Analysis

  • max time kernel
    117s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/02/2025, 17:20

General

  • Target

    ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe

  • Size

    962KB

  • MD5

    2626b7755d40d743f55c7580a1beb8b0

  • SHA1

    e3771299ec9da3c6ed2ee23ebf509e08fbd1237f

  • SHA256

    ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0

  • SHA512

    1a5df2f2c182601716575f12ea0bc6a677500e9c8a962b442bd1d31c35a6a287c790061b2071ffac31ebf94a138b0e3d6c8ef53b0cd424faa5a7e63259732e05

  • SSDEEP

    24576:Jt24wfvf7a8DPw67oc1xuzoVF5r5QAwFv0XcI:1ef7aD6Ffuw7B2fI

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 3 IoCs
  • Isrstealer family
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 8 IoCs
  • Detected Nirsoft tools 5 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 12 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Suspicious use of SetThreadContext 21 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\2j3ttgc8z87nhh\java.com
      "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\2IcmWcXXue.ini"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1092
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\OXZweVZVa6.ini"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:1552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\2j3ttgc8z87nhh\java.com
          "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
            5⤵
              PID:2932
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
              5⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:3044
              • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                6⤵
                • Modifies visibility of hidden/system files in Explorer
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2104
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                  7⤵
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2320
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\uebhBN5X4e.ini"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2276
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\FQSdUFcQTR.ini"
                    8⤵
                    • Accesses Microsoft Outlook accounts
                    • System Location Discovery: System Language Discovery
                    PID:1436
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
                  7⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:1256
                  • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                    "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                    8⤵
                    • Modifies visibility of hidden/system files in Explorer
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Checks whether UAC is enabled
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1656
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                      9⤵
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2544
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                        /scomma "C:\Users\Admin\AppData\Local\Temp\G0HJNgQeIQ.ini"
                        10⤵
                        • System Location Discovery: System Language Discovery
                        PID:812
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                        /scomma "C:\Users\Admin\AppData\Local\Temp\8U6ATX7tA5.ini"
                        10⤵
                        • Accesses Microsoft Outlook accounts
                        • System Location Discovery: System Language Discovery
                        PID:1752
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
                      9⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2612
                      • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                        10⤵
                        • Modifies visibility of hidden/system files in Explorer
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Checks whether UAC is enabled
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:2528
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                          11⤵
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:3028
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\5PLH0CfaVf.ini"
                            12⤵
                            • System Location Discovery: System Language Discovery
                            PID:3024
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\fljrbSLKZh.ini"
                            12⤵
                            • Accesses Microsoft Outlook accounts
                            • System Location Discovery: System Language Discovery
                            PID:2856
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
                          11⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:2952
                          • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                            "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                            12⤵
                            • Modifies visibility of hidden/system files in Explorer
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Checks whether UAC is enabled
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            PID:2344
                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                              13⤵
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:876
                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                /scomma "C:\Users\Admin\AppData\Local\Temp\ORPg2Il7PP.ini"
                                14⤵
                                  PID:656
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                  /scomma "C:\Users\Admin\AppData\Local\Temp\VdvyJGCwHx.ini"
                                  14⤵
                                  • Accesses Microsoft Outlook accounts
                                  • System Location Discovery: System Language Discovery
                                  PID:1240
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
                                13⤵
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                PID:2416
                                • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                                  "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                                  14⤵
                                  • Modifies visibility of hidden/system files in Explorer
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Checks whether UAC is enabled
                                  • Suspicious use of SetThreadContext
                                  • System Location Discovery: System Language Discovery
                                  PID:1072
                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                    15⤵
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2260
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      /scomma "C:\Users\Admin\AppData\Local\Temp\ULEa6mMFIu.ini"
                                      16⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1844
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      /scomma "C:\Users\Admin\AppData\Local\Temp\lVPG7j6FKy.ini"
                                      16⤵
                                      • Accesses Microsoft Outlook accounts
                                      • System Location Discovery: System Language Discovery
                                      PID:2932
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
                                    15⤵
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:1584
                                    • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                                      "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                                      16⤵
                                      • Modifies visibility of hidden/system files in Explorer
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Checks whether UAC is enabled
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      PID:1108
                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                        17⤵
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1560
                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                          /scomma "C:\Users\Admin\AppData\Local\Temp\Swpbkr1YZd.ini"
                                          18⤵
                                            PID:2276
                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                            /scomma "C:\Users\Admin\AppData\Local\Temp\nlaq7a1444.ini"
                                            18⤵
                                            • Accesses Microsoft Outlook accounts
                                            • System Location Discovery: System Language Discovery
                                            PID:984
                                        • C:\Windows\SysWOW64\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
                                          17⤵
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:1700
                                          • C:\Users\Admin\2j3ttgc8z87nhh\java.com
                                            "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
                                            18⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:796

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\2J3TTG~1\RnVPBHBJlpC.HSV

          Filesize

          175B

          MD5

          8f44d5f1c08fd7351d73a3daca2bbfd0

          SHA1

          e8e669b9fa500019b7b87fdb363e9036f8417531

          SHA256

          0a90c52851b8e20c3fb985c7ab763a61b9b94d9423ad893132ec0f794fe6faf1

          SHA512

          fc610f4be75b452a1e146e8d166f25a8c74402b2abac15206a61c53b1eb2d64eb6dcae56da02388581fbaeac965f9144ff23dcec863415dd5f6eeebb7d7fbca0

        • C:\Users\Admin\2J3TTG~1\VvpRdmt.LGK

          Filesize

          260KB

          MD5

          887bfe186323191177fcc1d92fe45aba

          SHA1

          07edd3c86a74c0a96d4a715761bd35531d716c92

          SHA256

          0c0d3f3782b615900301db24caa9351ff7decf3f9ce3eb1577c17dda4ab59d1e

          SHA512

          d9483090b49afc0ab4ec60aac56500fcb60411759d0b94db199e586b530939891f321390c99efddd518d4b873391e144bcb26deb7ea672aec5f1882ae4d3c2b4

        • C:\Users\Admin\2J3TTG~1\run.vbs

          Filesize

          90B

          MD5

          b67f9f21ffe6ce14e34a3faa763e3d7e

          SHA1

          283811a92820f5558632e2f7eabf4deb198fd131

          SHA256

          3baee1be372ff258064ab7fd2f72b7330d933160ad3829bcc51782b9d82a5b0c

          SHA512

          445e9ab432136848c4df6d085899336e89b171bd0497fe08aac49e955be24807a5497682d97169f2d0d785c5d93d75da338c70fc7657f5775d3efbcc83c70c9e

        • C:\Users\Admin\2j3ttgc8z87nhh\oGQmSBaRL.VPG

          Filesize

          30.9MB

          MD5

          b809efdf2ec2751251cb835183d82bb5

          SHA1

          32cd37d5bbe861d9d7c7044b98c1c2e9312128f6

          SHA256

          887b5699fc70c681821d92f2e2937696ce68b98277771e9057320278d24aa931

          SHA512

          752b1ef10868105741d94c32e8053e6131ee4f3a37feda8453b5fd9e35649fd0f400848cfda665c230d81d7a6141313b6035bc5f46d8086e33cb6ac863e97be6

        • C:\Users\Admin\AppData\Local\Temp\2IcmWcXXue.ini

          Filesize

          5B

          MD5

          d1ea279fb5559c020a1b4137dc4de237

          SHA1

          db6f8988af46b56216a6f0daf95ab8c9bdb57400

          SHA256

          fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

          SHA512

          720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

        • \Users\Admin\2j3ttgc8z87nhh\java.com

          Filesize

          912KB

          MD5

          6a93a4071cc7c22628af40a4d872f49b

          SHA1

          ba916e686aa0cae19ab907bdab94924ada92b5f4

          SHA256

          8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

          SHA512

          5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

        • memory/812-90-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/812-89-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/812-88-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/1092-37-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/1092-39-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/1092-36-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/1092-38-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1240-127-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1240-126-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1436-74-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1436-75-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1552-47-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1552-48-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1552-46-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1752-95-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2276-69-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/2276-70-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/2276-68-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/2320-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2544-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2760-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2760-30-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2760-28-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2760-51-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2760-50-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2856-114-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3024-107-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/3024-108-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/3024-109-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB