Analysis
- max time kernel: 104s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/03/2025, 12:04
Static task: static1
Behavioral task: behavioral1
- Sample: WhySoSerious 1.1.exe
- Resource: win7-20240903-en
General
- Target: WhySoSerious 1.1.exe
- Size: 489KB
- MD5: 92f9f0c7511954d81dcf3c9a82ae718b
- SHA1: 6cea37af9d6044b446f322e3c7ea58b15b126a90
- SHA256: 987e7591865d74ef7398282a7921b83236a75df8bfeb29263fba3e650fd255da
- SHA512: 580879d223d823a0ccaef9db852759b58504fd9d75afc60e03d71ba541c89f6bcdaade96ec668e7567f335bb6db36912502cc109569b5fcaedff96d149af9b56
- SSDEEP: 12288:VK2mhAMJ/cPlqmuGfIzdRimjx5fxfbQzrje4PIVY4Nc9B1Mul0bOW03Ok:02O/GlqSIzdPP5zQ/jR8Y4y9TZGw
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (1 IoC)
  resource | yara_rule
  behavioral2/files/0x000800000002411c-43.dat | family_isrstealer
- Isrstealer family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | WhySoSerious 1.1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | eeeee.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  4364 | eeeee.exe
  4500 | WhySoSerious.exe
  1996 | tsl.exe
  4576 | tsl.exe
  1108 | tsl.exe
  3272 | tsl.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1996 set thread context of 4576 | 1996 | tsl.exe | 96
  PID 1108 set thread context of 3272 | 1108 | tsl.exe | 100
- YARA rule matches in process memory dumps (rule: upx)
  resource | yara_rule
  behavioral2/memory/4576-49-0x0000000000400000-0x0000000000453000-memory.dmp | upx
  behavioral2/memory/4576-52-0x0000000000400000-0x0000000000453000-memory.dmp | upx
  behavioral2/memory/4576-55-0x0000000000400000-0x0000000000453000-memory.dmp | upx
  behavioral2/memory/4576-51-0x0000000000400000-0x0000000000453000-memory.dmp | upx
  behavioral2/memory/3272-75-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\XingCode\WhySoSerious.exe | WhySoSerious 1.1.exe
  File created | C:\Program Files (x86)\XingCode\eeeee.exe | WhySoSerious 1.1.exe
  File opened for modification | C:\Program Files (x86)\XingCode\eeeee.exe | WhySoSerious 1.1.exe
  File opened for modification | C:\Program Files (x86)\XingCode | WhySoSerious 1.1.exe
  File created | C:\Program Files (x86)\XingCode\__tmp_rar_sfx_access_check_240622828 | WhySoSerious 1.1.exe
  File created | C:\Program Files (x86)\XingCode\WhySoSerious.exe | WhySoSerious 1.1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WhySoSerious 1.1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WhySoSerious.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsl.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4364 | eeeee.exe
  Token: 33 | 4364 | eeeee.exe
  Token: SeIncBasePriorityPrivilege | 4364 | eeeee.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1996 | tsl.exe
  1108 | tsl.exe
- Suspicious use of WriteProcessMemory (27 IoCs; identical events collapsed with a count)
  description | pid | Process | procid_target | count
  PID 320 wrote to memory of 4364 | 320 | WhySoSerious 1.1.exe | 89 | 2
  PID 320 wrote to memory of 4500 | 320 | WhySoSerious 1.1.exe | 91 | 3
  PID 4364 wrote to memory of 1996 | 4364 | eeeee.exe | 95 | 3
  PID 1996 wrote to memory of 4576 | 1996 | tsl.exe | 96 | 8
  PID 4364 wrote to memory of 1108 | 4364 | eeeee.exe | 99 | 3
  PID 1108 wrote to memory of 3272 | 1108 | tsl.exe | 100 | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\WhySoSerious 1.1.exe (level 1, PID 320)
  command line: "C:\Users\Admin\AppData\Local\Temp\WhySoSerious 1.1.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\XingCode\eeeee.exe (level 2, PID 4364)
    command line: "C:\Program Files (x86)\XingCode\eeeee.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tsl.exe (level 3, PID 1996)
      command line: "C:\Users\Admin\AppData\Local\Temp\tsl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\tsl.exe (level 4, PID 4576)
        command line: /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\tsl.exe (level 3, PID 1108)
      command line: "C:\Users\Admin\AppData\Local\Temp\tsl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\tsl.exe (level 4, PID 3272)
        command line: /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\XingCode\WhySoSerious.exe (level 2, PID 4500)
    command line: "C:\Program Files (x86)\XingCode\WhySoSerious.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 52KB
  MD5: 808be1df3c5e7d50cf2f8ad420bcadfa
  SHA1: ab38767d75ae1ddff48b6c6193a835089f6ce20b
  SHA256: 4901e80ce31061e90d173bf18d64843d2aab3d49fc187b588041826bff0a8b54
  SHA512: 05a82695ddce9205201c14e1a178a789629774b6fddc8c407139b6e5a60f5466ec9a5ddceabc3a4905ca052e54d8475d46815634f3ab7da17f689ab991b62c28
- Filesize: 546KB
  MD5: d019bd183105c33e3c962d0941e214d3
  SHA1: 637da74eaed966242fd530f647beb711b6da1a52
  SHA256: b39b26381198044c059d70db6e5d21940abe1ae778d36ebe792947cc20bfe32a
  SHA512: 501ac1aeaa65bcc1186a93affe07ce8eda28f818b12a106643747d66814a023cb4919427491a6a2afe56771fe72f4b5dc99d7406838d5ed674505825fdf31b26
- Filesize: 5B
  MD5: d1ea279fb5559c020a1b4137dc4de237
  SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
  SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
  SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
- Filesize: 196KB
  MD5: ab7499ab0b88802c99c38d9f3c74bbd4
  SHA1: 29f5330608db90ec7c6758dd512c35bc138d080e
  SHA256: 73b6fac674f30d1cf2d09486d9e0b3a3b4ea799e8c1fae1358c20a49c68d7430
  SHA512: 84fb7ca98096b68b8249d046b682df5ec7228a00f0bdb7a9abf30827b068b351e728d77ffa1f9f8547bf6637028acb951e9d946119d32e234c629a17d96f6de7