Analysis

max time kernel: 45s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26/11/2022, 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
  Resource: win10v2004-20220812-en
(The signatures and process tree below come from behavioral1; every yara path on this page is prefixed behavioral1/.)
General

Target: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
Size: 536KB
MD5: dcf1d09fadd3f5a019fe454bfb5421d4
SHA1: a9a16c7f7c1c5e6d30a5b18625874fae136a1ba3
SHA256: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817
SHA512: e4d90fae0d1017052c05b44da9e42c6f323e01aaf3f650e8ff07cb9d352766a70910d77f88ef1e509f0dc9e615caabbeedc430e16e79286145059bc219860509
SSDEEP: 12288:PvwVa5L9B/S5cCo4GgKUX/QgIVlFMPxC15J:Xw4lXCo4JnclFixC15
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
In this run the dropped Server.exe (PID 1168) starts two further copies of itself with the arguments /scomma "C:\Users\Admin\AppData\Local\Temp\<random>.ini" (see Processes). /scomma <file> is the export switch of the NirSoft password-recovery utilities, which this family bundles and runs to dump saved browser and mail credentials as comma-separated text; the two children (PIDs 468 and 1572) being written to and having their thread context reset by the parent, then crashing, is consistent with those tools being run inside hollowed Server.exe processes. The .ini output files named on the command lines do not appear in the Downloads section of this report.
-
ISR Stealer payload (22 IoCs)
yara rule family_isrstealer, all hits on the same dropped resource:
  behavioral1/files/0x000b000000012314-{58,59,61,68,69,73,80,81,82,83,84,85,87,90,95,96,97,98,99,100,101,102}.dat
Executes dropped EXE (3 IoCs)
  PID 1168  Server.exe
  PID 468   Server.exe
  PID 1572  Server.exe
UPX-packed image in memory (yara rule upx, 7 IoCs)
  behavioral1/memory/468-76-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral1/memory/468-70-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral1/memory/468-78-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral1/memory/468-86-0x0000000000400000-0x0000000000453000-memory.dmp
  behavioral1/memory/1572-88-0x0000000000400000-0x000000000041F000-memory.dmp
  behavioral1/memory/1572-93-0x0000000000400000-0x000000000041F000-memory.dmp
  behavioral1/memory/1572-103-0x0000000000400000-0x000000000041F000-memory.dmp
Both children were started from the same Server.exe on disk, yet their in-memory images at 0x400000 differ in size (0x53000 for PID 468, 0x1F000 for PID 1572). That fits each child being hollowed with a different embedded payload rather than running Server.exe's own code, and it is why a disk hash of Server.exe will not identify what actually executed.
Loads dropped DLL (18 IoCs)
  PID 1680  56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe  (2 hits)
  PID 1168  Server.exe    (2 hits)
  PID 1532  WerFault.exe  (7 hits)
  PID 1328  WerFault.exe  (7 hits)
The WerFault entries are the crash reporters started for PIDs 468 and 1572 (see Program crash) handling the crashed children, not an additional injection.
Suspicious use of SetThreadContext (2 IoCs)
  PID 1168 (Server.exe) set thread context of PID 468   (procid_target 30)
  PID 1168 (Server.exe) set thread context of PID 1572  (procid_target 33)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; nothing else in this report supports that reading (no encryption or ransom-note signatures fired, and the payload match is a credential stealer), and drive enumeration is equally consistent with a stealer looking for data to collect.
Program crash (3 IoCs)
  WerFault.exe PID 1788  for crashed PID 1044 (second copy of the sample; procid_target 29)
  WerFault.exe PID 1532  for crashed PID 468  (Server.exe /scomma child; procid_target 30)
  WerFault.exe PID 1328  for crashed PID 1572 (Server.exe /scomma child; procid_target 33)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1680  56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
  PID 1168  Server.exe
Suspicious use of WriteProcessMemory (50 IoCs)
Grouped by source -> target (the report lists one line per write):
  PID 1680 (sample)      -> PID 1168 (Server.exe)     4 writes, procid_target 28
  PID 1680 (sample)      -> PID 1044 (sample)        16 writes, procid_target 29
  PID 1168 (Server.exe)  -> PID 468  (Server.exe)     9 writes, procid_target 30
  PID 1044 (sample)      -> PID 1788 (WerFault.exe)   4 writes, procid_target 31
  PID 468  (Server.exe)  -> PID 1532 (WerFault.exe)   4 writes, procid_target 32
  PID 1168 (Server.exe)  -> PID 1572 (Server.exe)     9 writes, procid_target 33
  PID 1572 (Server.exe)  -> PID 1328 (WerFault.exe)   4 writes, procid_target 34
The four-write groups into freshly created children (1168 and the three WerFault reporters) are what Triage records for ordinary process creation. The nine-write groups into 468 and 1572, paired with SetThreadContext from the same parent, are the injection. The 16 writes into the second copy of the sample (1044), which then crashes, are not paired with SetThreadContext.
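The two signature tables above describe a process-hollowing sequence. The following Python is an added example, not part of the Triage report and not Triage's detection logic: it parses lines in the report's own text layout, ranks each writer/target pair, and returns the PIDs whose image was replaced by their parent. The PID-to-image table is taken from the Processes section; the WriteProcessMemory input is abridged to one line per distinct pair, and the verdict labels and thresholds are the example's own.

```python
"""Added example (not part of the Triage report, not Triage's own logic):
rebuild the injection chain from WriteProcessMemory / SetThreadContext
signature lines and rank each parent/child pair."""
import re
from collections import Counter
from typing import Dict, List, Tuple

Pair = Tuple[int, int]

SAMPLE = "56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"

# PID -> image name, taken from the Processes section of this report.
IMAGES: Dict[int, str] = {
    1680: SAMPLE, 1044: SAMPLE,
    1168: "Server.exe", 468: "Server.exe", 1572: "Server.exe",
    1788: "WerFault.exe", 1532: "WerFault.exe", 1328: "WerFault.exe",
}

# Signature lines in Triage's text layout, copied from this report. The
# WriteProcessMemory table is abridged to one line per distinct pair (the
# report repeats each line 4 to 16 times); the heuristic keys on pairs.
WPM_LINES = "\n".join([
    "PID 1680 wrote to memory of 1168 1680 " + SAMPLE + " 28",
    "PID 1680 wrote to memory of 1044 1680 " + SAMPLE + " 29",
    "PID 1168 wrote to memory of 468 1168 Server.exe 30",
    "PID 1044 wrote to memory of 1788 1044 " + SAMPLE + " 31",
    "PID 468 wrote to memory of 1532 468 Server.exe 32",
    "PID 1168 wrote to memory of 1572 1168 Server.exe 33",
    "PID 1572 wrote to memory of 1328 1572 Server.exe 34",
])
CTX_LINES = "\n".join([
    "PID 1168 set thread context of 468 1168 Server.exe 30",
    "PID 1168 set thread context of 1572 1168 Server.exe 33",
])

# Triage prints: PID <src> <verb> <dst> <src> <src image> <procid_target>
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")


def parse_pairs(text: str, pattern: "re.Pattern") -> Counter:
    """(source pid, target pid) -> number of signature lines for that pair."""
    return Counter((int(m.group(1)), int(m.group(2)))
                   for m in pattern.finditer(text))


def classify(images: Dict[int, str], wpm: Counter, ctx: Counter) -> Dict[Pair, str]:
    """Rank every write pair (labels are this example's own).

    Write + SetThreadContext on the same child is the hollowing sequence
    (create suspended, overwrite the image, reset the entry point, resume).
    A write on its own is weak evidence: Triage also records the writes
    CreateProcess makes into a brand-new child, including the WerFault
    reporter a crashing process starts for itself.
    """
    verdicts: Dict[Pair, str] = {}
    for src, dst in wpm:
        same_image = images.get(src) == images.get(dst)
        if (src, dst) in ctx:
            verdict = "hollowing: WriteProcessMemory + SetThreadContext"
            if same_image:
                verdict += " into a copy of itself"
        elif images.get(dst) == "WerFault.exe":
            verdict = "crash reporting (expected for a faulting process)"
        elif same_image:
            verdict = "self-spawn without SetThreadContext (review)"
        else:
            verdict = "child creation, write only"
        verdicts[(src, dst)] = verdict
    return verdicts


def hollowed_children(verdicts: Dict[Pair, str]) -> List[int]:
    """PIDs whose image was replaced by their parent, ascending."""
    return sorted(dst for (_, dst), v in verdicts.items() if v.startswith("hollowing"))


if __name__ == "__main__":
    result = classify(IMAGES, parse_pairs(WPM_LINES, WPM_RE),
                      parse_pairs(CTX_LINES, CTX_RE))
    for (src, dst), verdict in sorted(result.items()):
        print(f"{src:>5} ({IMAGES[src]}) -> {dst:<5} ({IMAGES[dst]}): {verdict}")
    print("hollowed children:", hollowed_children(result))
```

Run as-is it reports 468 and 1572 as hollowed copies of Server.exe, the writes into the WerFault reporters as crash handling, and the 16 writes into PID 1044 as a self-spawn that still needs a look because no SetThreadContext accompanied them. Feeding it the full, unabridged tables changes the counts in the Counter but not the verdicts.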
Processes

C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe  (PID 1680)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
    signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    |
    +-- C:\Users\Admin\AppData\Local\Temp\Server.exe  (PID 1168)
    |       cmdline: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    |       signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    |       |
    |       +-- C:\Users\Admin\AppData\Local\Temp\Server.exe  (PID 468)
    |       |       cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\a3AfKqw7ri.ini"
    |       |       signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    |       |       |
    |       |       +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1532)
    |       |               cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 168
    |       |               signatures: Loads dropped DLL; Program crash
    |       |
    |       +-- C:\Users\Admin\AppData\Local\Temp\Server.exe  (PID 1572)
    |               cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\xm4uR6yhhj.ini"
    |               signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    |               |
    |               +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1328)
    |                       cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 172
    |                       signatures: Loads dropped DLL; Program crash
    |
    +-- C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe  (PID 1044)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
            signatures: Suspicious use of WriteProcessMemory
            |
            +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1788)
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 88
                    signatures: Program crash

All three injected or re-spawned processes (468, 1572 and 1044) crash under WerFault, so the run captures the injection but not the credential export that the /scomma arguments were meant to produce.
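The process tree above shows the artifact an incident responder should look for on a host: a copy of a dropped executable, running from the user's Temp directory, started with the NirSoft-style /scomma export switch and writing to a randomly named file in the same directory. The Python below is an added example, not part of the Triage report and not Triage's logic. Its process records are reconstructed from this report's Processes section (parent links follow the tree) plus one constructed benign record for contrast; the tool path C:\Tools\pwaudit.exe, the PIDs 2400 and 1200 and the Documents path in that record are invented, and the Temp-based verdict rule is the example's own.

```python
"""Added example (not from the Triage report): find processes started with
the NirSoft-style `/scomma <file>` export switch and decide whether the
export looks like staged credential harvesting."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # as logged; Triage omits argv[0] for the /scomma children


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
SERVER = TEMP + r"\Server.exe"

PROCS: List[Proc] = [
    # Reconstructed from this report's process tree.
    Proc(1680, 0, SAMPLE, '"' + SAMPLE + '"'),
    Proc(1168, 1680, SERVER, '"' + SERVER + '"'),
    Proc(468, 1168, SERVER, '/scomma "' + TEMP + r'\a3AfKqw7ri.ini"'),
    Proc(1572, 1168, SERVER, '/scomma "' + TEMP + r'\xm4uR6yhhj.ini"'),
    Proc(1044, 1680, SAMPLE, '"' + SAMPLE + '"'),
    # Constructed for contrast (not from the report): an operator running an
    # export tool from a tools directory and writing to Documents.
    Proc(2400, 1200, r"C:\Tools\pwaudit.exe",
         r'"C:\Tools\pwaudit.exe" /scomma "C:\Users\Admin\Documents\audit.csv"'),
]

# /scomma <file>: quoted or bare path following the switch.
SCOMMA_RE = re.compile(r'/scomma\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

STAGED = "credential export staged in user Temp"
REVIEW = "export outside Temp (review context)"


def scomma_exports(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, export path, verdict) for every /scomma invocation.

    Rule (this example's own): flag when the exporting process, its parent,
    or the export file itself lives under the user's Temp directory. A
    legitimate operator exports to somewhere they will read; a stealer
    stages the dump next to its dropper for pickup.
    """
    by_pid = {p.pid: p for p in procs}
    found = []
    for p in procs:
        m = SCOMMA_RE.search(p.cmdline)
        if not m:
            continue
        export = m.group(1) or m.group(2)
        parent = by_pid.get(p.ppid)
        parent_image = parent.image if parent else ""
        in_temp = any(USER_TEMP_RE.search(s) for s in (p.image, parent_image, export))
        found.append((p.pid, export, STAGED if in_temp else REVIEW))
    return sorted(found)


def staged_files(procs: List[Proc]) -> List[str]:
    """Export paths worth collecting before the host is rebuilt."""
    return [path for _, path, verdict in scomma_exports(procs) if verdict == STAGED]


if __name__ == "__main__":
    for pid, path, verdict in scomma_exports(PROCS):
        print(f"PID {pid}: {path} -> {verdict}")
    print("collect:", staged_files(PROCS))
```

Against the report's records the two Server.exe children are flagged and their .ini paths are returned for collection; the constructed operator record matches the switch but falls outside Temp, so it is reported for review rather than flagged. On a live host the same two paths are the first files to preserve, since they hold whatever the tools managed to dump before the crash.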
Network
MITRE ATT&CK Enterprise v6
Downloads

All 22 download entries on this page carry identical hashes (the listing repeats one file 22 times, matching the 22 family_isrstealer hits on resource 0x000b000000012314); the single distinct file is:
Filesize: 260KB
MD5: c7ef8d606bd77b572cafac7dd5ca3182
SHA1: 5833675c484816f7da120f58e4476afba4975d66
SHA256: 7a23077dbcc1310c135d32cb442bdac8cc2befbd3ab43a757e4c4ddd0641c398
SHA512: 6087caa54bd79c463dfed45f67ef81d5535ad9362a48088e149a244f720e83a0464ebc72ef7706e10355b68d852c53b5db7a05d01c730012901eb3024982946a