Analysis

  • max time kernel
    110s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/09/2024, 08:43 UTC

General

  • Target

    011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe

  • Size

    737KB

  • MD5

    8ea5e38acebe9b835f9b330faa8d6560

  • SHA1

    d3473c0c7fd2b8d85104f0d6b5560cd8487177af

  • SHA256

    011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7

  • SHA512

    cd0fab7d46856e7504a9f5dc1528177a2bc79e26ad0f12ecb9e860f524c4cc2ef40f5ac8d28d2f50169242f7fa8ad2a12fe090950c835906ce4976ff6b363e58

  • SSDEEP

    6144:SgxilHZyojpSVOfkNvR/XwSFXHw5sKxGhjuZxerwfJcWVPwt+Verd1cIJYvvmW:6lYkCRv5FX8sKxGhyyk6TcIJYvvmW

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer, written in Visual Basic.

  • ISR Stealer payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
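The UPX signature above keys on the packer's default section names, which a modified UPX build can rename. The following added example (written for this page, not tria.ge's detection code) parses a PE section table directly and pairs the name check with a layout-and-entropy check that survives renaming: UPX leaves a first section with zero raw size (space reserved for the unpacked image) followed by a high-entropy compressed section. The three PE images it examines are constructed inside the block; nothing is read from the report's binaries.

```python
import math
import random
import struct
from collections import Counter

# build_pe() exists only so the example runs offline on constructed images; the parser and
# heuristics below are what you would point at a real file read with open(path, "rb").read().

def build_pe(sections):
    """Minimal PE32 file: DOS header, COFF header, zeroed optional header, section table, raw data.
    sections = [(name, virtual_size, raw_bytes)]; a section with empty raw bytes gets raw size 0."""
    pe_off, opt_size = 0x40, 0xE0
    table_off = pe_off + 24 + opt_size                      # 4-byte "PE\0\0" + 20-byte COFF header
    raw_ptr = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF   # 0x200 file alignment
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)               # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(raw),
                             raw_ptr + len(body) if raw else 0, 0, 0, 0, 0, 0xE0000020)
        body += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    img = dos + coff + opt + table
    img += b"\0" * (raw_ptr - len(img))
    return bytes(img + body)


def shannon_entropy(buf):
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits above roughly 7."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk the section table and return name, sizes and raw-data entropy per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        out.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                    "entropy": round(shannon_entropy(raw), 2)})
    return out


def upx_verdict(data):
    """Two independent signals: UPX's default section names, and the layout UPX leaves behind
    even when the names are patched out (hollow first section, then a high-entropy section)."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    named_upx = any(n.upper().startswith("UPX") for n in names)
    hollow_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    high_entropy = [s["name"] for s in secs if s["raw_size"] >= 1024 and s["entropy"] > 7.0]
    layout_upx = hollow_first and bool(high_entropy)
    return {"sections": names, "named_upx": named_upx, "layout_upx": layout_upx,
            "high_entropy_sections": high_entropy, "packed": named_upx or layout_upx}


# Constructed inputs (not the report's binaries). A deterministic pseudo-random blob stands in
# for compressed code; RENAMED_SAMPLE is the shape a modified UPX build with renamed sections produces.
_rng = random.Random(7)
_COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))
UPX_SAMPLE = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x2000, _COMPRESSED), (".rsrc", 0x1000, b"\0" * 512)])
RENAMED_SAMPLE = build_pe([(".text", 0x20000, b""), (".data", 0x2000, _COMPRESSED), (".rsrc", 0x1000, b"\0" * 512)])
CLEAN_SAMPLE = build_pe([(".text", 0x1000, b"\x90" * 2048 + b"\xc3"), (".data", 0x200, b"hello\0" * 64)])

if __name__ == "__main__":
    for label, img in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_verdict(img))
```

The entropy threshold is deliberately conservative: normal x86 code sections land around 6 bits per byte, so a section above 7 with a zero-raw-size sibling in front of it is a strong packer signal, while a renamed-but-unpacked binary trips neither check. On a real file, a positive from either signal is what the "UPX packed file" line in a report like this one records; only the unpacked payload tells you what the sample actually is.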

Processes

  • C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe
    "C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Roaming\app.exe
      "C:\Users\Admin\AppData\Roaming\app.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Users\Admin\AppData\Roaming\app.exe
        "C:\Users\Admin\AppData\Roaming\app.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Users\Admin\AppData\Roaming\app.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\KCY0jFpCKD.ini"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2828
        • C:\Users\Admin\AppData\Roaming\app.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\XzX3EwrtaU.ini"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:3400
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 12
            5⤵
            • Program crash
            PID:3964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3400 -ip 3400
    1⤵
      PID:2080
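The tree above is the behaviour the signatures summarise. The Temp-resident sample (PID 3372) writes a Run key and starts %APPDATA%\app.exe; app.exe then re-executes its own image several times (the SetThreadContext and UnmapMainImage flags on those children are consistent with the copies being hollowed and overwritten with another payload), and two of the copies are started with `/scomma "<Temp>\<random>.ini"`, the NirSoft command-line switch that writes a tool's results to a comma-separated file. WerFault then catches a crash in PID 3400. The added example below (not tria.ge code) turns those three observables into detections over constructed Sysmon-style events that mirror this tree and rolls the findings up to the root process. PIDs and image paths are taken from the report; the explorer.exe parent, the Run value name `app` and the SID are assumptions made so the sample runs.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events: Event ID 1 = process create, Event ID 13 = registry value set.
# PIDs and image paths follow this report; PID 1234 / explorer.exe, the Run value name "app"
# and the SID are assumptions. Field names follow Sysmon's event schema.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe"
APP = r"C:\Users\Admin\AppData\Roaming\app.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

def _proc(pid, ppid, image, parent_image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline}

EVENTS = [
    _proc(3372, 1234, SAMPLE, EXPLORER, f'"{SAMPLE}"'),
    {"EventID": 13, "ProcessId": 3372,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\app",
     "Details": APP},
    _proc(2072, 3372, APP, SAMPLE, f'"{APP}"'),
    _proc(2580, 2072, APP, APP, f'"{APP}"'),
    _proc(2828, 2580, APP, APP, r'/scomma "C:\Users\Admin\AppData\Local\Temp\KCY0jFpCKD.ini"'),
    _proc(3400, 2580, APP, APP, r'/scomma "C:\Users\Admin\AppData\Local\Temp\XzX3EwrtaU.ini"'),
    _proc(3964, 3400, WERFAULT, APP, f"{WERFAULT} -u -p 3400 -s 12"),
    _proc(4100, 1234, r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe"),  # benign control
]

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# NirSoft-style "save report" switches; /scomma writes comma-separated output to the named file.
EXPORT_SWITCH = re.compile(r'/s(?:comma|tab|text|html|verhtml|xml)\s+"?([^"\s]+)', re.I)

def _user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)

def detect(events):
    """Per-event indicators. Each finding is (kind, pid, evidence)."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and any(k in ev["TargetObject"].lower() for k in RUN_KEYS):
            if _user_writable(ev["Details"]):           # autorun pointing into a user-writable path
                findings.append(("run_key_user_writable", ev["ProcessId"], ev["Details"]))
        elif ev["EventID"] == 1:
            if ev["Image"].lower() == ev["ParentImage"].lower() and _user_writable(ev["Image"]):
                findings.append(("self_spawn_same_image", ev["ProcessId"], ev["Image"]))
            m = EXPORT_SWITCH.search(ev["CommandLine"])
            if m and "\\temp\\" in m.group(1).lower():  # credential export dropped into Temp
                findings.append(("csv_export_to_temp", ev["ProcessId"], m.group(1)))
    return findings

def process_roots(events):
    """Map each created PID to its top-most ancestor that also appears in the event set."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    def root(pid):
        seen = {pid}
        while parent_of.get(pid) in parent_of and parent_of[pid] not in seen:
            pid = parent_of[pid]
            seen.add(pid)
        return pid
    return {pid: root(pid) for pid in parent_of}

def stealer_chains(events, min_kinds=3):
    """Roll findings up to the root of their process tree. A root whose subtree shows all three
    behaviours (persistence, self re-execution, credential export) is reported as one incident."""
    roots = process_roots(events)
    kinds_by_root = defaultdict(set)
    for kind, pid, _evidence in detect(events):
        kinds_by_root[roots.get(pid, pid)].add(kind)
    return {r: sorted(k) for r, k in kinds_by_root.items() if len(k) >= min_kinds}

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
    print("chains:", stealer_chains(EVENTS))
```

Each indicator on its own is noisy (installers write Run keys into AppData; some legitimate software re-launches its own image), which is why the roll-up requires all three kinds under one root before naming an incident. The WerFault child and the notepad control produce no findings, and the crash report itself is a useful hunting pivot: WerFault's `-p` argument carries the PID of the hollowed process.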

    Network

    DNS requests (all sent to 8.8.8.8:53; remote address flagged US)

    Query                           Type  Process  Response
    8.8.8.8.in-addr.arpa            PTR   -        dns.google
    58.55.71.13.in-addr.arpa        PTR   -        (empty)
    101.209.201.84.in-addr.arpa     PTR   -        (empty)
    68.159.190.20.in-addr.arpa      PTR   -        (empty)
    95.221.229.192.in-addr.arpa     PTR   -        (empty)
    228.249.119.40.in-addr.arpa     PTR   -        (empty)
    56.163.245.4.in-addr.arpa       PTR   -        (empty)
    198.187.3.20.in-addr.arpa       PTR   -        (empty)
    100.209.201.84.in-addr.arpa     PTR   -        (empty)
    172.210.232.199.in-addr.arpa    PTR   -        (empty)
    30.243.111.52.in-addr.arpa      PTR   -        (empty)
    salesblogg.in                   A     app.exe  (empty)
    salesblogg.in                   A     app.exe  (empty)
    Connections

    Remote address  Domain                         Proto  Process  Sent   Received  Requests  Responses
    8.8.8.8:53      8.8.8.8.in-addr.arpa           dns    -        66 B   90 B      1         1
    8.8.8.8:53      58.55.71.13.in-addr.arpa       dns    -        70 B   144 B     1         1
    8.8.8.8:53      101.209.201.84.in-addr.arpa    dns    -        73 B   133 B     1         1
    8.8.8.8:53      68.159.190.20.in-addr.arpa     dns    -        72 B   158 B     1         1
    8.8.8.8:53      95.221.229.192.in-addr.arpa    dns    -        73 B   144 B     1         1
    8.8.8.8:53      228.249.119.40.in-addr.arpa    dns    -        73 B   159 B     1         1
    8.8.8.8:53      56.163.245.4.in-addr.arpa      dns    -        71 B   157 B     1         1
    8.8.8.8:53      198.187.3.20.in-addr.arpa      dns    -        71 B   157 B     1         1
    8.8.8.8:53      100.209.201.84.in-addr.arpa    dns    -        73 B   133 B     1         1
    8.8.8.8:53      172.210.232.199.in-addr.arpa   dns    -        74 B   128 B     1         1
    8.8.8.8:53      30.243.111.52.in-addr.arpa     dns    -        72 B   158 B     1         1
    8.8.8.8:53      salesblogg.in                  dns    app.exe  118 B  224 B     2         2
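Of the DNS activity above, only the two A lookups for salesblogg.in are attributed to a process (app.exe, the dropped payload); the eleven PTR queries have no requesting process, and the only information they carry is the IP address spelled backwards in the in-addr.arpa name. The added example below (not part of the tria.ge report) restates the records as constructed data, recovers the IPs from the reverse names, and separates the sample's own forward lookups from that background, flagging the ones that received no answer in this run.

```python
from collections import Counter

# Constructed records (not tria.ge output) restating this report's DNS section:
# (query name, record type, requesting process or None, answers returned).
DNS_RECORDS = [
    ("8.8.8.8.in-addr.arpa", "PTR", None, ["dns.google"]),
    ("58.55.71.13.in-addr.arpa", "PTR", None, []),
    ("101.209.201.84.in-addr.arpa", "PTR", None, []),
    ("68.159.190.20.in-addr.arpa", "PTR", None, []),
    ("95.221.229.192.in-addr.arpa", "PTR", None, []),
    ("228.249.119.40.in-addr.arpa", "PTR", None, []),
    ("56.163.245.4.in-addr.arpa", "PTR", None, []),
    ("198.187.3.20.in-addr.arpa", "PTR", None, []),
    ("100.209.201.84.in-addr.arpa", "PTR", None, []),
    ("172.210.232.199.in-addr.arpa", "PTR", None, []),
    ("30.243.111.52.in-addr.arpa", "PTR", None, []),
    ("salesblogg.in", "A", "app.exe", []),
    ("salesblogg.in", "A", "app.exe", []),
]

def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'. Reverse-DNS names list the octets in
    reverse order; anything that is not a well-formed IPv4 reverse name yields None."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]
    if not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(octets)

def triage_dns(records):
    """Split a sandbox DNS log into background reverse lookups (no requesting process) and
    forward lookups attributed to the sample, recording which of the latter never resolved."""
    background, queries, answered = [], Counter(), {}
    for name, qtype, proc, answers in records:
        if qtype == "PTR" and proc is None:
            background.append({"ip": ptr_to_ip(name), "hostname": answers[0] if answers else None})
        else:
            key = (name, qtype, proc)
            queries[key] += 1
            answered[key] = answered.get(key, False) or bool(answers)
    sample_lookups = [{"name": n, "type": t, "process": p, "queries": c, "resolved": answered[(n, t, p)]}
                      for (n, t, p), c in queries.items()]
    return {
        "background": background,
        "sample_lookups": sample_lookups,
        # Domains the sample asked for but never got an address for in this capture.
        "unresolved_indicators": sorted({l["name"] for l in sample_lookups if not l["resolved"]}),
    }

if __name__ == "__main__":
    result = triage_dns(DNS_RECORDS)
    for b in result["background"]:
        print("background PTR", b["ip"], b["hostname"] or "-")
    for l in result["sample_lookups"]:
        print("sample lookup", l)
    print("unresolved indicators:", result["unresolved_indicators"])
```

The practical output is short: one domain, salesblogg.in, requested twice by app.exe with no A record returned, so no C2 traffic follows in this run. An unresolved lookup is still an indicator worth blocking and hunting for, since the same sample on a host where the name does resolve would proceed to exfiltrate the .ini files written to Temp. The eleven recovered IPs belong to the unattributed reverse lookups and should not be treated as sample infrastructure on the strength of this report alone.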

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\KCY0jFpCKD.ini

      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    • C:\Users\Admin\AppData\Roaming\app.exe

      Filesize

      746KB

      MD5

      edc1128ee54373c07de027040d68f004

      SHA1

      0f3941f664c97dda42107377b9de6029aed4b5ae

      SHA256

      72558ea9267f5de1431f4ed565f11d2f1b03d19f04777148d81cc4ff404ebc26

      SHA512

      89585199fe904e9a32049e2bffc47c611f6e18d8682f10292f308f9b5a1c857690de549f2ab530409c0daf8822bcac0c227e37422b93d3dcf43c729d8ae19241

    • memory/2072-31-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-43-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-35-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-32-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-33-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2072-34-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-56-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-42-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-38-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-57-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2580-37-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2828-49-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2828-52-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2828-50-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2828-46-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3372-30-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-8-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-7-0x0000000075282000-0x0000000075283000-memory.dmp

      Filesize

      4KB

    • memory/3372-6-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-0-0x0000000075282000-0x0000000075283000-memory.dmp

      Filesize

      4KB

    • memory/3372-5-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-2-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3372-1-0x0000000075280000-0x0000000075831000-memory.dmp

      Filesize

      5.7MB

    • memory/3400-54-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB
