Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
160s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01/12/2022, 07:41
Static task
static1
Behavioral task
behavioral1
Sample
7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
Resource
win10v2004-20220812-en
General
-
Target
7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
-
Size
7.4MB
-
MD5
042d8f91b6cf63017646706b74561b27
-
SHA1
4bfe69b43b1bfe28702a7ef44cc68127b0b5ae05
-
SHA256
7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474
-
SHA512
73f68f192ec224a138da103eabb0c885b3a07bfb0bd4f5f5774d1294d614535ffefa58d404c1e9b1e0e9268456a198b81b79008b5dcefdfcd12c1c228e186b92
-
SSDEEP
196608:pAnqVdHABvooPl0+cTY3tZLJejmOAWx1AtdmCimv/SHqUUHv/Swv/SW45qUUpcQE:+wQ5N0+mYZ1itLAdWm8q/Hz5aq/RC7p
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 3 IoCs
resource yara_rule behavioral2/memory/444-134-0x0000000000400000-0x0000000000470000-memory.dmp family_isrstealer behavioral2/memory/444-155-0x0000000000400000-0x0000000000470000-memory.dmp family_isrstealer behavioral2/memory/444-168-0x0000000000400000-0x0000000000470000-memory.dmp family_isrstealer -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral2/memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/3996-146-0x0000000000400000-0x0000000000454000-memory.dmp WebBrowserPassView behavioral2/memory/3996-159-0x0000000000400000-0x0000000000454000-memory.dmp WebBrowserPassView behavioral2/memory/3996-167-0x0000000000400000-0x0000000000454000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
resource yara_rule behavioral2/memory/3996-146-0x0000000000400000-0x0000000000454000-memory.dmp Nirsoft behavioral2/memory/3996-159-0x0000000000400000-0x0000000000454000-memory.dmp Nirsoft behavioral2/memory/3960-163-0x0000000000400000-0x0000000000426000-memory.dmp Nirsoft behavioral2/memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral2/memory/3960-165-0x0000000000400000-0x0000000000426000-memory.dmp Nirsoft behavioral2/memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral2/memory/3996-167-0x0000000000400000-0x0000000000454000-memory.dmp Nirsoft -
Executes dropped EXE 5 IoCs
pid Process 444 cvtres.exe 5116 cvtres.exe 3996 cvtres.exe 3960 cvtres.exe 372 cvtres.exe -
resource yara_rule behavioral2/memory/3960-150-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/372-154-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral2/memory/372-162-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral2/memory/3960-161-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/3960-163-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral2/memory/3960-165-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts cvtres.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3060 set thread context of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 444 set thread context of 5116 444 cvtres.exe 83 PID 5116 set thread context of 3996 5116 cvtres.exe 84 PID 5116 set thread context of 3960 5116 cvtres.exe 85 PID 5116 set thread context of 372 5116 cvtres.exe 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 444 cvtres.exe 444 cvtres.exe 444 cvtres.exe 444 cvtres.exe 444 cvtres.exe 444 cvtres.exe 444 cvtres.exe 444 cvtres.exe 3960 cvtres.exe 3960 cvtres.exe 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe Token: SeDebugPrivilege 3960 cvtres.exe Token: SeDebugPrivilege 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 444 cvtres.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 3060 wrote to memory of 444 3060 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe 82 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 444 wrote to memory of 5116 444 cvtres.exe 83 PID 5116 wrote to memory of 3996 5116 cvtres.exe 84 PID 5116 wrote to memory of 3996 5116 cvtres.exe 84 PID 5116 wrote to memory of 3996 5116 cvtres.exe 84 PID 5116 wrote to memory of 3996 5116 cvtres.exe 84 PID 5116 wrote to memory of 3996 5116 cvtres.exe 84 PID 5116 wrote to memory of 3960 5116 cvtres.exe 85 PID 5116 wrote to memory of 3960 5116 cvtres.exe 85 PID 5116 wrote to memory of 3960 5116 cvtres.exe 85 PID 5116 wrote to memory of 3960 5116 cvtres.exe 85 PID 5116 wrote to memory of 3960 5116 cvtres.exe 85 PID 5116 wrote to memory of 372 5116 cvtres.exe 86 PID 5116 wrote to memory of 372 5116 cvtres.exe 86 PID 5116 wrote to memory of 372 5116 cvtres.exe 86 PID 5116 wrote to memory of 372 5116 cvtres.exe 86 PID 5116 wrote to memory of 372 5116 cvtres.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe"C:\Users\Admin\AppData\Local\Temp\7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\cvtres.exeC:\Users\Admin\AppData\Local\Temp\\cvtres.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\cvtres.exe"C:\Users\Admin\AppData\Local\Temp\cvtres.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\cvtres.exe"C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp4⤵
- Executes dropped EXE
PID:3996
-
-
C:\Users\Admin\AppData\Local\Temp\cvtres.exe"C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
-
C:\Users\Admin\AppData\Local\Temp\cvtres.exe"C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:372
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0