Analysis
max time kernel: 91s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 14:13
Static task: static1
Behavioral task: behavioral1
  Sample: 5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
  Resource: win10v2004-20220812-en
General
Target: 5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
Size: 1.2MB
MD5: fe5175560342c0936f33072bc5f125c2
SHA1: 12f3bb5a0822e8317cf0444a215322f5bed9e6dd
SHA256: 5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b
SHA512: 8ae02d9e6e44db218f99e84b6b945d228646ea4bb5e1dae5621d03f1a09a043e729723dbb1ee463a4ce15507d1cd21f30f64ebd1a09ef4266fa770fd78c0960d
SSDEEP: 24576:di4FmmfgFuk/3OtOZHcgxW7NbQkGt4ST69cv20euBXaXlSJitbxSrYFnDzh/hvEe:di4FmmfgUk/etOZHcgY7NbQkGqST69w+
Malware Config
Signatures

ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (3 IoCs)
  resource  yara_rule
  behavioral2/memory/4816-139-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
  behavioral2/memory/4816-143-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
  behavioral2/memory/4816-180-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer

NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  resource  yara_rule
  behavioral2/memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
  behavioral2/memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  resource  yara_rule
  behavioral2/memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
  behavioral2/memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
  behavioral2/memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView

Nirsoft (7 IoCs)
  resource  yara_rule
  behavioral2/memory/5028-156-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
  behavioral2/memory/5028-161-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
  behavioral2/memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
  behavioral2/memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
  behavioral2/memory/5028-177-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
  behavioral2/memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
  behavioral2/memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft

Executes dropped EXE (7 IoCs)
  pid   Process
  3768  xqhfr.exe
  4816  cvtres.exe
  4376  WzK.exe
  1928  cvtres.exe
  5028  cvtres.exe
  3476  cvtres.exe
  428   cvtres.exe

upx yara rule matches (signature title missing from the page; 8 memory-dump rows)
  resource  yara_rule
  behavioral2/memory/428-168-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral2/memory/3476-170-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral2/memory/3476-166-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral2/memory/3476-160-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral2/memory/3476-175-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral2/memory/428-176-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral2/memory/428-174-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral2/memory/428-178-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  xqhfr.exe

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description  ioc  Process
  Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  cvtres.exe
Suspicious use of SetThreadContext (5 IoCs)
  description                          pid   Process     procid_target
  PID 3768 set thread context of 4816  3768  xqhfr.exe   82
  PID 4816 set thread context of 1928  4816  cvtres.exe  84
  PID 1928 set thread context of 5028  1928  cvtres.exe  85
  PID 1928 set thread context of 3476  1928  cvtres.exe  86
  PID 1928 set thread context of 428   1928  cvtres.exe  87

Drops file in Windows directory (1 IoC)
  description   ioc                                            Process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  dw20.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc  Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description        ioc  Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs; repeated rows collapsed with a count)
  pid   Process     events
  3768  xqhfr.exe   2
  4816  cvtres.exe  8
  3476  cvtres.exe  2

Suspicious use of AdjustPrivilegeToken (10 IoCs; repeated rows collapsed with a count)
  description                        pid   Process     events
  Token: SeDebugPrivilege            4264  5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe  1
  Token: SeDebugPrivilege            3768  xqhfr.exe    1
  Token: SeRestorePrivilege          1172  dw20.exe     1
  Token: SeBackupPrivilege           1172  dw20.exe     4
  Token: SeDebugPrivilege            3476  cvtres.exe   1
  Token: 33                          4500  AUDIODG.EXE  1
  Token: SeIncBasePriorityPrivilege  4500  AUDIODG.EXE  1

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  4816  cvtres.exe

Suspicious use of WriteProcessMemory (45 IoCs; repeated rows collapsed with a count)
  description                       pid   Process     procid_target  events
  PID 4264 wrote to memory of 3768  4264  5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe  80  3
  PID 4264 wrote to memory of 1172  4264  5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe  81  3
  PID 3768 wrote to memory of 4816  3768  xqhfr.exe   82  8
  PID 3768 wrote to memory of 4376  3768  xqhfr.exe   83  3
  PID 4816 wrote to memory of 1928  4816  cvtres.exe  84  13
  PID 1928 wrote to memory of 5028  1928  cvtres.exe  85  5
  PID 1928 wrote to memory of 3476  1928  cvtres.exe  86  5
  PID 1928 wrote to memory of 428   1928  cvtres.exe  87  5
Processes (process tree; each entry gives the image path, the command line as observed, the PID, and the signatures attributed to that process)

C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe  (PID 4264)
  command line: "C:\Users\Admin\AppData\Local\Temp\5b72ca62dd81f1419b3b7598c96160c19d124fe6ec657d0d35f55795a467e35b.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xqhfr.exe  (PID 3768)
      command line: "C:\Users\Admin\AppData\Local\Temp\xqhfr.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 4816)
          command line: C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 1928)
              command line: "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 5028)
                  command line: "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
                  - Executes dropped EXE

                C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 3476)
                  command line: "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 428)
                  command line: "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
                  - Executes dropped EXE
                  - Accesses Microsoft Outlook accounts

        C:\Users\Admin\AppData\Local\Temp\WzK.exe  (PID 4376)
          command line: "C:\Users\Admin\AppData\Local\Temp\WzK.exe"
          - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 1172)
      command line: dw20.exe -x -s 1556
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE  (PID 4500)
  command line: C:\Windows\system32\AUDIODG.EXE 0x508 0x4f4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 255KB
MD5: 8f064640da380d34a0485de34d03388c
SHA1: 488e5da5a955aaed1848c026ced220b0fbeb1190
SHA256: b158a4635a85827f3d78a9c26c6ad9a0bc3126f4cf6329c2fdd039ed9fa71356
SHA512: 34cee8a5741bfe23e6909398c7e12cdfd926de46afcd984ddba32936639686a61320622adc45d0c3be549ed0d6385d2954377a5ae36099998cb176313f438157
Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
Filesize: 818KB
MD5: 259d1c6bd3ae9af95fbb0a0f73f0c8e2
SHA1: c5892add06d8c3de974f37ff1055ec2a7cea284a
SHA256: 421ed289a2696c3e4233234a9d8cf48537295b9158d27dbc8ff304c8a9d7e2ba
SHA512: 552a7a18ad42374edfde4e002afcdc139781445f3cf448fd7b72125bd43695a4e381339c25d98eec558ebfaf40a3ce80fdb017df72b2d73df5a5c8e0b1203409