Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13/03/2024, 03:07
Static task: static1
Behavioral task: behavioral1
- Sample: c4d20a36d9f0e1ca758818b3be981779.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: c4d20a36d9f0e1ca758818b3be981779.exe
- Resource: win10v2004-20240226-en
General
- Target: c4d20a36d9f0e1ca758818b3be981779.exe
- Size: 606KB
- MD5: c4d20a36d9f0e1ca758818b3be981779
- SHA1: 2d55fcb91c41aa7d63f240fc1c5a49c919cc4487
- SHA256: 1fbf779d7f1d4dfe9cd3f7c84c6e5763bb77530acc11732563e7abaeaba65a93
- SHA512: e926955240c20b52d885a3471bd422cf0903e49260595419cdef1851676539b84379c1a6959a8ef9452352035f443052886d0a10c913da91824a0a0ae5e77ffe
- SSDEEP: 12288:DrVRbtxoNY4psjC6bswqW4jV//1iVs9odGn:DrFuJVMFMie9odO
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2720-31-0x0000000000400000-0x0000000000414000-memory.dmp  family_isrstealer
  behavioral1/memory/2720-45-0x0000000000400000-0x0000000000414000-memory.dmp  family_isrstealer
- Executes dropped EXE (4 IoCs)
  pid   Process
  2172  tmp1.exe
  1732  tmp2.exe
  2720  tmp1.EXE
  2524  tmp2.EXE
- Loads dropped DLL (6 IoCs)
  pid   Process
  2340  c4d20a36d9f0e1ca758818b3be981779.exe
  2340  c4d20a36d9f0e1ca758818b3be981779.exe
  2340  c4d20a36d9f0e1ca758818b3be981779.exe
  2340  c4d20a36d9f0e1ca758818b3be981779.exe
  2172  tmp1.exe
  1732  tmp2.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit = "C:\\Users\\Admin\\AppData\\Roaming\\RegEdit.exe"
  Process: tmp2.EXE
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process   procid_target
  PID 2172 set thread context of 2720  2172  tmp1.exe  30
  PID 1732 set thread context of 2524  1732  tmp2.exe  31
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2720  tmp1.EXE
  2720  tmp1.EXE
  2720  tmp1.EXE
  2720  tmp1.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2340  c4d20a36d9f0e1ca758818b3be981779.exe
  2172  tmp1.exe
  1732  tmp2.exe
  2720  tmp1.EXE
- Suspicious use of WriteProcessMemory (28 IoCs)
  description                       pid   Process                               procid_target
  PID 2340 wrote to memory of 2172  2340  c4d20a36d9f0e1ca758818b3be981779.exe  28
  PID 2340 wrote to memory of 2172  2340  c4d20a36d9f0e1ca758818b3be981779.exe  28
  PID 2340 wrote to memory of 2172  2340  c4d20a36d9f0e1ca758818b3be981779.exe  28
  PID 2340 wrote to memory of 2172  2340  c4d20a36d9f0e1ca758818b3be981779.exe  28
  PID 2340 wrote to memory of 1732  2340  c4d20a36d9f0e1ca758818b3be981779.exe  29
  PID 2340 wrote to memory of 1732  2340  c4d20a36d9f0e1ca758818b3be981779.exe  29
  PID 2340 wrote to memory of 1732  2340  c4d20a36d9f0e1ca758818b3be981779.exe  29
  PID 2340 wrote to memory of 1732  2340  c4d20a36d9f0e1ca758818b3be981779.exe  29
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 2172 wrote to memory of 2720  2172  tmp1.exe                              30
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
  PID 1732 wrote to memory of 2524  1732  tmp2.exe                              31
Processes
- C:\Users\Admin\AppData\Local\Temp\c4d20a36d9f0e1ca758818b3be981779.exe  "C:\Users\Admin\AppData\Local\Temp\c4d20a36d9f0e1ca758818b3be981779.exe"  (PID 2340)
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp1.exe  "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"  (PID 2172)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tmp1.EXE  "C:\Users\Admin\AppData\Local\Temp\tmp1.EXE"  (PID 2720)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\tmp2.exe  "C:\Users\Admin\AppData\Local\Temp\tmp2.exe"  (PID 1732)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tmp2.EXE  "C:\Users\Admin\AppData\Local\Temp\tmp2.EXE"  (PID 2524)
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 216KB
  MD5: f0c93f442042bbbe985674d671191ed3
  SHA1: a9ebbe67032eec48673b42325682859ce06a5e2c
  SHA256: 9708ceb9b7f76534315948101b2c8493d0c96e8205eee25e7b8a5473f65b997e
  SHA512: 7e8978c682d0e735f8f7bc16d1fb99136e927c7dc1d6e0fe5be41f0ec0808af9203bf146653f9fe4ac806c91f532144f5b27ac2b9adcb7b3876d4ab02a75e776
- Filesize: 156KB
  MD5: c1cfb778cbfe135b6fb0d2b6b9116b38
  SHA1: f90af1a915f603a6acc40c18a5d9e8e6eef8d015
  SHA256: b5d32c93e9a815f775489aa2b0ab1f86d45821df344916237746557062d7e8fb
  SHA512: 8ca72c995233c5c14eb9d1b6d6b1b70f72f03acbfb578743b0da8bce03b36d0d2d7e005feefb2fffd55f803e41f9e17b5be8ccc5a333a34d426545fbb6443b0a