Analysis
max time kernel: 91s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 03:32

Static task: static1
Behavioral task: behavioral1
  Sample: PO.img.jpg.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO.img.jpg.exe
  Resource: win10v2004-20220414-en
General
Target: PO.img.jpg.exe
Size: 371KB
MD5: 05643226c4f1d9116d9cd0bc31f2eea9
SHA1: 80e883195c0108a28d79fd638b326ccd4affad19
SHA256: 141d8dd9c235560984db345a6414c17c5fed18e5b2106f240a58f3cdcc9f9584
SHA512: 8c7d54423af88f7c6a0ced3e5f768a1f72df90b9478fbd4c7903271b1b8adefbc44228e11dcf71ba6e8d07f08d87b3271b6a0e79801ccb0034f47090638757fe
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer Payload (3 IoCs)
resource  yara_rule
behavioral2/memory/2748-134-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
behavioral2/memory/2748-136-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
behavioral2/memory/2748-141-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource  yara_rule
behavioral2/memory/3956-146-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral2/memory/3956-147-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView

Nirsoft (2 IoCs)
resource  yara_rule
behavioral2/memory/3956-146-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral2/memory/3956-147-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft

resource  yara_rule
behavioral2/memory/3956-143-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3956-145-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3956-146-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3956-147-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
Process: PO.img.jpg.exe
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: RegSvcs.exe
Suspicious use of SetThreadContext (3 IoCs)
description  pid  Process  procid_target
PID 3996 set thread context of 2748  3996  PO.img.jpg.exe  91
PID 2748 set thread context of 3884  2748  RegSvcs.exe  92
PID 2748 set thread context of 3956  2748  RegSvcs.exe  96
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
pid  pid_target  Process  procid_target
5076  3884  WerFault.exe  92
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
868  schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid  Process
3996  PO.img.jpg.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description  pid  Process
Token: SeDebugPrivilege  3996  PO.img.jpg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  Process
2748  RegSvcs.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description  pid  Process  procid_target
PID 3996 wrote to memory of 868  3996  PO.img.jpg.exe  89  (3 entries)
PID 3996 wrote to memory of 2748  3996  PO.img.jpg.exe  91  (7 entries)
PID 2748 wrote to memory of 3884  2748  RegSvcs.exe  92  (8 entries)
PID 2748 wrote to memory of 3956  2748  RegSvcs.exe  96  (8 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\PO.img.jpg.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.img.jpg.exe"
  PID: 3996
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe  (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jrtQOooYewvWK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE0C.tmp"
    PID: 868
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2)
    Command line: "{path}"
    PID: 2748
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3)
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\SqUccPw2Iq.ini"
      PID: 3884
      C:\Windows\SysWOW64\WerFault.exe  (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 80
        PID: 5076
        - Program crash
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3)
      Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\8iiQLsBbSw.ini"
      PID: 3956
      - Accesses Microsoft Outlook accounts
C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884
  PID: 440
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 5c0cc3e3319c2ba6588c35fcf659b0a2
SHA1: 84f67c98100ceaf350c05b4514e15b64031ba912
SHA256: 5ae7cf10fe03202cdaf5e76dec8ca66d37af86760d0c69d5866ba1d5ba72e88a
SHA512: 05802060bd4b55405a21d8672dc22e67a022f4e15ea8bfe35be05603a19b4e20d183aa06de15957f59b9ace8c06602fd095df57cf2f9da060f88a98c97da0005