Analysis

max time kernel: 4294179s
max time network: 122s
platform: windows7_x64
resource: win7-20220311-en
submitted: 12-03-2022 05:57

Static task: static1

Behavioral task: behavioral1
  Sample: 98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
  Resource: win7-20220311-en

Behavioral task: behavioral2
  Sample: 98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
  Resource: win10v2004-en-20220113
General

Target: 98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
Size: 548KB
MD5: 808c074ba15f5206d5e3ba380b67e977
SHA1: 908df198b1ac1402be6933cbeafd6fdd715ca918
SHA256: 98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f
SHA512: a01232c4289d7b37c6cd85f7759f4c9bf6579aac50d6d8d5af8c330f37a5b3a3b528031388055c3ec99e186a7395f4db94ad5f5e35dfb9f7bd442811b464b9ee
Malware Config
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer Payload 2 IoCs
resource                                                                      yara_rule
behavioral1/memory/1680-63-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
behavioral1/memory/1680-65-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource                                                                       yara_rule
behavioral1/memory/1320-116-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral1/memory/1320-117-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource                                                                       yara_rule
behavioral1/memory/2044-97-0x0000000000400000-0x0000000000454000-memory.dmp   WebBrowserPassView
behavioral1/memory/2044-101-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
Nirsoft 6 IoCs
resource                                                                       yara_rule
behavioral1/memory/2044-97-0x0000000000400000-0x0000000000454000-memory.dmp   Nirsoft
behavioral1/memory/2044-101-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
behavioral1/memory/1508-109-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral1/memory/1508-111-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral1/memory/1320-116-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/1320-117-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
Executes dropped EXE 3 IoCs
pid   Process
1680  cvtres.exe
512   cvtres.exe
2044  cvtres.exe

UPX packed file 8 IoCs
resource                                                                       yara_rule
behavioral1/memory/1508-109-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/1508-107-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/1508-111-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/1508-104-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/1320-112-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1320-115-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1320-116-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1320-117-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Loads dropped DLL 3 IoCs
pid   Process
1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
1680  cvtres.exe
512   cvtres.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc                                                                                                                           Process
Key opened   \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  svchost.exe
Suspicious use of SetThreadContext 5 IoCs
description                          pid   Process                                                                 procid_target
PID 1776 set thread context of 1680  1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe  27
PID 1680 set thread context of 512   1680  cvtres.exe                                                              28
PID 512 set thread context of 2044   512   cvtres.exe                                                              29
PID 512 set thread context of 1508   512   cvtres.exe                                                              31
PID 512 set thread context of 1320   512   cvtres.exe                                                              32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but drive enumeration on its own is a weak heuristic; no encryption or file-renaming activity appears elsewhere in this report, and for a stealer the more plausible reason is harvesting files from attached drives.

Modifies system certificate store 3 IoCs
description       ioc                                                                                                                                            Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                          cvtres.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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  cvtres.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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  cvtres.exe
Caveat: writing a key under AuthRoot\Certificates\<thumbprint> is also exactly what the Windows automatic root-certificate update does when CryptoAPI first needs a root while building a chain (for example on the sample's first TLS connection). This signature therefore does not by itself show that the sample installs its own root; check the thumbprint against the Microsoft trusted root list before treating it as tampering.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1680  cvtres.exe
1680  cvtres.exe
1680  cvtres.exe
1680  cvtres.exe
1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe
Token: SeDebugPrivilege  1508  svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1680  cvtres.exe
Suspicious use of WriteProcessMemory 40 IoCs
The 40 rows contain only six distinct source/target pairs; identical rows are collapsed here and the number of repetitions is given in the count column.
description                       pid   Process                                                                 procid_target  count
PID 1776 wrote to memory of 1680  1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe  27             8
PID 1680 wrote to memory of 512   1680  cvtres.exe                                                              28             12
PID 1776 wrote to memory of 512   1776  98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe  28             2
PID 512 wrote to memory of 2044   512   cvtres.exe                                                              29             6
PID 512 wrote to memory of 1508   512   cvtres.exe                                                              31             6
PID 512 wrote to memory of 1320   512   cvtres.exe                                                              32             6
Processes

C:\Users\Admin\AppData\Local\Temp\98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe  (PID 1776)
  command line: "C:\Users\Admin\AppData\Local\Temp\98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 1680, child of 1776)
    command line: C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 512, child of 1680)
      command line: "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\cvtres.exe  (PID 2044, child of 512)
        command line: "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        - Executes dropped EXE

      C:\Windows\SysWOW64\svchost.exe  (PID 1508, child of 512)
        command line: "C:\Windows\System32\svchost.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\svchost.exe  (PID 1320, child of 512)
        command line: "C:\Windows\System32\svchost.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        - Accesses Microsoft Outlook accounts

Reading the tree: every hop is a process-hollowing step (the parent both writes into the child and calls SetThreadContext on it), and the three leaves are hollowed hosts for the NirSoft recovery tools, each started with NirSoft's /scomma switch so that recovered credentials land in a comma-separated file under Temp. The svchost.exe leaves report a SysWOW64 image path although the command line names System32, which is WoW64 file-system redirection: the payload is 32-bit. A svchost.exe whose parent is not services.exe is a reliable hunting pivot on its own.
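The chain above can be rebuilt mechanically from the report's own rows. The following is an added example, not part of the sandbox output: PROCS and the two event sets are transcribed from the process tree and the SetThreadContext / WriteProcessMemory tables, and the rule names and the helper `temp()` are this example's own choices. It marks each process as hollowed when its parent both wrote into it and reset its thread context, flags svchost.exe instances not started by services.exe, and collects the /scomma output paths that an incident responder would want to pull from the VM.

```python
"""Rebuild the process-hollowing chain and flag the NirSoft credential-dump
stage from this report's own rows.  Added example, not part of the sandbox
output; PROCS and the two event sets are transcribed from the report."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "98ef2ef656e87c35a07d919b391f3f772cc4d4ae0c1a9c67290e89b206677e6f.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def temp(name: str) -> str:
    """Helper (this example's own): path of a file in the sandbox user's Temp."""
    return TEMP + "\\" + name


@dataclass
class Proc:
    pid: int
    image: str            # image path as recorded by the sandbox
    cmdline: str          # command line as recorded by the sandbox
    ppid: Optional[int]   # parent pid, None for the root


# Transcribed from the process tree (insertion order = order in the report).
PROCS = {p.pid: p for p in [
    Proc(1776, temp(SAMPLE), '"' + temp(SAMPLE) + '"', None),
    Proc(1680, temp("cvtres.exe"), TEMP + "\\\\cvtres.exe", 1776),
    Proc(512, temp("cvtres.exe"), '"' + temp("cvtres.exe") + '"', 1680),
    Proc(2044, temp("cvtres.exe"),
         '"' + temp("cvtres.exe") + '" /scomma ' + temp("data.dmp"), 512),
    Proc(1508, r"C:\Windows\SysWOW64\svchost.exe",
         r'"C:\Windows\System32\svchost.exe" /scomma ' + temp("data1.dmp"), 512),
    Proc(1320, r"C:\Windows\SysWOW64\svchost.exe",
         r'"C:\Windows\System32\svchost.exe" /scomma ' + temp("data2.dmp"), 512),
]}

# (source pid, target pid) pairs, deduplicated from the two signature tables.
SET_THREAD_CONTEXT = {(1776, 1680), (1680, 512), (512, 2044), (512, 1508), (512, 1320)}
WRITE_PROCESS_MEMORY = SET_THREAD_CONTEXT | {(1776, 512)}

# NirSoft tools write a comma-separated export with "/scomma <file>".
SCOMMA = re.compile(r"/scomma\s+(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_hollowed(pid: int) -> bool:
    """Parent wrote into the child and then replaced its thread context: the
    CreateProcess(CREATE_SUSPENDED) / WriteProcessMemory / SetThreadContext
    sequence of process hollowing.  True for every hop of this chain."""
    p = PROCS[pid]
    edge = (p.ppid, pid)
    return p.ppid is not None and edge in WRITE_PROCESS_MEMORY and edge in SET_THREAD_CONTEXT


def findings(pid: int) -> list:
    """Human-readable detections for one process; empty list if nothing fires."""
    p = PROCS[pid]
    name = basename(p.image)
    out = []
    if is_hollowed(pid):
        out.append("hollowed by parent %d" % p.ppid)
    if name == "svchost.exe" and (p.ppid is None or basename(PROCS[p.ppid].image) != "services.exe"):
        out.append("svchost.exe not started by services.exe")
    if "system32" in p.cmdline.lower() and "syswow64" in p.image.lower():
        # WoW64 redirects System32 to SysWOW64 for 32-bit processes.
        out.append("32-bit process under WoW64 (System32 redirected to SysWOW64)")
    m = SCOMMA.search(p.cmdline)
    if m:
        out.append("NirSoft /scomma export to " + m.group(1))
    if p.image.lower().startswith(TEMP.lower()) and name != SAMPLE.lower():
        out.append("dropped executable %s running from user Temp" % name)
    return out


def injection_chain(root: int) -> list:
    """Depth-first walk of the parent/child tree from root, children in report order."""
    order = [root]
    for child in [p.pid for p in PROCS.values() if p.ppid == root]:
        order.extend(injection_chain(child))
    return order


def dump_files() -> set:
    """Every path handed to /scomma: the credential dumps to collect from the VM."""
    return {m.group(1) for p in PROCS.values() for m in [SCOMMA.search(p.cmdline)] if m}


if __name__ == "__main__":
    for pid in injection_chain(1776):
        print(pid, basename(PROCS[pid].image), findings(pid))
```

Run against a real EDR feed, the same three predicates (write + SetThreadContext from the parent, svchost.exe with a non-services.exe parent, and /scomma on a command line) map directly onto Sysmon event 1 parent/child fields and event 8/10 cross-process access records; the report's procid_target column is the sandbox's own process index and is not needed for the correlation.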