Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23/01/2025, 08:10
Behavioral task
behavioral1
Sample
FGT9870009000.exe
Resource
win7-20240903-en
General
-
Target
FGT9870009000.exe
-
Size
758KB
-
MD5
2470914fd04c28516223c5414055b846
-
SHA1
fcfbc9fb662ecfb654292739da72817ccfbd721c
-
SHA256
996a678b9f2d2434c6da9452449c3f21aac4b5e15ba7ae8c0a5ecd429d287e35
-
SHA512
956f49c92c6b84398036e3c50323f20bf76a059b767835ee63d2b957004119aeaf45cd24c33c1ec415c5922cc8969d848a06a3ef2bf1998972a2f6bbbd98352a
-
SSDEEP
12288:v6Wq4aaE6KwyF5L0Y2D1PqLfIrJFq3w9i+6alvoD2FUfMM41jkw2m1eYHkDon5wk:tthEVaPqLfIFFq3h+640rSTkDs7n
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.antoniomayol.com:21 - Port:
21 - Username:
[email protected] - Password:
cMhKDQUk1{;%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hurtling.vbs hurtling.exe -
Executes dropped EXE 1 IoCs
pid Process 2748 hurtling.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4448-9-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral2/memory/2748-13-0x0000000003CF0000-0x0000000003EF0000-memory.dmp autoit_exe behavioral2/memory/2748-17-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2748 set thread context of 1264 2748 hurtling.exe 83 -
resource yara_rule behavioral2/memory/4448-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/files/0x000a000000023b77-6.dat upx behavioral2/memory/4448-9-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/2748-17-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FGT9870009000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hurtling.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1264 RegSvcs.exe 1264 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2748 hurtling.exe 2748 hurtling.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1264 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4448 FGT9870009000.exe 4448 FGT9870009000.exe 2748 hurtling.exe 2748 hurtling.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 4448 FGT9870009000.exe 4448 FGT9870009000.exe 2748 hurtling.exe 2748 hurtling.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4448 wrote to memory of 2748 4448 FGT9870009000.exe 82 PID 4448 wrote to memory of 2748 4448 FGT9870009000.exe 82 PID 4448 wrote to memory of 2748 4448 FGT9870009000.exe 82 PID 2748 wrote to memory of 1264 2748 hurtling.exe 83 PID 2748 wrote to memory of 1264 2748 hurtling.exe 83 PID 2748 wrote to memory of 1264 2748 hurtling.exe 83 PID 2748 wrote to memory of 1264 2748 hurtling.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\FGT9870009000.exe"C:\Users\Admin\AppData\Local\Temp\FGT9870009000.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\parachronism\hurtling.exe"C:\Users\Admin\AppData\Local\Temp\FGT9870009000.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\FGT9870009000.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
758KB
MD52470914fd04c28516223c5414055b846
SHA1fcfbc9fb662ecfb654292739da72817ccfbd721c
SHA256996a678b9f2d2434c6da9452449c3f21aac4b5e15ba7ae8c0a5ecd429d287e35
SHA512956f49c92c6b84398036e3c50323f20bf76a059b767835ee63d2b957004119aeaf45cd24c33c1ec415c5922cc8969d848a06a3ef2bf1998972a2f6bbbd98352a