Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 15:48
Static task: static1
Behavioral task: behavioral1
  Sample: fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
  Resource: win10v2004-20221111-en
General
Target: fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
Size: 2.2MB
MD5: 306e9be63813dcd81bc3a74871f0a665
SHA1: 900848f008d7bcac739b63899821778ce7c13e0f
SHA256: fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a
SHA512: 500431564a290b4500b1a175dbab5d2c50fcea8a93aca1d91bf0658ffc3402134a2fad1820d979f8c2ba2aa9c51519f771d9d64ad45f6147f0d6cf8e0ef36527
SSDEEP: 49152:TSxosGgMLBfPxuvwvbTzzNNeICqMCF9g8yUyPzeljVJb6nHAiBvfP:TSx3GggBg4vHPNNBCqM+bv8CLfiBf
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
ISR Stealer payload 4 IoCs
resource; yara_rule:
behavioral1/memory/1336-67-0x0000000000400000-0x0000000000414000-memory.dmp; family_isrstealer
behavioral1/memory/1336-68-0x0000000000400000-0x0000000000414000-memory.dmp; family_isrstealer
behavioral1/memory/1336-69-0x00000000004011F0-mapping.dmp; family_isrstealer
behavioral1/memory/1336-75-0x0000000000401000-0x0000000000412000-memory.dmp; family_isrstealer
Executes dropped EXE 2 IoCs
pid; Process:
2040; explorer.exe
1580; WinRAR411.exe
Loads dropped DLL 7 IoCs
pid; Process:
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
Suspicious use of SetThreadContext 1 IoCs
description; pid; Process; procid_target:
PID 2040 set thread context of 1336; 2040; explorer.exe; 29
Drops file in Windows directory 2 IoCs
description; ioc; Process:
File created; C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new; explorer.exe
File created; C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new; explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
description; ioc; Process:
Key created; \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main; WinRAR411.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid; Process:
1336; AppLaunch.exe
1336; AppLaunch.exe
1336; AppLaunch.exe
1336; AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description; pid; Process:
Token: SeDebugPrivilege; 2040; explorer.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid; Process:
1336; AppLaunch.exe
1580; WinRAR411.exe
1580; WinRAR411.exe
Suspicious use of WriteProcessMemory 25 IoCs
description; pid; Process; procid_target:
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 1784 wrote to memory of 2040; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 28
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 2040 wrote to memory of 1336; 2040; explorer.exe; 29
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
PID 1784 wrote to memory of 1580; 1784; fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe; 32
Processes
C:\Users\Admin\AppData\Local\Temp\fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd8aea8afeba8a171afc6b81a9c0a418be0b90c7a8cffccb3f1712333377191a.exe"
  PID: 1784
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe"
    PID: 2040
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      PID: 1336
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR411.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR411.exe"
    PID: 1580
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.1MB
MD5: c1e7623669d68d43037419e602f2c238
SHA1: 2451c4d95a59d25a933662ad0dcb82eb2772d8e1
SHA256: f1be8608f5324b0ef37384d735850d374c1aebf1c2a5c924d57d981f442c7730
SHA512: 80a6a1371b3cdd16b22e0c7eac10973df008f0fcc035db6b0a23afee8943e9cffb71c6a4ad7765326f6f19c8d5a4851bf99648c323a403fb7a2cc60155d6d4f7

Filesize: 159KB
MD5: c74cae46f9e11aa24c9dd901b69bc3aa
SHA1: adc3fbb03b059eb07a038c707f9ab449366296f7
SHA256: d9bf94a7c82eca74cca5b512c08e43d87aa5dd50da36cfc2586764013ee813c9
SHA512: 37e2e3f8ec95e7ba8f32d0816f023ae916dc103cc086f44db2974b636dc18e88c2715c176012133ec9a747979e02a21d402b6f60547a36695e8701a177642e4d