Static

static

SCAN001-PO...O2.exe

windows7_x64

10

SCAN001-PO...O2.exe

windows10_x64

10

Analysis

  • max time kernel
    74s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SCAN001-PO-2 x 5kg HfO2.exe

  • Size

    646KB

  • MD5

    b192f4eb3271c0bfc58f5485cfa2b775

  • SHA1

    b14d0981eacceaa7d72ef52fea15aacd7df1a4fc

  • SHA256

    64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda

  • SHA512

    3d190ecdb350139b6d6ae63b7b6b6e058900a1ae64fb47f87e0ecb7651d3dc2779d7e58444250924273d7de81573188e6a70141f44a3a9781e2966c65ae714a0

Score
10/10
isrstealerstealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer Payload 2 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Nirsoft 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe
    "C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ViNXkrgidtpBt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7CB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1996
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\VbStKfxfTD.ini"
        3⤵
          PID:1632
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\HkKXDjHElQ.ini"
          3⤵
            PID:1740

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1184-69-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/1632-77-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1632-74-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1632-76-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1740-80-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1740-82-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1740-83-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1936-79-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

        Filesize

        2.5MB

        Download