Analysis
max time kernel: 48s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 11:18
Static task: static1
Behavioral task: behavioral1
  Sample: 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe
  Resource: win10v2004-20220812-en
General
Target: 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe
Size: 361KB
MD5: fcfac837f8bc438090055bf1c8adc675
SHA1: f5df70e8ce133dd393881e4905b9aec4347e1ee6
SHA256: 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413
SHA512: 85e4bde9605032a0809cb3e4f9109d0e5f46fac51ed92302a9623b254b00c484a77f588e90a74f014f553d426e4b25fca1bd365c28c39557364cc7f6b39737c9
SSDEEP: 6144:pkU1ampKEpqs2WSH8EP6BEWCdrYnP9B2ZxrLTVoKYMvRAS5zz+Tv1:p3KEUs2WZKYP2DnTyZMvRLl
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/856-60-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
  behavioral1/memory/856-62-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
  behavioral1/memory/856-63-0x0000000000401180-mapping.dmp | family_isrstealer
  behavioral1/memory/856-72-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
  behavioral1/memory/856-75-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2004 set thread context of 856 | 2004 | 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe | 28
  PID 856 set thread context of 1236 | 856 | RegAsm.exe | 29
  PID 856 set thread context of 1896 | 856 | RegAsm.exe | 30
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2004 | 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  856 | RegAsm.exe
- Suspicious use of WriteProcessMemory (35 IoCs; identical rows collapsed, count in the last column)
  description | pid | Process | procid_target | occurrences
  PID 2004 wrote to memory of 856 | 2004 | 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe | 28 | 11
  PID 856 wrote to memory of 1236 | 856 | RegAsm.exe | 29 | 12
  PID 856 wrote to memory of 1896 | 856 | RegAsm.exe | 30 | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe (depth 1, PID 2004)
  command line: "C:\Users\Admin\AppData\Local\Temp\73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2, PID 856)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 3, PID 1236)
      command line: /scomma "C:\Users\Admin\AppData\Local\Temp\6Unv6nHTfo.ini"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 3, PID 1896)
      command line: /scomma "C:\Users\Admin\AppData\Local\Temp\sj4CZdVisL.ini"