Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/03/2025, 12:04
Static task
static1
Behavioral task
behavioral1
Sample
WhySoSerious 1.1.exe
Resource
win7-20240903-en
General
Target: WhySoSerious 1.1.exe
Size: 489KB
MD5: 92f9f0c7511954d81dcf3c9a82ae718b
SHA1: 6cea37af9d6044b446f322e3c7ea58b15b126a90
SHA256: 987e7591865d74ef7398282a7921b83236a75df8bfeb29263fba3e650fd255da
SHA512: 580879d223d823a0ccaef9db852759b58504fd9d75afc60e03d71ba541c89f6bcdaade96ec668e7567f335bb6db36912502cc109569b5fcaedff96d149af9b56
SSDEEP: 12288:VK2mhAMJ/cPlqmuGfIzdRimjx5fxfbQzrje4PIVY4Nc9B1Mul0bOW03Ok:02O/GlqSIzdPP5zQ/jR8Y4y9TZGw
Malware Config
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (1 IoCs)
  resource                                        yara_rule
  behavioral1/files/0x0008000000016c62-37.dat     family_isrstealer

Isrstealer family

Executes dropped EXE (4 IoCs)
  pid    Process
  2400   eeeee.exe
  2920   WhySoSerious.exe
  2740   tsl.exe
  2640   tsl.exe

Loads dropped DLL (9 IoCs)
  pid    Process
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  1916   WhySoSerious 1.1.exe
  2740   tsl.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
  description                              pid    Process   procid_target
  PID 2740 set thread context of 2640      2740   tsl.exe   33

  resource                                                                        yara_rule
  behavioral1/memory/2640-46-0x0000000000400000-0x0000000000453000-memory.dmp     upx
  behavioral1/memory/2640-49-0x0000000000400000-0x0000000000453000-memory.dmp     upx
  behavioral1/memory/2640-48-0x0000000000400000-0x0000000000453000-memory.dmp     upx
  behavioral1/memory/2640-47-0x0000000000400000-0x0000000000453000-memory.dmp     upx
  behavioral1/memory/2640-44-0x0000000000400000-0x0000000000453000-memory.dmp     upx
  behavioral1/memory/2640-54-0x0000000000400000-0x0000000000453000-memory.dmp     upx

Drops file in Program Files directory (6 IoCs)
  description                    ioc                                                                          Process
  File opened for modification   C:\Program Files (x86)\XingCode                                              WhySoSerious 1.1.exe
  File created                   C:\Program Files (x86)\XingCode\__tmp_rar_sfx_access_check_259424467         WhySoSerious 1.1.exe
  File created                   C:\Program Files (x86)\XingCode\WhySoSerious.exe                             WhySoSerious 1.1.exe
  File opened for modification   C:\Program Files (x86)\XingCode\WhySoSerious.exe                             WhySoSerious 1.1.exe
  File created                   C:\Program Files (x86)\XingCode\eeeee.exe                                    WhySoSerious 1.1.exe
  File opened for modification   C:\Program Files (x86)\XingCode\eeeee.exe                                    WhySoSerious 1.1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                              Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      tsl.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      WhySoSerious 1.1.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      WhySoSerious.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      tsl.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              2400   eeeee.exe
  Token: 33                            2400   eeeee.exe
  Token: SeIncBasePriorityPrivilege    2400   eeeee.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  2740   tsl.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  description                          pid    Process                procid_target
  PID 1916 wrote to memory of 2400     1916   WhySoSerious 1.1.exe   30
  PID 1916 wrote to memory of 2400     1916   WhySoSerious 1.1.exe   30
  PID 1916 wrote to memory of 2400     1916   WhySoSerious 1.1.exe   30
  PID 1916 wrote to memory of 2400     1916   WhySoSerious 1.1.exe   30
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 1916 wrote to memory of 2920     1916   WhySoSerious 1.1.exe   31
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2400 wrote to memory of 2740     2400   eeeee.exe              32
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
  PID 2740 wrote to memory of 2640     2740   tsl.exe                33
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\WhySoSerious 1.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WhySoSerious 1.1.exe"
  PID: 1916
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\XingCode\eeeee.exe
    Command line: "C:\Program Files (x86)\XingCode\eeeee.exe"
    PID: 2400
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tsl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tsl.exe"
      PID: 2740
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\tsl.exe
        Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        PID: 2640
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

  C:\Program Files (x86)\XingCode\WhySoSerious.exe
    Command line: "C:\Program Files (x86)\XingCode\WhySoSerious.exe"
    PID: 2920
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 196KB
MD5: ab7499ab0b88802c99c38d9f3c74bbd4
SHA1: 29f5330608db90ec7c6758dd512c35bc138d080e
SHA256: 73b6fac674f30d1cf2d09486d9e0b3a3b4ea799e8c1fae1358c20a49c68d7430
SHA512: 84fb7ca98096b68b8249d046b682df5ec7228a00f0bdb7a9abf30827b068b351e728d77ffa1f9f8547bf6637028acb951e9d946119d32e234c629a17d96f6de7

Filesize: 52KB
MD5: 808be1df3c5e7d50cf2f8ad420bcadfa
SHA1: ab38767d75ae1ddff48b6c6193a835089f6ce20b
SHA256: 4901e80ce31061e90d173bf18d64843d2aab3d49fc187b588041826bff0a8b54
SHA512: 05a82695ddce9205201c14e1a178a789629774b6fddc8c407139b6e5a60f5466ec9a5ddceabc3a4905ca052e54d8475d46815634f3ab7da17f689ab991b62c28

Filesize: 546KB
MD5: d019bd183105c33e3c962d0941e214d3
SHA1: 637da74eaed966242fd530f647beb711b6da1a52
SHA256: b39b26381198044c059d70db6e5d21940abe1ae778d36ebe792947cc20bfe32a
SHA512: 501ac1aeaa65bcc1186a93affe07ce8eda28f818b12a106643747d66814a023cb4919427491a6a2afe56771fe72f4b5dc99d7406838d5ed674505825fdf31b26