Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 15:28
Static task
static1
Behavioral task
behavioral1
Sample
BankPayment38735.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
BankPayment38735.exe
Resource
win10v2004-20240802-en
General
-
Target
BankPayment38735.exe
-
Size
717KB
-
MD5
877e46a39f78d56e54ce0295fe44fe4a
-
SHA1
eeb860d6422841ce762fe25d79ff964d20d83414
-
SHA256
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
-
SHA512
285412508839fd3e1e33a0b2e93b3241a2e2b4353ae41d3ad7d078276efa1556a0a8a7932952eaebb6805321fe6714def5947fbad0b5fea6eecf4c15be27ceab
-
SSDEEP
12288:V3T6rwP58TpjBoM85qinZiIJPt05stSfaZ1Fyi+6iLB:crwB8TVBa5HskP25stSfaZ1wi+6G
Malware Config
Extracted
Protocol: ftp- Host:
ftp.haliza.com.my - Port:
21 - Username:
[email protected] - Password:
JesusChrist007$
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.haliza.com.my - Port:
21 - Username:
[email protected] - Password:
JesusChrist007$
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4104 powershell.exe 4264 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation BankPayment38735.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb = "C:\\Users\\Admin\\AppData\\Roaming\\sgxIb\\sgxIb.exe" BankPayment38735.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 54 api.ipify.org 56 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3724 set thread context of 2016 3724 BankPayment38735.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BankPayment38735.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BankPayment38735.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3584 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3724 BankPayment38735.exe 4104 powershell.exe 4264 powershell.exe 3724 BankPayment38735.exe 4264 powershell.exe 2016 BankPayment38735.exe 2016 BankPayment38735.exe 4104 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3724 BankPayment38735.exe Token: SeDebugPrivilege 4104 powershell.exe Token: SeDebugPrivilege 4264 powershell.exe Token: SeDebugPrivilege 2016 BankPayment38735.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2016 BankPayment38735.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3724 wrote to memory of 4104 3724 BankPayment38735.exe 88 PID 3724 wrote to memory of 4104 3724 BankPayment38735.exe 88 PID 3724 wrote to memory of 4104 3724 BankPayment38735.exe 88 PID 3724 wrote to memory of 4264 3724 BankPayment38735.exe 90 PID 3724 wrote to memory of 4264 3724 BankPayment38735.exe 90 PID 3724 wrote to memory of 4264 3724 BankPayment38735.exe 90 PID 3724 wrote to memory of 3584 3724 BankPayment38735.exe 92 PID 3724 wrote to memory of 3584 3724 BankPayment38735.exe 92 PID 3724 wrote to memory of 3584 3724 BankPayment38735.exe 92 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95 PID 3724 wrote to memory of 2016 3724 BankPayment38735.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\BankPayment38735.exe"C:\Users\Admin\AppData\Local\Temp\BankPayment38735.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BankPayment38735.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KTImczzgnf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KTImczzgnf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA8C.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3584
-
-
C:\Users\Admin\AppData\Local\Temp\BankPayment38735.exe"C:\Users\Admin\AppData\Local\Temp\BankPayment38735.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD57caf6220b712255c861e015e89412cde
SHA1cd202802f2c1dead566742279cb5e7b041f5553f
SHA2560394711d13c6c56ec2026b91ec3274e0b7147015854db7292cd718c59a7deefa
SHA512d47aa0768a0d4d856dbbe46bdbc5dd112f20ef5b219b2ffdc93b2daecdc4bf4b91949c8eb2c529b6e285ed3d6b735980a545690939affef86ee1685c0a113601
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5b78cfe9f94181eb86eb9761336a950b9
SHA113745f58edb0d9d9c06eb4c9a387f60f419f68d1
SHA25695be2d05507cc380c8d4056845dc3b4b1784ffd400171ceb7bd9effbb1ee73c9
SHA51292a814f7fd896e361e87de6e68ed22e871086f960c5630fd8f54640c1260a650547723d4f4cafea57ec452bfe647ef6550becefc2840bf9c5d8f00230ba4ff0d