Analysis
max time kernel: 39s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28/11/2022, 18:54
Static task: static1
Behavioral task: behavioral1
  Sample: 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe
  Resource: win10v2004-20221111-en
General
Target: 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe
Size: 1008KB
MD5: c8b0180a2c70e715a0dadaa90973543a
SHA1: a80187865a735580ceddb0f0d8dee79be10206ae
SHA256: 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7
SHA512: 14d6592830722e0be9bbf5f8395a1effc1fa64d68b97a71e149e588f0c16fef4a9f141fe34c3e61cdf9c1f172b189f76a8c06566001ff35c929adade7dc4fb8d
SSDEEP: 24576:gW6clRhnJG7oxHLqNcqjgAxl/Ze05uP2rQhv9jZFBbXfJ/:gW6GRFc7oxmNLjgAX/ZTDunFBbB
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
-
ISR Stealer payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1892-60-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/1892-62-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/1892-63-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/1892-73-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/1892-79-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
-
resource | yara_rule
behavioral1/memory/944-67-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/944-71-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/944-74-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/944-75-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/944-76-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/944-77-0x0000000000400000-0x0000000000453000-memory.dmp | upx
-
Uses the VBS compiler for execution (1 TTPs)
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2040 set thread context of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 1892 set thread context of 944 | 1892 | vbc.exe | 28
-
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1772 | 1892 | WerFault.exe | 27
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1892 | vbc.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 2040 wrote to memory of 1892 | 2040 | 5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe | 27
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 944 | 1892 | vbc.exe | 28
PID 1892 wrote to memory of 1772 | 1892 | vbc.exe | 29
PID 1892 wrote to memory of 1772 | 1892 | vbc.exe | 29
PID 1892 wrote to memory of 1772 | 1892 | vbc.exe | 29
PID 1892 wrote to memory of 1772 | 1892 | vbc.exe | 29
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5adf2984baa91b53d1c812a86de9ff547770fbdcf24c37655a5c1419b2f90fa7.exe"
   PID: 2040
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      PID: 1892
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\c6RXe3jQto.ini"
         PID: 944
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 288
         PID: 1772
         - Program crash