Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 03:07

General

  • Target

    c4d20a36d9f0e1ca758818b3be981779.exe

  • Size

    606KB

  • MD5

    c4d20a36d9f0e1ca758818b3be981779

  • SHA1

    2d55fcb91c41aa7d63f240fc1c5a49c919cc4487

  • SHA256

    1fbf779d7f1d4dfe9cd3f7c84c6e5763bb77530acc11732563e7abaeaba65a93

  • SHA512

    e926955240c20b52d885a3471bd422cf0903e49260595419cdef1851676539b84379c1a6959a8ef9452352035f443052886d0a10c913da91824a0a0ae5e77ffe

  • SSDEEP

    12288:DrVRbtxoNY4psjC6bswqW4jV//1iVs9odGn:DrFuJVMFMie9odO

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

  • ISR Stealer payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4d20a36d9f0e1ca758818b3be981779.exe
    "C:\Users\Admin\AppData\Local\Temp\c4d20a36d9f0e1ca758818b3be981779.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\tmp1.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Local\Temp\tmp1.EXE
        "C:\Users\Admin\AppData\Local\Temp\tmp1.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2720
    • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Local\Temp\tmp2.EXE
        "C:\Users\Admin\AppData\Local\Temp\tmp2.EXE"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2.exe

    Filesize

    216KB

    MD5

    f0c93f442042bbbe985674d671191ed3

    SHA1

    a9ebbe67032eec48673b42325682859ce06a5e2c

    SHA256

    9708ceb9b7f76534315948101b2c8493d0c96e8205eee25e7b8a5473f65b997e

    SHA512

    7e8978c682d0e735f8f7bc16d1fb99136e927c7dc1d6e0fe5be41f0ec0808af9203bf146653f9fe4ac806c91f532144f5b27ac2b9adcb7b3876d4ab02a75e776

  • \Users\Admin\AppData\Local\Temp\tmp1.exe

    Filesize

    156KB

    MD5

    c1cfb778cbfe135b6fb0d2b6b9116b38

    SHA1

    f90af1a915f603a6acc40c18a5d9e8e6eef8d015

    SHA256

    b5d32c93e9a815f775489aa2b0ab1f86d45821df344916237746557062d7e8fb

    SHA512

    8ca72c995233c5c14eb9d1b6d6b1b70f72f03acbfb578743b0da8bce03b36d0d2d7e005feefb2fffd55f803e41f9e17b5be8ccc5a333a34d426545fbb6443b0a

  • memory/2340-0-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2340-27-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2524-32-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2524-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2524-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2524-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2720-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2720-45-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB