Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

56d675b94e...17.exe

windows7-x64

10

56d675b94e...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe

  • Size

    536KB

  • MD5

    dcf1d09fadd3f5a019fe454bfb5421d4

  • SHA1

    a9a16c7f7c1c5e6d30a5b18625874fae136a1ba3

  • SHA256

    56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817

  • SHA512

    e4d90fae0d1017052c05b44da9e42c6f323e01aaf3f650e8ff07cb9d352766a70910d77f88ef1e509f0dc9e615caabbeedc430e16e79286145059bc219860509

  • SSDEEP

    12288:PvwVa5L9B/S5cCo4GgKUX/QgIVlFMPxC15J:Xw4lXCo4JnclFixC15

Score
10/10
isrstealerstealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 4 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
    "C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\rHDDZQECla.ini"
        3⤵
        • Executes dropped EXE
        PID:5108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 456
          4⤵
          • Program crash
          PID:1772
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\hrsIpEdYg3.ini"
        3⤵
        • Executes dropped EXE
        PID:4092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 476
          4⤵
          • Program crash
          PID:3304
    • C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
      "C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
      2⤵
        PID:1364
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 304
          3⤵
          • Program crash
          PID:3848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1364 -ip 1364
      1⤵
        PID:3904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5108 -ip 5108
        1⤵
          PID:3296
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4092 -ip 4092
          1⤵
            PID:1116

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Server.exe
            Filesize

            260KB

            MD5

            c7ef8d606bd77b572cafac7dd5ca3182

            SHA1

            5833675c484816f7da120f58e4476afba4975d66

            SHA256

            7a23077dbcc1310c135d32cb442bdac8cc2befbd3ab43a757e4c4ddd0641c398

            SHA512

            6087caa54bd79c463dfed45f67ef81d5535ad9362a48088e149a244f720e83a0464ebc72ef7706e10355b68d852c53b5db7a05d01c730012901eb3024982946a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Server.exe
            Filesize

            260KB

            MD5

            c7ef8d606bd77b572cafac7dd5ca3182

            SHA1

            5833675c484816f7da120f58e4476afba4975d66

            SHA256

            7a23077dbcc1310c135d32cb442bdac8cc2befbd3ab43a757e4c4ddd0641c398

            SHA512

            6087caa54bd79c463dfed45f67ef81d5535ad9362a48088e149a244f720e83a0464ebc72ef7706e10355b68d852c53b5db7a05d01c730012901eb3024982946a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Server.exe
            Filesize

            260KB

            MD5

            c7ef8d606bd77b572cafac7dd5ca3182

            SHA1

            5833675c484816f7da120f58e4476afba4975d66

            SHA256

            7a23077dbcc1310c135d32cb442bdac8cc2befbd3ab43a757e4c4ddd0641c398

            SHA512

            6087caa54bd79c463dfed45f67ef81d5535ad9362a48088e149a244f720e83a0464ebc72ef7706e10355b68d852c53b5db7a05d01c730012901eb3024982946a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Server.exe
            Filesize

            260KB

            MD5

            c7ef8d606bd77b572cafac7dd5ca3182

            SHA1

            5833675c484816f7da120f58e4476afba4975d66

            SHA256

            7a23077dbcc1310c135d32cb442bdac8cc2befbd3ab43a757e4c4ddd0641c398

            SHA512

            6087caa54bd79c463dfed45f67ef81d5535ad9362a48088e149a244f720e83a0464ebc72ef7706e10355b68d852c53b5db7a05d01c730012901eb3024982946a

            Download Submit

          • memory/1364-157-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/1364-141-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/1364-139-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/1364-149-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/1944-140-0x00000000007A0000-0x00000000007A6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1944-134-0x00000000007A0000-0x00000000007A6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4092-151-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4092-154-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4092-156-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/5108-148-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/5108-145-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/5108-155-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download