Analysis

max time kernel: 47s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:31
Static task: static1

Behavioral task: behavioral1
  Sample: SCAN001-PO-2 x 5kg HfO2.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: SCAN001-PO-2 x 5kg HfO2.exe
  Resource: win10v20201028
General

Target: SCAN001-PO-2 x 5kg HfO2.exe
Size: 646KB
MD5: b192f4eb3271c0bfc58f5485cfa2b775
SHA1: b14d0981eacceaa7d72ef52fea15aacd7df1a4fc
SHA256: 64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
SHA512: 3d190ecdb350139b6d6ae63b7b6b6e058900a1ae64fb47f87e0ecb7651d3dc2779d7e58444250924273d7de81573188e6a70141f44a3a9781e2966c65ae714a0
Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer Payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/2072-4-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
behavioral2/memory/2072-5-0x0000000000401180-mapping.dmp                    family_isrstealer
behavioral2/memory/2072-6-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
resource                                                                      yara_rule
behavioral2/memory/1504-15-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView

Nirsoft (1 IoC)
resource                                                                      yara_rule
behavioral2/memory/1504-15-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft

resource                                                                      yara_rule
behavioral2/memory/1504-12-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1504-14-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1504-15-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Suspicious use of SetThreadContext (3 IoCs)
description                           pid   Process                      procid_target
PID 912 set thread context of 2072    912   SCAN001-PO-2 x 5kg HfO2.exe  80
PID 2072 set thread context of 508    2072  RegSvcs.exe                  81
PID 2072 set thread context of 1504   2072  RegSvcs.exe                  84

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2144  508         WerFault.exe  81

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
760  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  Process
912  SCAN001-PO-2 x 5kg HfO2.exe
912  SCAN001-PO-2 x 5kg HfO2.exe
912  SCAN001-PO-2 x 5kg HfO2.exe
912  SCAN001-PO-2 x 5kg HfO2.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid  Process
Token: SeDebugPrivilege   912  SCAN001-PO-2 x 5kg HfO2.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2072  RegSvcs.exe

Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed, count given in the last column)
description                        pid   Process                      procid_target  entries
PID 912 wrote to memory of 760     912   SCAN001-PO-2 x 5kg HfO2.exe  78             3
PID 912 wrote to memory of 2072    912   SCAN001-PO-2 x 5kg HfO2.exe  80             7
PID 2072 wrote to memory of 508    2072  RegSvcs.exe                  81             8
PID 2072 wrote to memory of 1504   2072  RegSvcs.exe                  84             8
Processes

C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN001-PO-2 x 5kg HfO2.exe"
  PID: 912
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  +- C:\Windows\SysWOW64\schtasks.exe
       Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ViNXkrgidtpBt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9CB.tmp"
       PID: 760
       - Creates scheduled task(s)

  +- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
       Command line: "{path}"
       PID: 2072
       - Suspicious use of SetThreadContext
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory

       +- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\65D0oiFRCn.ini"
            PID: 508

            +- C:\Windows\SysWOW64\WerFault.exe
                 Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 88
                 PID: 2144
                 - Program crash

       +- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\vlJRuLD3Ul.ini"
            PID: 1504