Analysis
- max time kernel: 184s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 12:38
Behavioral task behavioral1
- Sample: ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
- Resource: win10v2004-20220812-en
General
- Target: ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
- Size: 1.1MB
- MD5: 647c5dde7a82629ee388904031bfa96b
- SHA1: c73b8e712703e770d36b301fcf725fd0e6cb88f2
- SHA256: ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66
- SHA512: 0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a
- SSDEEP: 24576:QUKoN0bUxgGa/pfBHDb+y1LXPeCXuLKdsOT:TK1A6ze/KdX
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
ISR Stealer payload 8 IoCs
resource | yara_rule
- behavioral2/memory/2348-132-0x0000000000400000-0x0000000000518000-memory.dmp | family_isrstealer
- behavioral2/files/0x0006000000022e45-134.dat | family_isrstealer
- behavioral2/files/0x0006000000022e45-135.dat | family_isrstealer
- behavioral2/files/0x0006000000022e45-140.dat | family_isrstealer
- behavioral2/files/0x0007000000022e3d-149.dat | family_isrstealer
- behavioral2/files/0x0007000000022e3d-150.dat | family_isrstealer
- behavioral2/memory/2348-151-0x0000000000400000-0x0000000000518000-memory.dmp | family_isrstealer
- behavioral2/memory/216-152-0x0000000000400000-0x0000000000518000-memory.dmp | family_isrstealer
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\mssdcsc.exe" | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | mssdcsc.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
Windows security bypass 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mssdcsc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Executes dropped EXE 3 IoCs
pid | Process
- 1060 | ST.EXE
- 836 | ST.EXE
- 216 | mssdcsc.exe
UPX packed file 9 IoCs
resource | yara_rule
- behavioral2/memory/2348-132-0x0000000000400000-0x0000000000518000-memory.dmp | upx
- behavioral2/memory/836-139-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral2/memory/836-142-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral2/memory/836-143-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral2/memory/836-144-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral2/files/0x0007000000022e3d-149.dat | upx
- behavioral2/files/0x0007000000022e3d-150.dat | upx
- behavioral2/memory/2348-151-0x0000000000400000-0x0000000000518000-memory.dmp | upx
- behavioral2/memory/216-152-0x0000000000400000-0x0000000000518000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mssdcsc.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\mssdcsc.exe" | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
- PID 1060 set thread context of 836 | 1060 | ST.EXE | 80
- PID 216 set thread context of 2332 | 216 | mssdcsc.exe | 85
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 1 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
- 3676 | PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
- 2332 | iexplore.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token:) | pid | Process
- PID 2348 ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe (24 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 216 mssdcsc.exe (24 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2332 iexplore.exe (16 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 1060 | ST.EXE
- 2332 | iexplore.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target (repeated rows collapsed with a count)
- PID 2348 wrote to memory of 1060 | 2348 | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe | 79 (x3)
- PID 1060 wrote to memory of 836 | 1060 | ST.EXE | 80 (x8)
- PID 2348 wrote to memory of 5116 | 2348 | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe | 81 (x3)
- PID 5116 wrote to memory of 3676 | 5116 | cmd.exe | 83 (x3)
- PID 2348 wrote to memory of 216 | 2348 | ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe | 84 (x3)
- PID 216 wrote to memory of 2332 | 216 | mssdcsc.exe | 85 (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe"
  PID: 2348
  signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ST.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\ST.EXE"
    PID: 1060
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ST.EXE
      command line: /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
      PID: 836
      signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe"
    PID: 5116
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1 -n 4
      PID: 3676
      signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe"
    PID: 216
    signatures: Modifies security service; Windows security bypass; Executes dropped EXE; Windows security modification; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2332
      signatures: Modifies security service; Windows security bypass; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
  MD5: 647c5dde7a82629ee388904031bfa96b
  SHA1: c73b8e712703e770d36b301fcf725fd0e6cb88f2
  SHA256: ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66
  SHA512: 0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a
- Filesize: 1.1MB
  MD5: 647c5dde7a82629ee388904031bfa96b
  SHA1: c73b8e712703e770d36b301fcf725fd0e6cb88f2
  SHA256: ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66
  SHA512: 0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a
- Filesize: 196KB
  MD5: dc5705be7750d65884d7635861f9cb7d
  SHA1: 98d13661de10e746c3abf2758a61f363168f3b09
  SHA256: 413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f
  SHA512: daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf
- Filesize: 196KB
  MD5: dc5705be7750d65884d7635861f9cb7d
  SHA1: 98d13661de10e746c3abf2758a61f363168f3b09
  SHA256: 413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f
  SHA512: daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf
- Filesize: 196KB
  MD5: dc5705be7750d65884d7635861f9cb7d
  SHA1: 98d13661de10e746c3abf2758a61f363168f3b09
  SHA256: 413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f
  SHA512: daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf
- Filesize: 5B
  MD5: d1ea279fb5559c020a1b4137dc4de237
  SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
  SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
  SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3