Analysis
max time kernel: 74s
max time network: 78s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:31
Static task: static1
Behavioral task: behavioral1
  Sample: SCAN001-PO-2 x 5kg HfO2.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SCAN001-PO-2 x 5kg HfO2.exe
  Resource: win10v20201028
General
Target: SCAN001-PO-2 x 5kg HfO2.exe
Size: 646KB
MD5: b192f4eb3271c0bfc58f5485cfa2b775
SHA1: b14d0981eacceaa7d72ef52fea15aacd7df1a4fc
SHA256: 64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
SHA512: 3d190ecdb350139b6d6ae63b7b6b6e058900a1ae64fb47f87e0ecb7651d3dc2779d7e58444250924273d7de81573188e6a70141f44a3a9781e2966c65ae714a0
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
ISR Stealer Payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1184-69-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
  behavioral1/memory/1184-70-0x0000000000401180-mapping.dmp                    family_isrstealer
NirSoft MailPassView (1 IoCs)
Password recovery tool for various email clients
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1740-83-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
Nirsoft (1 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1740-83-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1632-74-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/1632-77-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/1632-76-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/1740-80-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral1/memory/1740-82-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral1/memory/1740-83-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process                       target process
  PID 1960 set thread context of 1184   1960  SCAN001-PO-2 x 5kg HfO2.exe   RegSvcs.exe
  PID 1184 set thread context of 1632   1184  RegSvcs.exe                   RegSvcs.exe
  PID 1184 set thread context of 1740   1184  RegSvcs.exe                   RegSvcs.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1960  SCAN001-PO-2 x 5kg HfO2.exe
  1960  SCAN001-PO-2 x 5kg HfO2.exe
  1960  SCAN001-PO-2 x 5kg HfO2.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1960  SCAN001-PO-2 x 5kg HfO2.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1184  RegSvcs.exe
Suspicious use of WriteProcessMemory (39 IoCs)
Processes (identical events grouped; the occurrences column gives how many times each row was recorded, 39 in total):
  description                        pid   process                       target process   occurrences
  PID 1960 wrote to memory of 1996   1960  SCAN001-PO-2 x 5kg HfO2.exe   schtasks.exe     4
  PID 1960 wrote to memory of 1184   1960  SCAN001-PO-2 x 5kg HfO2.exe   RegSvcs.exe      11
  PID 1184 wrote to memory of 1632   1184  RegSvcs.exe                   RegSvcs.exe      12
  PID 1184 wrote to memory of 1740   1184  RegSvcs.exe                   RegSvcs.exe      12
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ViNXkrgidtpBt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7CB.tmp"
    - Creates scheduled task(s)
  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\VbStKfxfTD.ini"
    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\HkKXDjHElQ.ini"
Downloads
C:\Users\Admin\AppData\Local\Temp\VbStKfxfTD.ini
  MD5: d1ea279fb5559c020a1b4137dc4de237
  SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
  SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
  SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
C:\Users\Admin\AppData\Local\Temp\tmpB7CB.tmp
  MD5: d5662eb6b5e6c3f1994cfa26a6bc3297
  SHA1: 550f5909aaab509bfeea11e9e8f2d75809efd6ae
  SHA256: 6e1f2ed03662c078c8411af0d31e92b00370b95c81d00afcd4d1dedd1b81e99e
  SHA512: 67b9b1ccdb5ffae75afd6c58371f30af01f977357fa26a9db8e747893427c46305eb7d025d923d425106eca144f59d02919d3d7fe36de65c750559c3abdd45f5
memory/1184-69-0x0000000000400000-0x0000000000442000-memory.dmp   Filesize: 264KB
memory/1184-70-0x0000000000401180-mapping.dmp
memory/1632-77-0x0000000000400000-0x0000000000453000-memory.dmp   Filesize: 332KB
memory/1632-74-0x0000000000400000-0x0000000000453000-memory.dmp   Filesize: 332KB
memory/1632-76-0x0000000000400000-0x0000000000453000-memory.dmp   Filesize: 332KB
memory/1632-75-0x00000000004512E0-mapping.dmp
memory/1740-80-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
memory/1740-81-0x000000000041C410-mapping.dmp
memory/1740-82-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
memory/1740-83-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
memory/1936-79-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp   Filesize: 2.5MB
memory/1996-67-0x0000000000000000-mapping.dmp