:04

General

  • Target

    Zara+Perm-Cracked.rar

  • Size

    1.1MB

  • MD5

    35650186e819c9d989962232dac3f1c0

  • SHA1

    fd3f35ae36ad648dba0310ce9fbdcfe47b11790a

  • SHA256

    08bfa123a60129592b815a499f6df0bf213d5653928cbe2ffe888e29e89b26ff

  • SHA512

    22e4d1745df1839ffac0dfb8fac087c73828719e0a794dd364e90a7e48e7b92ce2664d1d5000d9f2825a7db8ce81c96b4d8cbf2065de9bb073e64b5b6211c449

  • SSDEEP

    24576:baSfP+wLqs2WM7tioix6LDigmGOzDrHzUYvlksRWGgSp2HFFSZO9rhRgcw:bbX+wLD2lKmxm/zDrTUwjzNpyFT9rrS

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 2 IoCs
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: LoadsDriver 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Zara+Perm-Cracked.rar
    1⤵
    • Modifies registry class
    PID:456
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:864
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4724
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24929:92:7zEvent6647
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2744
    • C:\Users\Admin\Desktop\Lucky.exe
      "C:\Users\Admin\Desktop\Lucky.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SU AUTO
        2⤵
        • Executes dropped EXE
        PID:3528
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /BS WG6NYQOE4S9DF3XF
        2⤵
        • Executes dropped EXE
        PID:4556
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /CS WG6NYQOE4S9DF3XF
        2⤵
        • Executes dropped EXE
        PID:3532
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SS WG6NYQOE4S9DF3XF
        2⤵
        • Executes dropped EXE
        PID:3096
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SM "System manufacturer"
        2⤵
        • Executes dropped EXE
        PID:2076
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SP "System Product Name"
        2⤵
        • Executes dropped EXE
        PID:3656
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SV "System Version"
        2⤵
        • Executes dropped EXE
        PID:4112
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SK "SKU"
        2⤵
        • Executes dropped EXE
        PID:3892
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /BT "Default string"
        2⤵
        • Executes dropped EXE
        PID:2440
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /BLC "Default string"
        2⤵
        • Executes dropped EXE
        PID:1296
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /CM "Default string"
        2⤵
        • Executes dropped EXE
        PID:3940
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /CV "Default string"
        2⤵
        • Executes dropped EXE
        PID:2464
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /CA "Default string"
        2⤵
        • Executes dropped EXE
        PID:2684
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /CSK "Default string"
        2⤵
        • Executes dropped EXE
        PID:4748
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /SF "To be filled by O.E.M."
        2⤵
        • Executes dropped EXE
        PID:5068
      • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
        "winxsrcsv64.exe" /PSN WG6NYQOE4S9DF3XF
        2⤵
        • Executes dropped EXE
        PID:1868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\Globalization\Time Zone\skibnidi.bat" "
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\net.exe
          net stop winmgmt /y
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop winmgmt /y
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4892
        • C:\Windows\SysWOW64\net.exe
          net start winmgmt /y
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start winmgmt /y
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1524
        • C:\Windows\SysWOW64\sc.exe
          sc stop winmgmt
          3⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1248
        • C:\Windows\SysWOW64\sc.exe
          sc start winmgmt
          3⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4752
      • C:\Windows\IME\2.exe
        "C:\Windows\IME\2.exe" C:\Windows\IME\1.sys
        2⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C C:\Windows\IME\2.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Windows\IME\2.exe
          C:\Windows\IME\2.exe
          3⤵
          • Executes dropped EXE
          PID:2640
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
      1⤵
        PID:3176
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
        1⤵
          PID:4164

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\Desktop\Bunifu.UI.WinForms.dll

          Filesize

          1.3MB

          MD5

          7bbf428fb683748a73594b9791a39f96

          SHA1

          341d30a12cbbd2e8c654fb1ddc382017ac83b2c2

          SHA256

          a870923034e7f135a4e34a3192c39fea8bf2f8f6a82e700b547101245e5f9de9

          SHA512

          1770ee20d88f83cfe343800a4dbc95eff0c9c253e2f42cd4d52baac959e1c8385c1c208610b10eeb96782283010ecc36d51ecce9bb815d3ee480024936327c58

        • C:\Users\Admin\Desktop\Guna.UI2.dll

          Filesize

          2.1MB

          MD5

          278752062981db6fe27ba55f5099b8ae

          SHA1

          8446637986cf4a24e9135ee5c54f3170600e1e83

          SHA256

          538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b

          SHA512

          142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5

        • C:\Users\Admin\Desktop\Lucky.exe

          Filesize

          73KB

          MD5

          352b567c9c34359d9908b7f74b5f7466

          SHA1

          89c3e1ceb3fe9cfb2b760dbeb314cc5807a82191

          SHA256

          833af31aba36d0b1d147081d471ae86e1d9d426a1a568123d21c515aa49ebece

          SHA512

          188f13a4ab58dbc34ef04ba3abd2e7fad53bd28306a65ee2eb4164fb05a7646e30ef3f80a126e5ec460a711faadc181c3fa023adf1bc4b176bcb732efae66344

        • C:\Windows\Globalization\Time Zone\skibnidi.bat

          Filesize

          90B

          MD5

          80ce921d39b0c2739e3edca44fcf253c

          SHA1

          9261684c7ab28979d40656ae0bc42f73200509cc

          SHA256

          40a74428be51efaf4f65f27312fc3e8946338817b7a07d67b12fd7b837bdb546

          SHA512

          1a085b4633a221c4dd312b13524823dc98b1851ece5b8d90392108563767ed741eb982948ae6ba92815a579313c839b80b4c84fe0752212744e7d127781e10e7

        • C:\Windows\Globalization\Time Zone\winxsrcsv64.exe

          Filesize

          379KB

          MD5

          91a31f23f3e50bd0a722e605687aed1e

          SHA1

          f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

          SHA256

          818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

          SHA512

          649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

        • C:\Windows\IME\2.exe

          Filesize

          121KB

          MD5

          00047e72bb99132267a4bec3158917a2

          SHA1

          caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e

          SHA256

          e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4

          SHA512

          7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5

        • memory/724-9-0x0000000005310000-0x00000000058B4000-memory.dmp

          Filesize

          5.6MB

        • memory/724-10-0x0000000004E50000-0x0000000004EE2000-memory.dmp

          Filesize

          584KB

        • memory/724-11-0x0000000004E00000-0x0000000004E12000-memory.dmp

          Filesize

          72KB

        • memory/724-12-0x0000000005020000-0x000000000502A000-memory.dmp

          Filesize

          40KB

        • memory/724-16-0x0000000005AE0000-0x0000000005CF4000-memory.dmp

          Filesize

          2.1MB

        • memory/724-17-0x0000000008800000-0x000000000883C000-memory.dmp

          Filesize

          240KB

        • memory/724-8-0x0000000000450000-0x0000000000468000-memory.dmp

          Filesize

          96KB

        • memory/724-21-0x00000000093E0000-0x0000000009530000-memory.dmp

          Filesize

          1.3MB