Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2022, 14:13 UTC

General

  • Target

    5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe

  • Size

    1.2MB

  • MD5

    fe5175560342c0936f33072bc5f125c2

  • SHA1

    12f3bb5a0822e8317cf0444a215322f5bed9e6dd

  • SHA256

    5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b

  • SHA512

    8ae02d9e6e44db218f99e84b6b945d228646ea4bb5e1dae5621d03f1a09a043e729723dbb1ee463a4ce15507d1cd21f30f64ebd1a09ef4266fa770fd78c0960d

  • SSDEEP

    24576:di4FmmfgFuk/3OtOZHcgxW7NbQkGt4ST69cv20euBXaXlSJitbxSrYFnDzh/hvEe:di4FmmfgUk/etOZHcgY7NbQkGqST69w+

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 3 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 7 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
    "C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Users\Admin\AppData\Local\Temp\xqhfr.exe
      "C:\Users\Admin\AppData\Local\Temp\xqhfr.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
            "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
            5⤵
            • Executes dropped EXE
            PID:5028
          • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
            "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3476
          • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
            "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            PID:428
      • C:\Users\Admin\AppData\Local\Temp\WzK.exe
        "C:\Users\Admin\AppData\Local\Temp\WzK.exe"
        3⤵
        • Executes dropped EXE
        PID:4376
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1556
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1172
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508 0x4f4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4500
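The tree above is the pattern an analyst wants to alert on: the sample drops xqhfr.exe into the user's temp directory, xqhfr.exe launches a copy named cvtres.exe, that copy re-launches the same image (consistent with the SetThreadContext and WriteProcessMemory hits), and the last generation runs three instances with the NirSoft `/scomma <file>` export switch, which writes each tool's recovered credentials to data.dmp, data1.dmp and data2.dmp instead of showing a window. The Python below is an added example for this report, not tria.ge code; it runs that hunt over constructed Sysmon-style process-creation records that mirror the tree (the event fields, the explorer.exe parent and the benign notepad.exe row are assumptions added for contrast).

```python
"""Hunt for the NirSoft-dropper chain seen in the process tree above.

Added example for this report, not tria.ge code. The input is a set of
constructed Sysmon-style process-creation records (EventID 1 fields: pid,
ppid, image, command line) that mirror the tree; the explorer.exe parent and
the benign notepad.exe row are assumptions added for contrast.
"""
import re
from dataclasses import dataclass

# NirSoft command-line export switches: the tool writes its recovered
# credentials to the file after the switch instead of opening its GUI.
NIRSOFT_EXPORT = re.compile(r"\s/s(?:comma|text|tab|html|verhtml|xml)\s+(\S+)",
                            re.IGNORECASE)
# Per-user temp directory, where this sample stages every dropped binary.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\",
                       re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def nirsoft_export(ev):
    """Export target path when a binary under %TEMP% runs a NirSoft export switch, else None."""
    m = NIRSOFT_EXPORT.search(ev.cmdline)
    if m and USER_TEMP.match(ev.image):
        return m.group(1)
    return None


def self_spawn(ev, by_pid):
    """True when the parent runs the same image: the re-launch that goes with
    the SetThreadContext/WriteProcessMemory (process hollowing) signatures."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and parent.image.lower() == ev.image.lower()


def lineage(pid, by_pid):
    """Image paths from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def fan_out(events, min_children=2):
    """Parents that launch several export children, one per NirSoft tool
    (here MailPassView, WebBrowserPassView and a third dump)."""
    by_parent = {}
    for ev in events:
        out = nirsoft_export(ev)
        if out:
            by_parent.setdefault(ev.ppid, []).append(out)
    return {p: sorted(o) for p, o in by_parent.items() if len(o) >= min_children}


def hunt(events):
    """All findings, each with the full drop chain so the root sample is visible."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        out = nirsoft_export(ev)
        if out:
            findings.append({"pid": ev.pid, "rule": "nirsoft_export",
                             "detail": out, "lineage": lineage(ev.pid, by_pid)})
        if self_spawn(ev, by_pid):
            findings.append({"pid": ev.pid, "rule": "self_spawn",
                             "detail": ev.image, "lineage": lineage(ev.pid, by_pid)})
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe"


def tmp(name):
    return TEMP + "\\" + name


# Constructed records mirroring the report's tree (PIDs and command lines as in the report).
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent
    ProcEvent(4264, 1000, tmp(SAMPLE), f'"{tmp(SAMPLE)}"'),
    ProcEvent(3768, 4264, tmp("xqhfr.exe"), f'"{tmp("xqhfr.exe")}"'),
    ProcEvent(4816, 3768, tmp("cvtres.exe"), TEMP + "\\\\cvtres.exe"),  # doubled backslash, as in the report
    ProcEvent(1928, 4816, tmp("cvtres.exe"), f'"{tmp("cvtres.exe")}"'),
    ProcEvent(5028, 1928, tmp("cvtres.exe"), f'"{tmp("cvtres.exe")}" /scomma {tmp("data.dmp")}'),
    ProcEvent(3476, 1928, tmp("cvtres.exe"), f'"{tmp("cvtres.exe")}" /scomma {tmp("data1.dmp")}'),
    ProcEvent(428, 1928, tmp("cvtres.exe"), f'"{tmp("cvtres.exe")}" /scomma {tmp("data2.dmp")}'),
    ProcEvent(4376, 3768, tmp("WzK.exe"), f'"{tmp("WzK.exe")}"'),
    ProcEvent(1172, 4264, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe", "dw20.exe -x -s 1556"),
    ProcEvent(9999, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign row, assumed
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["pid"], f["rule"], f["detail"], " -> ".join(f["lineage"]))
    print("fan-out:", fan_out(SAMPLE_EVENTS))
```

cvtres.exe is also the name of a legitimate Microsoft tool that ships with the .NET Framework, which is why the rule keys on the image living under the user's temp directory rather than on the file name; in a real pipeline you would add the hashes from the Downloads section (the 34KB cvtres.exe is e118330b4629b12368d91b9df6488be0) and a signature check on the image.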

Network

  • DNS bojku0.get24.org (process: cvtres.exe)
    Remote address: 8.8.8.8:53
    Request: bojku0.get24.org IN A
    Response: (empty in the report)

  Flows (one row per entry; column assignment follows the report's column order, and cells that were empty in the extract are shown as -):

    Address            Domain            Protocol  Process     Sent   Received  Packets sent  Packets received
    20.44.10.122:443   -                 -         -           322 B  -         7             -
    8.238.21.126:80    -                 -         -           322 B  -         7             -
    8.238.21.126:80    -                 -         -           322 B  -         7             -
    8.238.21.126:80    -                 -         -           322 B  -         7             -
    8.8.8.8:53         bojku0.get24.org  dns       cvtres.exe  62 B   124 B     1             1

  DNS Request: bojku0.get24.org

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WzK.exe

    Filesize

    255KB

    MD5

    8f064640da380d34a0485de34d03388c

    SHA1

    488e5da5a955aaed1848c026ced220b0fbeb1190

    SHA256

    b158a4635a85827f3d78a9c26c6ad9a0bc3126f4cf6329c2fdd039ed9fa71356

    SHA512

    34cee8a5741bfe23e6909398c7e12cdfd926de46afcd984ddba32936639686a61320622adc45d0c3be549ed0d6385d2954377a5ae36099998cb176313f438157

  • C:\Users\Admin\AppData\Local\Temp\cvtres.exe

    Filesize

    34KB

    MD5

    e118330b4629b12368d91b9df6488be0

    SHA1

    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256

    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512

    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

  • C:\Users\Admin\AppData\Local\Temp\xqhfr.exe

    Filesize

    818KB

    MD5

    259d1c6bd3ae9af95fbb0a0f73f0c8e2

    SHA1

    c5892add06d8c3de974f37ff1055ec2a7cea284a

    SHA256

    421ed289a2696c3e4233234a9d8cf48537295b9158d27dbc8ff304c8a9d7e2ba

    SHA512

    552a7a18ad42374edfde4e002afcdc139781445f3cf448fd7b72125bd43695a4e381339c25d98eec558ebfaf40a3ce80fdb017df72b2d73df5a5c8e0b1203409

  • memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/428-168-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/428-174-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/1928-151-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize 380KB)
  • memory/1928-167-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize 380KB)
  • memory/1928-154-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize 380KB)
  • memory/1928-173-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize 380KB)
  • memory/1928-153-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize 380KB)
  • memory/3476-160-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
  • memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
  • memory/3476-166-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
  • memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
  • memory/3768-150-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize 5.7MB)
  • memory/3768-136-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize 5.7MB)
  • memory/4264-179-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize 5.7MB)
  • memory/4264-132-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize 5.7MB)
  • memory/4264-164-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize 5.7MB)
  • memory/4816-143-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
  • memory/4816-139-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
  • memory/4816-180-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
  • memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp (Filesize 336KB)
  • memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp (Filesize 336KB)
  • memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp (Filesize 336KB)