Malware Analysis Report

2025-01-18 16:45

Sample ID: 220530-1qspnsgddq
Target: 0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d
SHA256: 0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d
Tags: isrstealer bootkit persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d
Threat Level: Known bad

The file 0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d was found to be: Known bad.

Malicious Activity Summary

Tags: isrstealer bootkit persistence spyware stealer trojan

ISR Stealer
ISR Stealer Payload
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-30 21:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-30 21:51
Reported: 2022-05-30 23:13
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 47s

Command Line

C:\Windows\Explorer.EXE

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\WinService.exe" | C:\Users\Admin\AppData\Local\Temp\winservice.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1804 set thread context of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe
PID 1800 set thread context of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinService.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 288 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe | C:\Users\Admin\AppData\Local\Temp\i.exe
PID 272 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\i.exe | C:\Users\Admin\AppData\Local\Temp\a.exe
PID 272 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\i.exe | C:\Users\Admin\AppData\Local\Temp\b.exe
PID 1120 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\b.exe | C:\Users\Admin\AppData\Local\Temp\winservice.exe
PID 328 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\winservice.exe | C:\Users\Admin\AppData\Roaming\WinService.exe
PID 804 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Roaming\WinService.exe | C:\Windows\Explorer.EXE
PID 1804 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe
PID 1800 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe

Processes

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe
    "C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe"

C:\Users\Admin\AppData\Local\Temp\i.exe
    "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr

C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\b.exe
    "C:\Users\Admin\AppData\Local\Temp\b.exe"

C:\Users\Admin\AppData\Local\Temp\winservice.exe
    "C:\Users\Admin\AppData\Local\Temp\winservice.exe"

C:\Users\Admin\AppData\Roaming\WinService.exe
    C:\Users\Admin\AppData\Roaming\WinService.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | privatepolicy.home.kg | udp

Files

memory/288-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\i.exe

MD5 836c4dcf420ff7f371c39906f1b898ca
SHA1 9ca4c19c4c62fabdeac895d7fe1a1977335cb513
SHA256 ffed1e5608a31533993ba53512570501200b2ec0aa78e69436b2a10190fd495a
SHA512 d245ed58e414fa132449cc98794f7ded3229e32426979aba27247063b06a834bc167a3106d330e8642ad7ecc613697d7b773d9448a34c3ec4af1f15787d069fd

memory/272-56-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\a.exe

MD5 2d1abe0010abba56746a72c01a0ae657
SHA1 1d32ba947da45845213a1cf7191a6382555ab637
SHA256 633a7c1d49a3490d2f51c77779dce030c6d97edd3b01d6ff7600a091d9cb4f4c
SHA512 3299cd7387f5232cfc3e3168628546dcabfb0f1123771587572248e8210ce81f16545453a5d7e5fa16819237bbd3b99b6777c609904d94bfe266cd23ef90e2ba

memory/1804-62-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\b.exe

MD5 ff7abad34e54ee4b43de1084192566e8
SHA1 091446f3b97d9d268796dffbd5530ce6111f990d
SHA256 b0658d7be4638246fc52ae7b9a6c9cdc5dbd75ab9f7e5a9354a81fdb903bb568
SHA512 d44d2194cdfbd98a233434254597aa6d22bdc75bc752ebe9c18332b1dd77543e750d23b155221a7dc31912440c1f7a886163f3e092e35ee48b9affa8249b17ab

memory/1120-67-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\winservice.exe

MD5 b787eb188df2d6ae21b23088348fb91e
SHA1 1a3cfdce6931ccf47fb190ff8384ba33245cbd11
SHA256 23f494a8829b2363a4d9e42a36b46a8b13e26d9237e38058abd5ff1881ea6bd6
SHA512 fab6cb06033cd416fe9d7007f8feaca74b044efb6861f759de63a6236b650e9a3a8b7148bc65f2c0f92e7ff1235d86d5249c7456641dc78d1f0f4516882f47d0

memory/328-73-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\WinService.exe

MD5 19f19cafb2c5511e651281e0431d9783
SHA1 c923b3eab28dc21cf9d990d65942060efd9a4ed6
SHA256 2ee5b2d42954cac64b0b4eeec77fa9e2d1adac1af368ff0ee7ac3ea62fbd8e2a
SHA512 0b3ed3443bc2aad37f9b6c12112a237e89bdb49b8cc1f930a0241de633d5ecdcb6b25b9aff47847bd15ee8eab7a2a978933bb503551940a55ed7a8f414d105b8

memory/804-78-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\WinService.dll

MD5 62d2ff99b2d0c9d51e808087ae84fa0c
SHA1 7beaf1805b7a9f4484974532f1fff6fee8b4c667
SHA256 7dd6a20b0f387efbd22f6f518a39a2fc0ecf168410afc07cdbd841441756260f
SHA512 a0a77e790809b388bc6b5919f2d167030775da89cbedb01f9b0cdc1c6a8dc689c11379ebd77b7e4f8c8c2533ae967adab41d5432db3d87884bdba1fa5188440e

memory/1800-84-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1800-85-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1800-87-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1800-90-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1800-91-0x0000000000401844-mapping.dmp

memory/1800-97-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1892-99-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1892-100-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1892-102-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1892-103-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1892-104-0x00000000004011F0-mapping.dmp

memory/1892-110-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1800-111-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1892-112-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-30 21:51
Reported: 2022-05-30 23:11
Platform: win10v2004-20220414-en
Max time kernel: 70s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\i.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4776 set thread context of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe
PID 2000 set thread context of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\winservice.exe

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe | C:\Users\Admin\AppData\Local\Temp\i.exe
PID 4904 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\i.exe | C:\Users\Admin\AppData\Local\Temp\a.exe
PID 4904 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\i.exe | C:\Users\Admin\AppData\Local\Temp\b.exe
PID 3460 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\b.exe | C:\Users\Admin\AppData\Local\Temp\winservice.exe
PID 4776 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe
PID 2000 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe
    "C:\Users\Admin\AppData\Local\Temp\0876731d852c663354e776410f30bb1574d6c7b8735b8a81dfa2f0270319e56d.exe"

C:\Users\Admin\AppData\Local\Temp\i.exe
    "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr

C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\b.exe
    "C:\Users\Admin\AppData\Local\Temp\b.exe"

C:\Users\Admin\AppData\Local\Temp\winservice.exe
    "C:\Users\Admin\AppData\Local\Temp\winservice.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 592

C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"

Network

Country | Destination | Domain | Proto
IE | 20.50.80.209:443 | | tcp

Files

memory/4904-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\i.exe

MD5 836c4dcf420ff7f371c39906f1b898ca
SHA1 9ca4c19c4c62fabdeac895d7fe1a1977335cb513
SHA256 ffed1e5608a31533993ba53512570501200b2ec0aa78e69436b2a10190fd495a
SHA512 d245ed58e414fa132449cc98794f7ded3229e32426979aba27247063b06a834bc167a3106d330e8642ad7ecc613697d7b773d9448a34c3ec4af1f15787d069fd

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 2d1abe0010abba56746a72c01a0ae657
SHA1 1d32ba947da45845213a1cf7191a6382555ab637
SHA256 633a7c1d49a3490d2f51c77779dce030c6d97edd3b01d6ff7600a091d9cb4f4c
SHA512 3299cd7387f5232cfc3e3168628546dcabfb0f1123771587572248e8210ce81f16545453a5d7e5fa16819237bbd3b99b6777c609904d94bfe266cd23ef90e2ba

memory/4776-133-0x0000000000000000-mapping.dmp

memory/3460-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\b.exe

MD5 ff7abad34e54ee4b43de1084192566e8
SHA1 091446f3b97d9d268796dffbd5530ce6111f990d
SHA256 b0658d7be4638246fc52ae7b9a6c9cdc5dbd75ab9f7e5a9354a81fdb903bb568
SHA512 d44d2194cdfbd98a233434254597aa6d22bdc75bc752ebe9c18332b1dd77543e750d23b155221a7dc31912440c1f7a886163f3e092e35ee48b9affa8249b17ab

memory/540-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\winservice.exe

MD5 b787eb188df2d6ae21b23088348fb91e
SHA1 1a3cfdce6931ccf47fb190ff8384ba33245cbd11
SHA256 23f494a8829b2363a4d9e42a36b46a8b13e26d9237e38058abd5ff1881ea6bd6
SHA512 fab6cb06033cd416fe9d7007f8feaca74b044efb6861f759de63a6236b650e9a3a8b7148bc65f2c0f92e7ff1235d86d5249c7456641dc78d1f0f4516882f47d0

memory/2000-144-0x0000000000000000-mapping.dmp

memory/2000-145-0x0000000000400000-0x000000000041F000-memory.dmp

memory/804-150-0x0000000000000000-mapping.dmp

memory/804-151-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2000-154-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2000-156-0x0000000000400000-0x000000000041F000-memory.dmp

memory/804-158-0x0000000000400000-0x0000000000414000-memory.dmp