Analysis
- max time kernel: 152s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 13:22
Static task: static1
Behavioral task: behavioral1
- Sample: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
- Resource: win10v2004-20220812-en
General
- Target: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
- Size: 536KB
- MD5: dcf1d09fadd3f5a019fe454bfb5421d4
- SHA1: a9a16c7f7c1c5e6d30a5b18625874fae136a1ba3
- SHA256: 56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817
- SHA512: e4d90fae0d1017052c05b44da9e42c6f323e01aaf3f650e8ff07cb9d352766a70910d77f88ef1e509f0dc9e615caabbeedc430e16e79286145059bc219860509
- SSDEEP: 12288:PvwVa5L9B/S5cCo4GgKUX/QgIVlFMPxC15J:Xw4lXCo4JnclFixC15
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (4 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000b00000002171d-136.dat  family_isrstealer
  behavioral2/files/0x000b00000002171d-137.dat  family_isrstealer
  behavioral2/files/0x000b00000002171d-146.dat  family_isrstealer
  behavioral2/files/0x000b00000002171d-152.dat  family_isrstealer
- Executes dropped EXE (3 IoCs)
  pid   Process
  524   Server.exe
  5108  Server.exe
  4092  Server.exe
- yara rule: upx (6 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/5108-145-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral2/memory/5108-148-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral2/memory/4092-151-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral2/memory/4092-154-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral2/memory/5108-155-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral2/memory/4092-156-0x0000000000400000-0x000000000041F000-memory.dmp  upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                         pid  Process     procid_target
  PID 524 set thread context of 5108  524  Server.exe  83
  PID 524 set thread context of 4092  524  Server.exe  85
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  3848  1364        WerFault.exe  82
  3304  4092        WerFault.exe  85
  1772  5108        WerFault.exe  83
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1944  56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
  524   Server.exe
- Suspicious use of WriteProcessMemory (34 IoCs; identical rows collapsed, the occurrences column gives the count)
  description                       pid   Process                                                                procid_target  occurrences
  PID 1944 wrote to memory of 524   1944  56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe  81             3
  PID 1944 wrote to memory of 1364  1944  56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe  82             15
  PID 524 wrote to memory of 5108   524   Server.exe                                                             83             8
  PID 524 wrote to memory of 4092   524   Server.exe                                                             85             8
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
  PID:1944
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    PID:524
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Server.exe
      command line: /scomma "C:\Users\Admin\AppData\Local\Temp\rHDDZQECla.ini"
      PID:5108
      - Executes dropped EXE
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 456
        PID:1772
        - Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\Server.exe
      command line: /scomma "C:\Users\Admin\AppData\Local\Temp\hrsIpEdYg3.ini"
      PID:4092
      - Executes dropped EXE
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 476
        PID:3304
        - Program crash
  - [2] C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\56d675b94ed40dcb422a2456ad30f60256b5dda9f1e20bc519bd58abd25ad817.exe"
    PID:1364
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 304
      PID:3848
      - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1364 -ip 1364
  PID:3904
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5108 -ip 5108
  PID:3296
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4092 -ip 4092
  PID:1116
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file (listed four times in the report; all four entries carry identical size and hashes)
  Filesize: 260KB
  MD5: c7ef8d606bd77b572cafac7dd5ca3182
  SHA1: 5833675c484816f7da120f58e4476afba4975d66
  SHA256: 7a23077dbcc1310c135d32cb442bdac8cc2befbd3ab43a757e4c4ddd0641c398
  SHA512: 6087caa54bd79c463dfed45f67ef81d5535ad9362a48088e149a244f720e83a0464ebc72ef7706e10355b68d852c53b5db7a05d01c730012901eb3024982946a