Analysis
- max time kernel: 239s
- max time network: 336s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28/11/2022, 11:15
Behavioral tasks
- behavioral1: sample 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe, resource win7-20221111-en
- behavioral2: sample 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe, resource win10v2004-20221111-en
(All signature hits and the process tree below reference behavioral1, the Windows 7 run.)
General
- Target: 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
- Size: 552KB
- MD5: 71ee4719874a577f4aacabe52668f341
- SHA1: 4e61f9699f3ff32871b493fcda3ee134d681a64a
- SHA256: 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6
- SHA512: 147fd4618892c26ae9d00bee91416e3697b7e656cba21bd5fdd168e23026f7db70cfd1eadf8957b690152e31ac852c67d80d829142a47b5ab0fc7fa4fdd2096b
- SSDEEP: 6144:DooqCevklyNpFiq+6sqjBkEs2P+avFpPK39pe58EJGGdYBZvd9OVqq65scTiK/Rd:D6ZkENWgtvrwpeaHgS/OVqqys5DYH
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
-
ISR Stealer payload (8 IoCs)
resource                                                                       yara_rule
behavioral1/memory/896-62-0x0000000000401180-mapping.dmp                       family_isrstealer
behavioral1/memory/896-59-0x0000000000130000-0x0000000000172000-memory.dmp     family_isrstealer
behavioral1/memory/896-63-0x0000000000130000-0x0000000000172000-memory.dmp     family_isrstealer
behavioral1/memory/1456-71-0x0000000000401180-mapping.dmp                      family_isrstealer
behavioral1/memory/1456-78-0x0000000000400000-0x0000000000442000-memory.dmp    family_isrstealer
behavioral1/memory/864-89-0x0000000000401180-mapping.dmp                       family_isrstealer
behavioral1/memory/1456-94-0x0000000000400000-0x0000000000442000-memory.dmp    family_isrstealer
behavioral1/memory/1456-95-0x0000000000400000-0x0000000000442000-memory.dmp    family_isrstealer
(The rule fires only in the injected child processes 896, 1456 and 864, not in the launcher 564, which is consistent with the payload being unpacked into hollowed copies of the same binaries.)
Suspicious use of SetThreadContext (5 IoCs)
pid    set thread context of   process                                                                 procid_target
564    896                     0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    28
564    1456                    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    29
1456   1904                    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    30
828    864                     takshost.exe                                                            32
1456   0                       0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    (none recorded)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording that accompanies this signature is the sandbox's generic description for it, not a finding about this sample, which the memory rules above classify as ISR Stealer.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid    process
564    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
564    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
828    takshost.exe
-
Suspicious behavior: RenamesItself (1 IoCs)
pid    process
564    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid    process
Token: SeDebugPrivilege  564    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
Token: SeDebugPrivilege  828    takshost.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
pid    process
1456   0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
-
Suspicious use of WriteProcessMemory (57 IoCs, identical rows collapsed with a count)
pid    wrote to memory of   process                                                                 procid_target    count
564    896                  0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    28               11
564    1456                 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    29               11
1456   1904                 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    30               12
564    828                  0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    31               7
828    864                  takshost.exe                                                            32               11
1456   0                    0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe    (none recorded)  5
Every SetThreadContext target above also appears here as a WriteProcessMemory target of the same parent: the parent writes the payload into a freshly spawned copy of itself and then redirects the child's thread, which is the process-hollowing pattern.
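The following is an added example, not code from tria.ge or from the sample's authors. It parses SetThreadContext and WriteProcessMemory IoC rows in the report's own row format, pairs the two signals per (injector, target), and flags the pairs that show the hollowing pattern (write into the child, then replace its thread context), skipping the rows whose target is 0 and carry no procid_target. The IoC rows and the PID-to-image map are constructed from this report; repeated identical rows were reduced to a few copies, so the per-pair write counts are smaller than the report's.

```python
"""Rebuild the injection chain from Triage-style SetThreadContext /
WriteProcessMemory IoC rows and flag process-hollowing candidates.

Added example (not tria.ge's code). Input rows are condensed from the
report above; the parser and the heuristic are the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_IMAGE = "0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"

# Constructed input in the report's row format:
#   PID <pid> <verb> <target> <pid> <image> [<procid_target>]
# procid_target is absent on the 'of 0' rows, exactly as in the report.
IOC_ROWS = f"""
PID 564 set thread context of 896 564 {SAMPLE_IMAGE} 28
PID 564 set thread context of 1456 564 {SAMPLE_IMAGE} 29
PID 1456 set thread context of 1904 1456 {SAMPLE_IMAGE} 30
PID 828 set thread context of 864 828 takshost.exe 32
PID 1456 set thread context of 0 1456 {SAMPLE_IMAGE}
PID 564 wrote to memory of 896 564 {SAMPLE_IMAGE} 28
PID 564 wrote to memory of 896 564 {SAMPLE_IMAGE} 28
PID 564 wrote to memory of 896 564 {SAMPLE_IMAGE} 28
PID 564 wrote to memory of 1456 564 {SAMPLE_IMAGE} 29
PID 1456 wrote to memory of 1904 1456 {SAMPLE_IMAGE} 30
PID 564 wrote to memory of 828 564 {SAMPLE_IMAGE} 31
PID 828 wrote to memory of 864 828 takshost.exe 32
PID 1456 wrote to memory of 0 1456 {SAMPLE_IMAGE}
"""

# PID -> image, taken from the report's Processes tree (constructed map).
PROCESS_IMAGES = {
    564: SAMPLE_IMAGE, 896: SAMPLE_IMAGE, 1456: SAMPLE_IMAGE, 1904: SAMPLE_IMAGE,
    828: "takshost.exe", 864: "takshost.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P<src>\d+) (?P<image>\S+)(?: (?P<procid>\d+))?$"
)


@dataclass(frozen=True)
class IocRow:
    pid: int
    verb: str
    target: int
    image: str


def parse_rows(text: str) -> list[IocRow]:
    """Parse one IoC row per line; reject anything that does not match."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        rows.append(IocRow(int(m["pid"]), m["verb"], int(m["target"]), m["image"]))
    return rows


@dataclass(frozen=True)
class Candidate:
    pid: int
    target: int
    image: str        # image of the injecting process
    writes: int       # number of WriteProcessMemory rows for this pair
    same_image: bool  # target runs the same binary as the injector


def hollowing_candidates(rows, images=PROCESS_IMAGES) -> list[Candidate]:
    """A (pid, target) pair is a hollowing candidate when the injector both
    wrote into the target and replaced its thread context. Rows whose target
    is 0 name no resolvable process and are skipped."""
    writes = Counter()
    ctx = {}
    for r in rows:
        if r.target == 0:
            continue
        key = (r.pid, r.target)
        if r.verb == "wrote to memory of":
            writes[key] += 1
        else:
            ctx[key] = r.image
    return [
        Candidate(pid, tgt, img, writes[(pid, tgt)], images.get(tgt) == img)
        for (pid, tgt), img in sorted(ctx.items())
        if writes[(pid, tgt)]
    ]


def render_chain(cands) -> list[str]:
    """One line per candidate, parent before child, for an analyst's notes."""
    return [
        f"{c.pid} {c.image} -> {c.target} ({c.writes} writes, "
        f"{'same image' if c.same_image else 'different image'})"
        for c in cands
    ]


if __name__ == "__main__":
    for line in render_chain(hollowing_candidates(parse_rows(IOC_ROWS))):
        print(line)
```

Run against the real report rows the counts in the output match the collapsed table above; the point of keeping `same_image` is that a write-plus-SetThreadContext into a child of a different image (for example a hollowed system binary) is a stronger signal than a self-copy and deserves a separate severity.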
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe  (depth 1, PID 564)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe  (depth 2, PID 896)
    command line: "C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe  (depth 2, PID 1456)
    command line: "C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe  (depth 3, PID 1904)
      command line: /scomma "C:\Users\Admin\AppData\Local\Temp\HWxeJxJpEC.ini"
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe  (depth 2, PID 828)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe  (depth 3, PID 864)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
-
Note: /scomma <file> is the command-line switch the NirSoft password-recovery utilities use to export recovered credentials to a comma-separated file; ISR Stealer is known to carry those utilities in its payload, so PID 1904 is the credential-dumping step and HWxeJxJpEC.ini its output file. takshost.exe is a second copy of the sample dropped under %APPDATA%\Microsoft\Windows\Templates, which then repeats the same hollowing sequence (828 into 864).