Analysis
  max time kernel: 109s
  max time network: 116s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/09/2024, 12:04
Behavioral task: behavioral1
  Sample: Zara+Perm-Cracked.rar
  Resource: win10v2004-20240802-en
General
  Target: Zara+Perm-Cracked.rar
  Size: 1.1MB
  MD5: 35650186e819c9d989962232dac3f1c0
  SHA1: fd3f35ae36ad648dba0310ce9fbdcfe47b11790a
  SHA256: 08bfa123a60129592b815a499f6df0bf213d5653928cbe2ffe888e29e89b26ff
  SHA512: 22e4d1745df1839ffac0dfb8fac087c73828719e0a794dd364e90a7e48e7b92ce2664d1d5000d9f2825a7db8ce81c96b4d8cbf2065de9bb073e64b5b6211c449
  SSDEEP: 24576:baSfP+wLqs2WM7tioix6LDigmGOzDrHzUYvlksRWGgSp2HFFSZO9rhRgcw:bbX+wLD2lKmxm/zDrTUwjzNpyFT9rrS
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023483-13.dat | family_agenttesla
  behavioral1/memory/724-16-0x0000000005AE0000-0x0000000005CF4000-memory.dmp | family_agenttesla
Downloads MZ/PE file

Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CEeFtiHpoR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\CEeFtiHpoR" | 2.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | Lucky.exe

Executes dropped EXE (19 IoCs)
  pid | Process
  724 | Lucky.exe
  3528 | winxsrcsv64.exe
  4556 | winxsrcsv64.exe
  3532 | winxsrcsv64.exe
  3096 | winxsrcsv64.exe
  2076 | winxsrcsv64.exe
  3656 | winxsrcsv64.exe
  4112 | winxsrcsv64.exe
  3892 | winxsrcsv64.exe
  2440 | winxsrcsv64.exe
  1296 | winxsrcsv64.exe
  3940 | winxsrcsv64.exe
  2464 | winxsrcsv64.exe
  2684 | winxsrcsv64.exe
  4748 | winxsrcsv64.exe
  5068 | winxsrcsv64.exe
  1868 | winxsrcsv64.exe
  1192 | 2.exe
  2640 | 2.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  724 | Lucky.exe
  724 | Lucky.exe
  724 | Lucky.exe
  724 | Lucky.exe

Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | Lucky.exe
  File created | C:\Windows\Globalization\Time Zone\iqvw64e.sys | Lucky.exe
  File created | C:\Windows\Globalization\Time Zone\skibnidi.bat | Lucky.exe
  File created | C:\Windows\IME\1.sys | Lucky.exe
  File created | C:\Windows\IME\2.exe | Lucky.exe
  File created | C:\Windows\Globalization\Time Zone\winxsrcsv64.sys | Lucky.exe
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1248 | sc.exe
  4752 | sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lucky.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Lucky.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Lucky.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Lucky.exe

Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | OpenWith.exe

Runs net.exe

Suspicious behavior: LoadsDriver (17 IoCs)
  pid | Process
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  660 | Process not Found
  1192 | 2.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2744 | 7zG.exe
  Token: 35 | 2744 | 7zG.exe
  Token: SeSecurityPrivilege | 2744 | 7zG.exe
  Token: SeSecurityPrivilege | 2744 | 7zG.exe
  Token: SeDebugPrivilege | 724 | Lucky.exe
  Token: SeLoadDriverPrivilege | 1192 | 2.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2744 | 7zG.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  864 | OpenWith.exe
Suspicious use of WriteProcessMemory (60 IoCs)
  description | pid | Process | procid_target
  PID 724 wrote to memory of 3528 | 724 | Lucky.exe | 107
  PID 724 wrote to memory of 3528 | 724 | Lucky.exe | 107
  PID 724 wrote to memory of 4556 | 724 | Lucky.exe | 109
  PID 724 wrote to memory of 4556 | 724 | Lucky.exe | 109
  PID 724 wrote to memory of 3532 | 724 | Lucky.exe | 111
  PID 724 wrote to memory of 3532 | 724 | Lucky.exe | 111
  PID 724 wrote to memory of 3096 | 724 | Lucky.exe | 113
  PID 724 wrote to memory of 3096 | 724 | Lucky.exe | 113
  PID 724 wrote to memory of 2076 | 724 | Lucky.exe | 115
  PID 724 wrote to memory of 2076 | 724 | Lucky.exe | 115
  PID 724 wrote to memory of 3656 | 724 | Lucky.exe | 117
  PID 724 wrote to memory of 3656 | 724 | Lucky.exe | 117
  PID 724 wrote to memory of 4112 | 724 | Lucky.exe | 119
  PID 724 wrote to memory of 4112 | 724 | Lucky.exe | 119
  PID 724 wrote to memory of 3892 | 724 | Lucky.exe | 121
  PID 724 wrote to memory of 3892 | 724 | Lucky.exe | 121
  PID 724 wrote to memory of 2440 | 724 | Lucky.exe | 123
  PID 724 wrote to memory of 2440 | 724 | Lucky.exe | 123
  PID 724 wrote to memory of 1296 | 724 | Lucky.exe | 125
  PID 724 wrote to memory of 1296 | 724 | Lucky.exe | 125
  PID 724 wrote to memory of 3940 | 724 | Lucky.exe | 127
  PID 724 wrote to memory of 3940 | 724 | Lucky.exe | 127
  PID 724 wrote to memory of 2464 | 724 | Lucky.exe | 129
  PID 724 wrote to memory of 2464 | 724 | Lucky.exe | 129
  PID 724 wrote to memory of 2684 | 724 | Lucky.exe | 131
  PID 724 wrote to memory of 2684 | 724 | Lucky.exe | 131
  PID 724 wrote to memory of 4748 | 724 | Lucky.exe | 133
  PID 724 wrote to memory of 4748 | 724 | Lucky.exe | 133
  PID 724 wrote to memory of 5068 | 724 | Lucky.exe | 135
  PID 724 wrote to memory of 5068 | 724 | Lucky.exe | 135
  PID 724 wrote to memory of 1868 | 724 | Lucky.exe | 137
  PID 724 wrote to memory of 1868 | 724 | Lucky.exe | 137
  PID 724 wrote to memory of 4920 | 724 | Lucky.exe | 139
  PID 724 wrote to memory of 4920 | 724 | Lucky.exe | 139
  PID 724 wrote to memory of 4920 | 724 | Lucky.exe | 139
  PID 4920 wrote to memory of 2596 | 4920 | cmd.exe | 141
  PID 4920 wrote to memory of 2596 | 4920 | cmd.exe | 141
  PID 4920 wrote to memory of 2596 | 4920 | cmd.exe | 141
  PID 2596 wrote to memory of 4892 | 2596 | net.exe | 142
  PID 2596 wrote to memory of 4892 | 2596 | net.exe | 142
  PID 2596 wrote to memory of 4892 | 2596 | net.exe | 142
  PID 4920 wrote to memory of 3924 | 4920 | cmd.exe | 143
  PID 4920 wrote to memory of 3924 | 4920 | cmd.exe | 143
  PID 4920 wrote to memory of 3924 | 4920 | cmd.exe | 143
  PID 3924 wrote to memory of 1524 | 3924 | net.exe | 144
  PID 3924 wrote to memory of 1524 | 3924 | net.exe | 144
  PID 3924 wrote to memory of 1524 | 3924 | net.exe | 144
  PID 4920 wrote to memory of 1248 | 4920 | cmd.exe | 146
  PID 4920 wrote to memory of 1248 | 4920 | cmd.exe | 146
  PID 4920 wrote to memory of 1248 | 4920 | cmd.exe | 146
  PID 4920 wrote to memory of 4752 | 4920 | cmd.exe | 147
  PID 4920 wrote to memory of 4752 | 4920 | cmd.exe | 147
  PID 4920 wrote to memory of 4752 | 4920 | cmd.exe | 147
  PID 724 wrote to memory of 1192 | 724 | Lucky.exe | 149
  PID 724 wrote to memory of 1192 | 724 | Lucky.exe | 149
  PID 724 wrote to memory of 3092 | 724 | Lucky.exe | 151
  PID 724 wrote to memory of 3092 | 724 | Lucky.exe | 151
  PID 724 wrote to memory of 3092 | 724 | Lucky.exe | 151
  PID 3092 wrote to memory of 2640 | 3092 | cmd.exe | 153
  PID 3092 wrote to memory of 2640 | 3092 | cmd.exe | 153
Processes
Process tree (indentation shows parent/child nesting; the signatures triggered by each process are listed beneath its command line)

PID 456: C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Zara+Perm-Cracked.rar
  - Modifies registry class

PID 864: C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

PID 4724: C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 2744: C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24929:92:7zEvent6647
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 724: C:\Users\Admin\Desktop\Lucky.exe
  command line: "C:\Users\Admin\Desktop\Lucky.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    PID 3528: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SU AUTO
      - Executes dropped EXE

    PID 4556: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /BS WG6NYQOE4S9DF3XF
      - Executes dropped EXE

    PID 3532: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /CS WG6NYQOE4S9DF3XF
      - Executes dropped EXE

    PID 3096: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SS WG6NYQOE4S9DF3XF
      - Executes dropped EXE

    PID 2076: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SM "System manufacturer"
      - Executes dropped EXE

    PID 3656: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SP "System Product Name"
      - Executes dropped EXE

    PID 4112: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SV "System Version"
      - Executes dropped EXE

    PID 3892: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SK "SKU"
      - Executes dropped EXE

    PID 2440: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /BT "Default string"
      - Executes dropped EXE

    PID 1296: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /BLC "Default string"
      - Executes dropped EXE

    PID 3940: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /CM "Default string"
      - Executes dropped EXE

    PID 2464: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /CV "Default string"
      - Executes dropped EXE

    PID 2684: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /CA "Default string"
      - Executes dropped EXE

    PID 4748: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /CSK "Default string"
      - Executes dropped EXE

    PID 5068: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /SF "To be filled by O.E.M."
      - Executes dropped EXE

    PID 1868: C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
      command line: "winxsrcsv64.exe" /PSN WG6NYQOE4S9DF3XF
      - Executes dropped EXE

    PID 4920: C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Globalization\Time Zone\skibnidi.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        PID 2596: C:\Windows\SysWOW64\net.exe
          command line: net stop winmgmt /y
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            PID 4892: C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 stop winmgmt /y
              - System Location Discovery: System Language Discovery

        PID 3924: C:\Windows\SysWOW64\net.exe
          command line: net start winmgmt /y
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            PID 1524: C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 start winmgmt /y
              - System Location Discovery: System Language Discovery

        PID 1248: C:\Windows\SysWOW64\sc.exe
          command line: sc stop winmgmt
          - Launches sc.exe
          - System Location Discovery: System Language Discovery

        PID 4752: C:\Windows\SysWOW64\sc.exe
          command line: sc start winmgmt
          - Launches sc.exe
          - System Location Discovery: System Language Discovery

    PID 1192: C:\Windows\IME\2.exe
      command line: "C:\Windows\IME\2.exe" C:\Windows\IME\1.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

    PID 3092: C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C C:\Windows\IME\2.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        PID 2640: C:\Windows\IME\2.exe
          command line: C:\Windows\IME\2.exe
          - Executes dropped EXE

PID 3176: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

PID 4164: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads