Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
197s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
26/11/2022, 14:42
General
-
Target
f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
-
Size
488KB
-
MD5
e0968638796261d3bd533c7f452095c0
-
SHA1
60b9e96a5d6e5cbf71a01e0530b89115f051a960
-
SHA256
f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
-
SHA512
e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
SSDEEP
12288:Y+j2RX5IOHj2XY0uo7vKzB1/xmXke2ovXtf0RS2w3CD9:Y+jS5IOD2I0h7v0B1/Wke2atf0ZwyD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 10 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
Nirsoft 3 IoCs
-
Executes dropped EXE 14 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 14 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe"C:\Users\Admin\AppData\Local\Temp\f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe/scomma "C:\Users\Admin\AppData\Local\Temp\TQpDx0GjNE.ini"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe/scomma "C:\Users\Admin\AppData\Local\Temp\hWog751Z2h.ini"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
-
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\csrss.exe"C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 4688 -proc 4688 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe/scomma "C:\Users\Admin\AppData\Local\Temp\zS1sOXBO1M.ini"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\csrss.exe"C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 4368 -proc 4368 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD52d362531e18207d8e72a10ba27f12ca2
SHA142a3de9849915d1d25da086026dff1952d39ae3b
SHA256cf39cec2d65bcda74a7d8a7cb889455d9a7348f6a25180afb6f5121bafb8c56a
SHA512a36f09f1e957fcf4c8804c7a9328176ff19badd935c8bf1313e5d59e71e503a160b93052b23e19733b791b5e9f5282d6b498f8e2973ef8f7a303e38b22a64355
-
Filesize
408B
MD52d362531e18207d8e72a10ba27f12ca2
SHA142a3de9849915d1d25da086026dff1952d39ae3b
SHA256cf39cec2d65bcda74a7d8a7cb889455d9a7348f6a25180afb6f5121bafb8c56a
SHA512a36f09f1e957fcf4c8804c7a9328176ff19badd935c8bf1313e5d59e71e503a160b93052b23e19733b791b5e9f5282d6b498f8e2973ef8f7a303e38b22a64355
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
257B
MD59a99fdc6c8686c32ff82fa67d7b855e3
SHA1e1d24587143f301a927a406b4e28621c3e65fb7a
SHA2568b8d049ee2959b0fea05fd867a8529e88d99f325518167ee11d0c18be979eb22
SHA512b6503941b8ef81cc87634bdff81aadf1ce959ae32c1f491da49d67d542984326ca0c4ad818434c4399821995609992047e5d25325031640f6280b13da6ee1165
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
336KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
336KB
-
Filesize
16.6MB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
336KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB