Analysis
-
max time kernel
74s -
max time network
78s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:31
General
-
Target
SCAN001-PO-2 x 5kg HfO2.exe
-
Size
646KB
-
MD5
b192f4eb3271c0bfc58f5485cfa2b775
-
SHA1
b14d0981eacceaa7d72ef52fea15aacd7df1a4fc
-
SHA256
64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
-
SHA512
3d190ecdb350139b6d6ae63b7b6b6e058900a1ae64fb47f87e0ecb7651d3dc2779d7e58444250924273d7de81573188e6a70141f44a3a9781e2966c65ae714a0
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer Payload 2 IoCs
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
Nirsoft 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of SetThreadContext 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe"C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ViNXkrgidtpBt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7CB.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\VbStKfxfTD.ini"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\HkKXDjHElQ.ini"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\VbStKfxfTD.iniMD5
d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
C:\Users\Admin\AppData\Local\Temp\tmpB7CB.tmpMD5
d5662eb6b5e6c3f1994cfa26a6bc3297
SHA1550f5909aaab509bfeea11e9e8f2d75809efd6ae
SHA2566e1f2ed03662c078c8411af0d31e92b00370b95c81d00afcd4d1dedd1b81e99e
SHA51267b9b1ccdb5ffae75afd6c58371f30af01f977357fa26a9db8e747893427c46305eb7d025d923d425106eca144f59d02919d3d7fe36de65c750559c3abdd45f5
-
memory/1184-69-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1184-70-0x0000000000401180-mapping.dmp
-
memory/1632-77-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1632-74-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1632-76-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1632-75-0x00000000004512E0-mapping.dmp
-
memory/1740-80-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1740-81-0x000000000041C410-mapping.dmp
-
memory/1740-82-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1740-83-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1936-79-0x000007FEF5E90000-0x000007FEF610A000-memory.dmpFilesize
2.5MB
-
memory/1996-67-0x0000000000000000-mapping.dmp