Analysis

  • max time kernel
    160s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 07:41 UTC

General

  • Target

    7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe

  • Size

    7.4MB

  • MD5

    042d8f91b6cf63017646706b74561b27

  • SHA1

    4bfe69b43b1bfe28702a7ef44cc68127b0b5ae05

  • SHA256

    7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474

  • SHA512

    73f68f192ec224a138da103eabb0c885b3a07bfb0bd4f5f5774d1294d614535ffefa58d404c1e9b1e0e9268456a198b81b79008b5dcefdfcd12c1c228e186b92

  • SSDEEP

    196608:pAnqVdHABvooPl0+cTY3tZLJejmOAWx1AtdmCimv/SHqUUHv/Swv/SW45qUUpcQE:+wQ5N0+mYZ1itLAdWm8q/Hz5aq/RC7p

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 3 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
    "C:\Users\Admin\AppData\Local\Temp\7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
          4⤵
          • Executes dropped EXE
          PID:3996
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3960
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          PID:372

Network

  • flag-unknown
    DNS
    bojku0.get24.org
    cvtres.exe
    Remote address:
    8.8.8.8:53
    Request
    bojku0.get24.org
    IN A
    Response
  • 93.184.221.240:80
    156 B
    3
  • 52.109.13.63:443
    40 B
    1
  • 93.184.221.240:80
    260 B
    5
  • 93.184.221.240:80
    46 B
    40 B
    1
    1
  • 93.184.220.29:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 93.184.221.240:80
    260 B
    5
  • 13.69.239.73:443
    322 B
    7
  • 93.184.221.240:80
    46 B
    40 B
    1
    1
  • 8.8.8.8:53
    bojku0.get24.org
    dns
    cvtres.exe
    62 B
    124 B
    1
    1

    DNS Request

    bojku0.get24.org

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cvtres.exe

    Filesize

    34KB

    MD5

    e118330b4629b12368d91b9df6488be0

    SHA1

    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256

    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512

    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

  • memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/372-162-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/372-154-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/444-155-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/444-168-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/444-134-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3060-169-0x0000000074C60000-0x0000000075211000-memory.dmp

    Filesize

    5.7MB

  • memory/3060-132-0x0000000074C60000-0x0000000075211000-memory.dmp

    Filesize

    5.7MB

  • memory/3960-163-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3960-165-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3960-161-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3960-150-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/3996-159-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/3996-167-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/3996-146-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/5116-144-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/5116-141-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/5116-158-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/5116-143-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB
