Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 08:58 UTC

General

  • Target

    4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe

  • Size

    358KB

  • MD5

    5709c6a4da3cea082e45480ce2f97a60

  • SHA1

    6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

  • SHA256

    4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

  • SHA512

    5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

  • SSDEEP

    6144:XABPDbnTXGxIBtPr+wKVa10gJDfIiFIULcnw5KrTsioFaj0uCDHphVmMjX58:XABPDbTXGxIBZSwb1ZfZsrToF00uCDN5

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

  • ISR Stealer payload 4 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
      "C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe"
      2⤵
        PID:3496
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4260
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\mBWK4LB8aG.ini"
              5⤵
              • Executes dropped EXE
              PID:1916
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 80
                6⤵
                • Program crash
                PID:4832
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\IuEeNg3yIY.ini"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              PID:4368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916
      1⤵
        PID:4048

Network

  • flag-us DNS 96.108.152.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 96.108.152.52.in-addr.arpa IN PTR
    Response:
  • 52.109.13.62:443    40 B    1
  • 8.253.135.112:80    322 B    7
  • 8.253.135.112:80    322 B    7
  • 104.80.225.205:443    322 B    7
  • 20.189.173.4:443    322 B    7
  • 178.79.208.1:80    322 B    7
  • 178.79.208.1:80    322 B    7
  • 178.79.208.1:80    322 B    7
  • 8.8.8.8:53    96.108.152.52.in-addr.arpa    dns    72 B    146 B    1    1

    DNS Request

    96.108.152.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

        Filesize

        9KB

        MD5

        cd53082af28f46603b899c69fb8e449f

        SHA1

        d0034c9b7427cc0e045a5a5696870d988f96fbd1

        SHA256

        30ef28dbc8c9e308ae559d1bce7c4338c1c4d94ee3700bfe09dfc5b816bb5704

        SHA512

        cf62c72a417d2fb473fdc721b0c88d9cad8527d18658021af2ad825c8de1c1cb1544593aa4b1519f9a1d1401959efa21954cdb9065753a91922b520f96f5478e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

        Filesize

        9KB

        MD5

        cd53082af28f46603b899c69fb8e449f

        SHA1

        d0034c9b7427cc0e045a5a5696870d988f96fbd1

        SHA256

        30ef28dbc8c9e308ae559d1bce7c4338c1c4d94ee3700bfe09dfc5b816bb5704

        SHA512

        cf62c72a417d2fb473fdc721b0c88d9cad8527d18658021af2ad825c8de1c1cb1544593aa4b1519f9a1d1401959efa21954cdb9065753a91922b520f96f5478e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

        Filesize

        358KB

        MD5

        5709c6a4da3cea082e45480ce2f97a60

        SHA1

        6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

        SHA256

        4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

        SHA512

        5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

        Filesize

        358KB

        MD5

        5709c6a4da3cea082e45480ce2f97a60

        SHA1

        6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

        SHA256

        4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

        SHA512

        5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

        Filesize

        358KB

        MD5

        5709c6a4da3cea082e45480ce2f97a60

        SHA1

        6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

        SHA256

        4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

        SHA512

        5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

        Filesize

        358KB

        MD5

        5709c6a4da3cea082e45480ce2f97a60

        SHA1

        6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

        SHA256

        4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

        SHA512

        5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

        Filesize

        358KB

        MD5

        5709c6a4da3cea082e45480ce2f97a60

        SHA1

        6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

        SHA256

        4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

        SHA512

        5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

      • memory/2700-148-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/2700-146-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/3496-136-0x0000000000780000-0x00000000007C2000-memory.dmp

        Filesize

        264KB

      • memory/4260-160-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

      • memory/4260-168-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

      • memory/4260-154-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

      • memory/4368-167-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4368-166-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4368-165-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4368-162-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4392-142-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/4392-141-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/4392-147-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/4948-132-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/4948-133-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB

      • memory/4948-149-0x0000000074F90000-0x0000000075541000-memory.dmp

        Filesize

        5.7MB
