Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
https://www.glarysoft.com/malware-hunter/
-
Sample
241109-a4yjzawmfn
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.glarysoft.com/malware-hunter/
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
Protocol: smtp- Host:
mail.ctdi.com.ph - Port:
587 - Username:
[email protected] - Password:
A#f+Y]H8iO4a
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.gizemetiket.com.tr - Port:
21 - Username:
pgizemM6 - Password:
giz95Ffg
Extracted
lumma
https://navygenerayk.store/api
Targets
-
-
Target
https://www.glarysoft.com/malware-hunter/
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Lumma family
-
Stealc family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
A potential corporate email address has been identified in the URL: %./2678@CDFRabcdefghilmnoprstuvwy
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Power Settings
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
3Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
5Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1