Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 08:43
Static task
static1
Behavioral task
behavioral1
Sample
011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe
Resource
win10v2004-20240802-en
General
-
Target
011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe
-
Size
737KB
-
MD5
8ea5e38acebe9b835f9b330faa8d6560
-
SHA1
d3473c0c7fd2b8d85104f0d6b5560cd8487177af
-
SHA256
011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7
-
SHA512
cd0fab7d46856e7504a9f5dc1528177a2bc79e26ad0f12ecb9e860f524c4cc2ef40f5ac8d28d2f50169242f7fa8ad2a12fe090950c835906ce4976ff6b363e58
-
SSDEEP
6144:SgxilHZyojpSVOfkNvR/XwSFXHw5sKxGhjuZxerwfJcWVPwt+Verd1cIJYvvmW:6lYkCRv5FX8sKxGhyyk6TcIJYvvmW
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 5 IoCs
resource yara_rule behavioral2/memory/2580-37-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral2/memory/2580-38-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral2/memory/2580-42-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral2/memory/2580-56-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral2/memory/2580-57-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe -
Executes dropped EXE 4 IoCs
pid Process 2072 app.exe 2580 app.exe 2828 app.exe 3400 app.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2072 set thread context of 2580 2072 app.exe 92 PID 2580 set thread context of 2828 2580 app.exe 93 PID 2580 set thread context of 3400 2580 app.exe 94 -
resource yara_rule behavioral2/memory/2828-49-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral2/memory/2828-52-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral2/memory/2828-50-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral2/memory/2828-46-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral2/memory/3400-54-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3964 3400 WerFault.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 2072 app.exe 2072 app.exe 2072 app.exe 2072 app.exe 2072 app.exe 2072 app.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe Token: SeDebugPrivilege 2072 app.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2580 app.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3400 app.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3372 wrote to memory of 2072 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 91 PID 3372 wrote to memory of 2072 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 91 PID 3372 wrote to memory of 2072 3372 011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe 91 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2072 wrote to memory of 2580 2072 app.exe 92 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 2828 2580 app.exe 93 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94 PID 2580 wrote to memory of 3400 2580 app.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe"C:\Users\Admin\AppData\Local\Temp\011c839ea6f5be8ca3e8c2088248f8301bbc614cdc8746c040033206b103c1e7N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Users\Admin\AppData\Roaming\app.exe"C:\Users\Admin\AppData\Roaming\app.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Roaming\app.exe"C:\Users\Admin\AppData\Roaming\app.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Roaming\app.exe/scomma "C:\Users\Admin\AppData\Local\Temp\KCY0jFpCKD.ini"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828
-
-
C:\Users\Admin\AppData\Roaming\app.exe/scomma "C:\Users\Admin\AppData\Local\Temp\XzX3EwrtaU.ini"4⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:3400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 125⤵
- Program crash
PID:3964
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3400 -ip 34001⤵PID:2080
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
746KB
MD5edc1128ee54373c07de027040d68f004
SHA10f3941f664c97dda42107377b9de6029aed4b5ae
SHA25672558ea9267f5de1431f4ed565f11d2f1b03d19f04777148d81cc4ff404ebc26
SHA51289585199fe904e9a32049e2bffc47c611f6e18d8682f10292f308f9b5a1c857690de549f2ab530409c0daf8822bcac0c227e37422b93d3dcf43c729d8ae19241