Overview

overview

10

Static

static

b877b7de1b...e2.exe

windows7_x64

10

b877b7de1b...e2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-03-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b877b7de1b96f28deab0077de2e79040f0bd0677c4b05083e145862ee44f70e2.exe

  • Size

    272KB

  • MD5

    96d7f0167137bf38582a97df1c8f86a3

  • SHA1

    09b6cb16c01e0611940f47a2ac3082e6ec710bde

  • SHA256

    b877b7de1b96f28deab0077de2e79040f0bd0677c4b05083e145862ee44f70e2

  • SHA512

    cdcd9ca7513a0b05d9e75b31f3b5a9524e044c1e0ad4437a34a257a2378edb4dd98e4b3f79efbb88f49b8cd439bbf7d21d57c98cbee6e6f42b0b3645c7354f0a

Score
10/10
isrstealerspywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b877b7de1b96f28deab0077de2e79040f0bd0677c4b05083e145862ee44f70e2.exe
    "C:\Users\Admin\AppData\Local\Temp\b877b7de1b96f28deab0077de2e79040f0bd0677c4b05083e145862ee44f70e2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
      2⤵
        PID:2348
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\ytmp\t16434.bat "C:\Users\Admin\AppData\Local\Temp\b877b7de1b96f28deab0077de2e79040f0bd0677c4b05083e145862ee44f70e2.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Windows\system32\attrib.exe
          attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
          3⤵
          • Views/modifies file attributes
          PID:3964
        • C:\Users\Admin\AppData\Local\Temp\afolder\payment.exe
          payment.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Users\Admin\AppData\Local\Temp\afolder\payment.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
            4⤵
            • Executes dropped EXE
            PID:1328

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1328-139-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1328-142-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1328-143-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download