Analysis
- max time kernel: 94s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2024, 01:07

Static task: static1

Behavioral task: behavioral1
- Sample: doc02417120024.exe
- Resource: win7-20240903-en
General
- Target: doc02417120024.exe
- Size: 950KB
- MD5: bd28f9a835c67ce45b3a3ca02f6737a2
- SHA1: 16dc478690c24f29b52186f0ed8c152007fdbaeb
- SHA256: 2f089d43e47839f07590fc97fbd2bbe91f08ff02d50b3a6b7fe68f3e1a81026d
- SHA512: c811d48001aade05a917e89770277a0af0a5f10639c1dd63c66d99728650c877d74f843ab4c9f57847f1654fe7240606072c51383a90811ec6aeb62ee91e2290
- SSDEEP: 12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCBWGvAbhGCPvkK3X1rGs2:uRmJkcoQricOIQxiZY1iaCBtvgvLdG9J
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Agenttesla family

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  - 14 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  - PID 2116 set thread context of 3056 | 2116 | doc02417120024.exe | 86

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | doc02417120024.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | doc02417120024.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | doc02417120024.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  - 3056 | RegSvcs.exe
  - 3056 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  - 2872 | doc02417120024.exe
  - 3728 | doc02417120024.exe
  - 2116 | doc02417120024.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  - Token: SeDebugPrivilege | 3056 | RegSvcs.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  - PID 2872 wrote to memory of 4796 | 2872 | doc02417120024.exe | 82
  - PID 2872 wrote to memory of 4796 | 2872 | doc02417120024.exe | 82
  - PID 2872 wrote to memory of 4796 | 2872 | doc02417120024.exe | 82
  - PID 2872 wrote to memory of 3728 | 2872 | doc02417120024.exe | 83
  - PID 2872 wrote to memory of 3728 | 2872 | doc02417120024.exe | 83
  - PID 2872 wrote to memory of 3728 | 2872 | doc02417120024.exe | 83
  - PID 3728 wrote to memory of 516 | 3728 | doc02417120024.exe | 84
  - PID 3728 wrote to memory of 516 | 3728 | doc02417120024.exe | 84
  - PID 3728 wrote to memory of 516 | 3728 | doc02417120024.exe | 84
  - PID 3728 wrote to memory of 2116 | 3728 | doc02417120024.exe | 85
  - PID 3728 wrote to memory of 2116 | 3728 | doc02417120024.exe | 85
  - PID 3728 wrote to memory of 2116 | 3728 | doc02417120024.exe | 85
  - PID 2116 wrote to memory of 3056 | 2116 | doc02417120024.exe | 86
  - PID 2116 wrote to memory of 3056 | 2116 | doc02417120024.exe | 86
  - PID 2116 wrote to memory of 3056 | 2116 | doc02417120024.exe | 86
  - PID 2116 wrote to memory of 3056 | 2116 | doc02417120024.exe | 86
Processes (tree; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
  PID: 2872
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
    PID: 4796

  - C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
    PID: 3728
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
      PID: 516

    - C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
      PID: 2116
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
        PID: 3056
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 263KB
- MD5: 2d4142656f20e40ebcbb93ce8e567a0d
- SHA1: 13f8557b225fa9d6ebb32ee4df65e13ed11c602a
- SHA256: 1e73812a841938226b643b351f2681fa7c97a1cfe7e24d2a5e54aa43bb822ec6
- SHA512: 331d89c906c088216494162e896a79c80b7983861970a5c803dfcffb13e3826014b4c84b08333cfa4ac64e7a031632e7d3950acae800498acdff5d1097375acb