isrstealer | 9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016

Analysis

max time kernel
85s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
Size

1.2MB
MD5

675b2173674cd94a84a4eb20d2eafe6c
SHA1

c6ce45ac376cff4d5cc48a561850245a4be138a5
SHA256

9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016
SHA512

367a684b00bd8b2e4f5c915e4eae12efed44681afb369c5fe3eb555fbb9c59243afd1e29d8112428937025c9061fadb86b8e1e17e34ea9dc98c10c7b82351893
SSDEEP

24576:17uhAWsJKisl8xvymr9ZgKDrxyTkNr3OMJz33to2yERUr4aA:puW9bRxvfr9ZzxyC/JD3tPGs

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022dec-134.dat	family_isrstealer
behavioral2/files/0x0001000000022dec-137.dat	family_isrstealer
behavioral2/files/0x0001000000022dec-146.dat	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
3344	1.exe
212	2.exe
3748	1.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022ded-136.dat	upx
behavioral2/files/0x0001000000022ded-138.dat	upx
behavioral2/memory/3748-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3748-148-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3748-149-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3748-150-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/212-151-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/212-156-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe

Loads dropped DLL 3 IoCs

pid	Process
212	2.exe
212	2.exe
212	2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3344 set thread context of 3748	3344	1.exe	89

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3344	1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3344	1292	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	87
PID 1292 wrote to memory of 3344	1292	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	87
PID 1292 wrote to memory of 3344	1292	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	87
PID 1292 wrote to memory of 212	1292	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	88
PID 1292 wrote to memory of 212	1292	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	88
PID 1292 wrote to memory of 212	1292	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	88
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89
PID 3344 wrote to memory of 3748	3344	1.exe	89

C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
"C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
    3⤵
    - Executes dropped EXE
    PID:3748
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\0VK5IQH2\2\plugins\0\CustomUI.dll

Filesize
344KB

MD5
04eecd03af7eafb84b6581a5b37d275e

SHA1
3351059d04a2e9f9f0a3719083eeda03dab0f124

SHA256
39ba967edebb288f921c37348d7c21b05e3af40033e0eb386f35b4be2b04be50

SHA512
19088141aa48e1bb74202d09751006fa9182568750caa7e3132169c66c9fee4a784cb1139c954b1c940f9578cfa51be7474c09780cc6fda3022e69eeec9c21d9

Download Submit
C:\Temp\0VK5IQH2\2\plugins\0\CustomUI.dll

Filesize
344KB

MD5
04eecd03af7eafb84b6581a5b37d275e

SHA1
3351059d04a2e9f9f0a3719083eeda03dab0f124

SHA256
39ba967edebb288f921c37348d7c21b05e3af40033e0eb386f35b4be2b04be50

SHA512
19088141aa48e1bb74202d09751006fa9182568750caa7e3132169c66c9fee4a784cb1139c954b1c940f9578cfa51be7474c09780cc6fda3022e69eeec9c21d9

Download Submit
C:\Temp\0VK5IQH2\unpack.dll

Filesize
34KB

MD5
705aa1dc6f5fb72a2182ffd2c95bfa2e

SHA1
08de4589e01d3f0f589209baf8b669fae04b5875

SHA256
ec8361e43f0f83d0da13261718b8791e5517375fce67b4055d390353a5b2ca00

SHA512
5d00edf396efc5c130e1e7071fe027afaaa35d4d746441a1f0e0736c4828941e55e49f5319f5c1739bd75d2b5e03504d59284b2754430e0053e3f8d5f2702e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/212-142-0x0000000002300000-0x0000000002327000-memory.dmp

Filesize
156KB

Download
memory/212-143-0x0000000002301000-0x000000000231E000-memory.dmp

Filesize
116KB

Download
memory/212-156-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/212-154-0x0000000002B70000-0x0000000002BCC000-memory.dmp

Filesize
368KB

Download
memory/212-151-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1292-132-0x00007FFBFD270000-0x00007FFBFDCA6000-memory.dmp

Filesize
10.2MB

Download
memory/3748-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3748-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3748-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3748-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download