Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20/11/2022, 10:48
General
-
Target
f7326a75d34f61448c295c69b18f70e4a6b61cb1309216da3d76c1860067ae6c.exe
-
Size
388KB
-
MD5
c0a89cca7440553df0f7f6f512fe6155
-
SHA1
d436f20942c482244e591b0fd96a73807e2e3c0a
-
SHA256
f7326a75d34f61448c295c69b18f70e4a6b61cb1309216da3d76c1860067ae6c
-
SHA512
4b5b13dd8231364d6deee2e730c1d02617a85e2d5dec51de5f1613e2f95c6800aed09e9b17209a9d5b5159bbe47b26875d98fe48fa724ec6667eb0ee5a31ca7a
-
SSDEEP
6144:qLurmZyXaw3bQ/4ugAT4auUZmbW+503i/nIr:7yMX54bluUgHU
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 7 IoCs
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
Nirsoft 3 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7326a75d34f61448c295c69b18f70e4a6b61cb1309216da3d76c1860067ae6c.exe"C:\Users\Admin\AppData\Local\Temp\f7326a75d34f61448c295c69b18f70e4a6b61cb1309216da3d76c1860067ae6c.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe/scomma "C:\Users\Admin\AppData\Local\Temp\Nlg70ewrQc.ini"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe/scomma "C:\Users\Admin\AppData\Local\Temp\STOcEvyQSd.ini"3⤵
- Accesses Microsoft Outlook accounts
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe/scomma "C:\Users\Admin\AppData\Local\Temp\SfZhShdJYr.ini"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe/scomma "C:\Users\Admin\AppData\Local\Temp\iwEKNkjOmt.ini"5⤵
- Accesses Microsoft Outlook accounts
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD549ca8fd63be87d106c15e4d4465bb350
SHA17511cbed1bd25b36405ce899569357d6bdbde28b
SHA25638470dd31a31e03d5cec33057b0fef074ee125965ddbee31988d05d9ce818d46
SHA5122032a2efa7e520139742b73ca126618f77294ddff2bfbc439eea2a0f3d87eea51d59ffbfb9d39041e675aa673cf41bde68a03ac50f4a89e471bbf0e995e3a7e7
-
Filesize
1KB
MD5410bc191ea3fca420537878555030ad9
SHA146dd3dbce7344b8c1439963d67d8e20b97f56eca
SHA2562d4b3e5e604859be429efa83d4e442c4b884462810d136b0dbc6228980eb7fe6
SHA51265763a99ce64bfe78ffdb92331192eee7e5b6c2ff365c6c89e2a37f59012074bdcac3e806e503fd7650ee29d5985ec05ae90b614b515c268c4a2a0c0088c8b1a
-
Filesize
472B
MD5095cb3cc728bce81930de9e3e65cb9e7
SHA11835992ec35c7e60b803485c91949f80318b671b
SHA256d86afa72ee5b220e4ca267a82e22a68e953ead9cecde34fc60a09dcc95a2457f
SHA512b1f40cbcb4a819d7c2ec2a77895ba536bc3bced09248c0255ec2aa47a15a43490e9cbac9a71dd4e621a926c74acd977c114ff56bf1e5e1afe9bb46a65feb336a
-
Filesize
488B
MD5089c3737bc46a5d427996da04b7835ab
SHA1270e7ba4d7ce85b84325629acc25aed501a75f2a
SHA256bae4da193e89761b5a90b1116a2fc8f3f74bfb678d8c4ed906461b4e5accb965
SHA5123f5807cca4ed689aa7009bceb280822cae3832518a47046b5ba45e575a304016f2ff594e0209c6e66c3eb7cd4847867452dd86affa0e5d21363d9b866193f4d8
-
Filesize
482B
MD55497f78c58f19363b07e507dedfe3a1b
SHA10539901ff449cb2699796d3d365f014e876ceedd
SHA2566d489037ef6e738ddd9e06f6cc35d230982ba8f2bf9c9fd6a69ee256f1f9d656
SHA5127916ba357a582d598a4fcd20dcbf03831b00a75ad81ce4891b0e075b4fe43414350327718d817e5b96cea7b1502162db8279e70d4f280b303318c21496bafa67
-
Filesize
484B
MD575ca97e3de87d0f9f0afd504cdb7f654
SHA1dc2867750b99f044eabb1f415ef0b74ea5819d60
SHA256b91347229743037e6d0548ea7d0c40b08183954cb7785926bb30925aec67dabf
SHA51251dfd99fefcbe5462e285c3a8206617e15d32cf59746ccd0759093897f4fdb7d69dc58253f7d8838ddc1f96942ea74ff84c43b48c5c8b437d4351d9389f0de44
-
Filesize
162B
MD54f8e702cc244ec5d4de32740c0ecbd97
SHA13adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA2569e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA51221047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
388KB
MD5c0a89cca7440553df0f7f6f512fe6155
SHA1d436f20942c482244e591b0fd96a73807e2e3c0a
SHA256f7326a75d34f61448c295c69b18f70e4a6b61cb1309216da3d76c1860067ae6c
SHA5124b5b13dd8231364d6deee2e730c1d02617a85e2d5dec51de5f1613e2f95c6800aed09e9b17209a9d5b5159bbe47b26875d98fe48fa724ec6667eb0ee5a31ca7a
-
Filesize
388KB
MD5c0a89cca7440553df0f7f6f512fe6155
SHA1d436f20942c482244e591b0fd96a73807e2e3c0a
SHA256f7326a75d34f61448c295c69b18f70e4a6b61cb1309216da3d76c1860067ae6c
SHA5124b5b13dd8231364d6deee2e730c1d02617a85e2d5dec51de5f1613e2f95c6800aed09e9b17209a9d5b5159bbe47b26875d98fe48fa724ec6667eb0ee5a31ca7a
-
Filesize
9KB
MD56a52b1cbd6a9da69b28b0bd3ddf7b315
SHA1586b0645577b0a6a5b34a69dc8b024c40cc656b7
SHA2561d9bb51617c01fed2c9374ecb48292bc70c2829d67724621a32280850b090175
SHA51290b56bc30080acae049bb972e71634c906d96f19944f22284af5646fbc2b78ecdd74fb40469d110967fdb8cc5959e77851078e7ef72d2daacfe8c3d89739883e
-
Filesize
9KB
MD56a52b1cbd6a9da69b28b0bd3ddf7b315
SHA1586b0645577b0a6a5b34a69dc8b024c40cc656b7
SHA2561d9bb51617c01fed2c9374ecb48292bc70c2829d67724621a32280850b090175
SHA51290b56bc30080acae049bb972e71634c906d96f19944f22284af5646fbc2b78ecdd74fb40469d110967fdb8cc5959e77851078e7ef72d2daacfe8c3d89739883e
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
124KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
332KB
-
Filesize
332KB