Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 12:04
General
-
Target
WhySoSerious 1.1.exe
-
Size
489KB
-
MD5
92f9f0c7511954d81dcf3c9a82ae718b
-
SHA1
6cea37af9d6044b446f322e3c7ea58b15b126a90
-
SHA256
987e7591865d74ef7398282a7921b83236a75df8bfeb29263fba3e650fd255da
-
SHA512
580879d223d823a0ccaef9db852759b58504fd9d75afc60e03d71ba541c89f6bcdaade96ec668e7567f335bb6db36912502cc109569b5fcaedff96d149af9b56
-
SSDEEP
12288:VK2mhAMJ/cPlqmuGfIzdRimjx5fxfbQzrje4PIVY4Nc9B1Mul0bOW03Ok:02O/GlqSIzdPP5zQ/jR8Y4y9TZGw
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 1 IoCs
-
Isrstealer family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WhySoSerious 1.1.exe"C:\Users\Admin\AppData\Local\Temp\WhySoSerious 1.1.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\XingCode\eeeee.exe"C:\Program Files (x86)\XingCode\eeeee.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tsl.exe"C:\Users\Admin\AppData\Local\Temp\tsl.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tsl.exe/scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\tsl.exe"C:\Users\Admin\AppData\Local\Temp\tsl.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tsl.exe/scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\XingCode\WhySoSerious.exe"C:\Program Files (x86)\XingCode\WhySoSerious.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5808be1df3c5e7d50cf2f8ad420bcadfa
SHA1ab38767d75ae1ddff48b6c6193a835089f6ce20b
SHA2564901e80ce31061e90d173bf18d64843d2aab3d49fc187b588041826bff0a8b54
SHA51205a82695ddce9205201c14e1a178a789629774b6fddc8c407139b6e5a60f5466ec9a5ddceabc3a4905ca052e54d8475d46815634f3ab7da17f689ab991b62c28
-
Filesize
546KB
MD5d019bd183105c33e3c962d0941e214d3
SHA1637da74eaed966242fd530f647beb711b6da1a52
SHA256b39b26381198044c059d70db6e5d21940abe1ae778d36ebe792947cc20bfe32a
SHA512501ac1aeaa65bcc1186a93affe07ce8eda28f818b12a106643747d66814a023cb4919427491a6a2afe56771fe72f4b5dc99d7406838d5ed674505825fdf31b26
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
196KB
MD5ab7499ab0b88802c99c38d9f3c74bbd4
SHA129f5330608db90ec7c6758dd512c35bc138d080e
SHA25673b6fac674f30d1cf2d09486d9e0b3a3b4ea799e8c1fae1358c20a49c68d7430
SHA51284fb7ca98096b68b8249d046b682df5ec7228a00f0bdb7a9abf30827b068b351e728d77ffa1f9f8547bf6637028acb951e9d946119d32e234c629a17d96f6de7
-
Filesize
332KB
-
Filesize
9.6MB
-
Filesize
664KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
624KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB