Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23/11/2022, 14:13

General

  • Target

    5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe

  • Size

    1.2MB

  • MD5

    fe5175560342c0936f33072bc5f125c2

  • SHA1

    12f3bb5a0822e8317cf0444a215322f5bed9e6dd

  • SHA256

    5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b

  • SHA512

    8ae02d9e6e44db218f99e84b6b945d228646ea4bb5e1dae5621d03f1a09a043e729723dbb1ee463a4ce15507d1cd21f30f64ebd1a09ef4266fa770fd78c0960d

  • SSDEEP

    24576:di4FmmfgFuk/3OtOZHcgxW7NbQkGt4ST69cv20euBXaXlSJitbxSrYFnDzh/hvEe:di4FmmfgUk/etOZHcgY7NbQkGqST69w+

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 3 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 7 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
    "C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Users\Admin\AppData\Local\Temp\xqhfr.exe
      "C:\Users\Admin\AppData\Local\Temp\xqhfr.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
            "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
            5⤵
            • Executes dropped EXE
            PID:5028
          • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
            "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3476
          • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
            "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            PID:428
      • C:\Users\Admin\AppData\Local\Temp\WzK.exe
        "C:\Users\Admin\AppData\Local\Temp\WzK.exe"
        3⤵
        • Executes dropped EXE
        PID:4376
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1556
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1172
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508 0x4f4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4500

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WzK.exe

    Filesize

    255KB

    MD5

    8f064640da380d34a0485de34d03388c

    SHA1

    488e5da5a955aaed1848c026ced220b0fbeb1190

    SHA256

    b158a4635a85827f3d78a9c26c6ad9a0bc3126f4cf6329c2fdd039ed9fa71356

    SHA512

    34cee8a5741bfe23e6909398c7e12cdfd926de46afcd984ddba32936639686a61320622adc45d0c3be549ed0d6385d2954377a5ae36099998cb176313f438157

  • C:\Users\Admin\AppData\Local\Temp\cvtres.exe

    Filesize

    34KB

    MD5

    e118330b4629b12368d91b9df6488be0

    SHA1

    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256

    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512

    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

  • C:\Users\Admin\AppData\Local\Temp\xqhfr.exe

    Filesize

    818KB

    MD5

    259d1c6bd3ae9af95fbb0a0f73f0c8e2

    SHA1

    c5892add06d8c3de974f37ff1055ec2a7cea284a

    SHA256

    421ed289a2696c3e4233234a9d8cf48537295b9158d27dbc8ff304c8a9d7e2ba

    SHA512

    552a7a18ad42374edfde4e002afcdc139781445f3cf448fd7b72125bd43695a4e381339c25d98eec558ebfaf40a3ce80fdb017df72b2d73df5a5c8e0b1203409

  • memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/428-168-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/428-174-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1928-151-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1928-167-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1928-154-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1928-173-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1928-153-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3476-160-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3476-166-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3768-150-0x0000000074F40000-0x00000000754F1000-memory.dmp

    Filesize

    5.7MB

  • memory/3768-136-0x0000000074F40000-0x00000000754F1000-memory.dmp

    Filesize

    5.7MB

  • memory/4264-179-0x0000000074F40000-0x00000000754F1000-memory.dmp

    Filesize

    5.7MB

  • memory/4264-132-0x0000000074F40000-0x00000000754F1000-memory.dmp

    Filesize

    5.7MB

  • memory/4264-164-0x0000000074F40000-0x00000000754F1000-memory.dmp

    Filesize

    5.7MB

  • memory/4816-143-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/4816-139-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/4816-180-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB