Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    110s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2024, 08:43

General

  • Target

    011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe

  • Size

    737KB

  • MD5

    8ea5e38acebe9b835f9b330faa8d6560

  • SHA1

    d3473c0c7fd2b8d85104f0d6b5560cd8487177af

  • SHA256

    011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7

  • SHA512

    cd0fab7d46856e7504a9f5dc1528177a2bc79e26ad0f12ecb9e860f524c4cc2ef40f5ac8d28d2f50169242f7fa8ad2a12fe090950c835906ce4976ff6b363e58

  • SSDEEP

    6144:SgxilHZyojpSVOfkNvR/XwSFXHw5sKxGhjuZxerwfJcWVPwt+Verd1cIJYvvmW:6lYkCRv5FX8sKxGhyyk6TcIJYvvmW

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

  • ISR Stealer payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe
    "C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Roaming\app.exe
      "C:\Users\Admin\AppData\Roaming\app.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Users\Admin\AppData\Roaming\app.exe
        "C:\Users\Admin\AppData\Roaming\app.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Users\Admin\AppData\Roaming\app.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\KCY0jFpCKD.ini"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2828
        • C:\Users\Admin\AppData\Roaming\app.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\XzX3EwrtaU.ini"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:3400
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 12
            5⤵
            • Program crash
            PID:3964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3400 -ip 3400
    1⤵
      PID:2080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\KCY0jFpCKD.ini

      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    • C:\Users\Admin\AppData\Roaming\app.exe

      Filesize

      746KB

      MD5

      edc1128ee54373c07de027040d68f004

      SHA1

      0f3941f664c97dda42107377b9de6029aed4b5ae

      SHA256

      72558ea9267f5de1431f4ed565f11d2f1b03d19f04777148d81cc4ff404ebc26

      SHA512

      89585199fe904e9a32049e2bffc47c611f6e18d8682f10292f308f9b5a1c857690de549f2ab530409c0daf8822bcac0c227e37422b93d3dcf43c729d8ae19241

    • memory/2072-31-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-43-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-35-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-32-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-33-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-34-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-56-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-42-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-38-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-57-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-37-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2828-49-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2828-52-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2828-50-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2828-46-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3372-30-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-8-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-7-0x0000000075282000-0x0000000075283000-memory.dmp

      Filesize

      4KB

    • memory/3372-6-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-0-0x0000000075282000-0x0000000075283000-memory.dmp

      Filesize

      4KB

    • memory/3372-5-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-2-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-1-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3400-54-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB