Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/11/2022, 11:43

Static task: static1

Behavioral task: behavioral1
  Sample: 069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
  Resource: win10v2004-20220812-en
General

Target: 069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
Size: 1.2MB
MD5: 122385771337be68407411abbb90c8ad
SHA1: 8fdaa9b64239281ce74b5028a59d43d0551549c1
SHA256: 069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3
SHA512: f8162ea96469fe4510172daa0d33c66e190f950d73d441895f1dcaf783866c385fba97509c5b4e0e81d77aea5aca5702dfbf42ef0bf85d75336e2036d2994c12
SSDEEP: 24576:FIF6nnjqKoev8IgX9ERDoV4z+o25YV6HJfzag4D9vw9UpFTMZD6:FIojqKoevieRUeKYON4D9uULMZD6
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (4 IoCs)
resource                                                                      yara_rule
behavioral2/memory/4972-152-0x0000000000400000-0x0000000000448000-memory.dmp  family_isrstealer
behavioral2/memory/4972-157-0x0000000000400000-0x0000000000448000-memory.dmp  family_isrstealer
behavioral2/memory/4972-161-0x0000000000400000-0x0000000000448000-memory.dmp  family_isrstealer
behavioral2/memory/4972-162-0x0000000000400000-0x0000000000448000-memory.dmp  family_isrstealer
Executes dropped EXE (1 IoC)
pid   Process
964   QhuAqp.exe
resource                                                                      yara_rule
behavioral2/memory/2040-139-0x0000000000400000-0x00000000004CB000-memory.dmp  upx
behavioral2/memory/2040-141-0x0000000000400000-0x00000000004CB000-memory.dmp  upx
behavioral2/memory/2040-142-0x0000000000400000-0x00000000004CB000-memory.dmp  upx
behavioral2/memory/2040-145-0x0000000000400000-0x00000000004CB000-memory.dmp  upx
behavioral2/memory/4972-149-0x0000000000400000-0x0000000000448000-memory.dmp  upx
behavioral2/memory/4972-151-0x0000000000400000-0x0000000000448000-memory.dmp  upx
behavioral2/memory/4972-152-0x0000000000400000-0x0000000000448000-memory.dmp  upx
behavioral2/memory/4972-157-0x0000000000400000-0x0000000000448000-memory.dmp  upx
behavioral2/memory/2040-160-0x0000000000400000-0x00000000004CB000-memory.dmp  upx
behavioral2/memory/4972-161-0x0000000000400000-0x0000000000448000-memory.dmp  upx
behavioral2/memory/4972-162-0x0000000000400000-0x0000000000448000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description   ioc                                                                                                    Process
Key value queried   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation   069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
Suspicious use of SetThreadContext (4 IoCs)
description                          pid    Process       procid_target
PID 964 set thread context of 2040   964    QhuAqp.exe    80
PID 2040 set thread context of 4972  2040   svchost.exe   81
PID 4972 set thread context of 1860  4972   svchost.exe   82
PID 4972 set thread context of 3300  4972   svchost.exe   86
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
pid    pid_target   Process        procid_target
4712   1860         WerFault.exe   82
912    3300         WerFault.exe   86
Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid    Process
964    QhuAqp.exe   (4 identical entries)
2040   svchost.exe  (38 identical entries)
Suspicious use of FindShellTrayWindow (3 IoCs)
pid    Process
964    QhuAqp.exe   (3 identical entries)
Suspicious use of SendNotifyMessage (3 IoCs)
pid    Process
964    QhuAqp.exe   (3 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid    Process
2040   svchost.exe
4972   svchost.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description                        pid    Process                                                                  procid_target
PID 808 wrote to memory of 964     808    069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe   79   (3 identical entries)
PID 964 wrote to memory of 2040    964    QhuAqp.exe                                                               80   (8 identical entries)
PID 2040 wrote to memory of 4972   2040   svchost.exe                                                              81   (8 identical entries)
PID 4972 wrote to memory of 1860   4972   svchost.exe                                                              82   (8 identical entries)
PID 4972 wrote to memory of 3300   4972   svchost.exe                                                              86   (8 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe"
   PID: 808
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe" "EPmfcM"
      PID: 964
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: "C:\Windows\System32\svchost.exe"
         PID: 2040
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\svchost.exe
            Command line: "C:\Windows\SysWOW64\svchost.exe"
            PID: 4972
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\svchost.exe
               Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\yZSF9a2my5.ini"
               PID: 1860

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 20
                  PID: 4712
                  - Program crash

            5. C:\Windows\SysWOW64\svchost.exe
               Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\ULstFJMTd2.ini"
               PID: 3300

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 84
                  PID: 912
                  - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1860 -ip 1860
   PID: 4816

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3300 -ip 3300
   PID: 4084
Network
MITRE ATT&CK Enterprise v6
Downloads