isrstealer | 201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe
Size

929KB
MD5

577da7e578bc7f6457c7d3b5addcd380
SHA1

5aae15674a8f3bf5c26e66e5ed974a96a946c723
SHA256

201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e
SHA512

aecbab2bd16b9c78a9de3f5527a2be71a008db3cd8679b5d80f6a69e90b2c61c1d76817117c997909d4123ee6a2a579a8c52df20a8e4c6675649cb34208eece6
SSDEEP

24576:LNBI5aehOqLefJYBnOuu68GGUEtsh7N1Qq2j:U7hDLefJaOV68OX4j

Score

10^/10

isrstealer collection evasion persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 9 IoCs

resource	yara_rule
behavioral1/memory/1952-67-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1952-68-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1952-82-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1952-95-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1492-107-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1492-122-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1492-133-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1952-143-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1952-157-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1900-93-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1900-94-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1576-132-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1100-175-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/1900-93-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1900-94-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1576-132-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1100-175-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1456	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
1592	JMpbiEfXrrXD.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/472-74-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/472-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/472-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/472-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/472-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/472-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1900-86-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1900-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1900-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1900-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1900-94-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1348-117-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1348-119-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1348-120-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1348-121-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1576-128-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1576-130-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1576-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1892-153-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1892-155-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1892-156-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1892-158-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1100-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe
1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe
1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe
1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe
316	WScript.exe
1820	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	JMpbiEfXrrXD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\c794iancyy78 = "C:\\Users\\Admin\\c794iancyy78\\57076.vbs"	JMpbiEfXrrXD.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	JMpbiEfXrrXD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\c794iancyy78 = "C:\\Users\\Admin\\c794iancyy78\\57076.vbs"	JMpbiEfXrrXD.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	JMpbiEfXrrXD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\c794iancyy78 = "C:\\Users\\Admin\\c794iancyy78\\57076.vbs"	JMpbiEfXrrXD.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JMpbiEfXrrXD.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JMpbiEfXrrXD.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JMpbiEfXrrXD.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1952 set thread context of 472	1952	RegSvcs.exe	30
PID 1952 set thread context of 1900	1952	RegSvcs.exe	31
PID 804 set thread context of 1492	804	JMpbiEfXrrXD.exe	34
PID 1492 set thread context of 1348	1492	RegSvcs.exe	35
PID 1492 set thread context of 1576	1492	RegSvcs.exe	38
PID 1592 set thread context of 1952	1592	JMpbiEfXrrXD.exe	41
PID 1952 set thread context of 1892	1952	RegSvcs.exe	42
PID 1952 set thread context of 1100	1952	RegSvcs.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
1456	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe
804	JMpbiEfXrrXD.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1456	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	804	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe
Token: SeDebugPrivilege	1592	JMpbiEfXrrXD.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1952	RegSvcs.exe
1492	RegSvcs.exe
1952	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1280 wrote to memory of 1456	1280	201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe	28
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1456 wrote to memory of 1952	1456	JMpbiEfXrrXD.exe	29
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 472	1952	RegSvcs.exe	30
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1952 wrote to memory of 1900	1952	RegSvcs.exe	31
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 1456 wrote to memory of 316	1456	JMpbiEfXrrXD.exe	32
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 316 wrote to memory of 804	316	WScript.exe	33
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 804 wrote to memory of 1492	804	JMpbiEfXrrXD.exe	34
PID 1492 wrote to memory of 1348	1492	RegSvcs.exe	35

C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe
"C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe
  "C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\8vw8Z9vTzr.ini"
      4⤵
      PID:472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\LW6wqIAnOV.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\C794IA~1\run.vbs"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe
      "C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\7k29Zy1S4R.ini"
        6⤵
        
        PID:1348
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\cR7UMEvs4j.ini"
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:1576
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\C794IA~1\run.vbs"
        5⤵
        Loads dropped DLL
        
        PID:1820
      - C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe
        
        "C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\njCMlq1gjP.ini"
        8⤵
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Mf4sZavbm5.ini"
        8⤵
        Accesses Microsoft Outlook accounts
        
        PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
6f59ed058aa06aaf5ec6213b955aabd4

SHA1
baf7b828a563b8fb6111e4ce35e0055575ad80b4

SHA256
2d82e2629fa2e08f28b43b15da43dff56c7f4b23b39d66109c7c61998e35b4d5

SHA512
6b0f041dafb98b9eaf70ac0d20a98c56e1c42231c4a4ae6e11582b20d20bf8f96dfd7747739a10d77368994441adb0e181b356f8569697b1f22ab4fe931170ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
0698dbc93ba7b6bef73ba316695f8317

SHA1
a444078ff1eb7c88f52cb4e324365926b491ed47

SHA256
263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c

SHA512
ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
952173ff1855723f2f4e5c282844b5e5

SHA1
6b1d0ccf8cc2c1e39ce78ed7ad8e531a14be50d2

SHA256
c577344517d26b9aeda2b9f547de6aac7e8373e37791f2c640755429c3a8356c

SHA512
11eea3173f221d19d5d05eaa0f3e3aacfba5a7806df0475ec9c95ebc8bd6658db4eb2eea0022e2767bd07a941de698ba4ac73346308b74b4ea17b0afa596620d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85735e5f1bf0aac778861db816de4248

SHA1
6c7908563c40f9676fb1312e753f0dbb7869fe46

SHA256
ab0ac690956356bcdd0e58a3099ddeee7b93ce3cdb66362025518be456774dfb

SHA512
be239460ded5dd02ef397143c25ce069182004993f2d864369c483da0cf396bbd9d09f9c2c7ccae91e5d4546081b2b7bbf1fea49ce65c4eec7eb643ca32fe144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
fb420faf1a8060e26787c59802035b4e

SHA1
1f522ff9cb2a5f78e1321e0b888127184b585114

SHA256
7ff1d04af52b1251b58e4d018ddcacb0a1621b2c41e6f2f24b6105fbb5fa4ae6

SHA512
8a2404f6396e7b4125e1bf6da5f094c6960d7b2143bc450a2c3f70fbf25e4966dee3b858132cc9604628bfeaa93aec723f516dcfaa9a9c39ea797ad18722e0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7k29Zy1S4R.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vw8Z9vTzr.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\njCMlq1gjP.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\C794IA~1\NCEyjI.FUL

Filesize
260KB

MD5
38da5a8f4795f1773e399a47d2a4f5f0

SHA1
db243b8afeeb1a8e917e882179bbbb8fd38c2cd1

SHA256
51fde7624aacae5d06a01127c17a83095b82c514d80ef332c1b7ac0ed282536f

SHA512
58b0cbaa4047d4a9ae91c8fb3d1a9b9c48192e75c95248a9f0320fdab69896548a03349c238d6191bd19d6a176778c13c542db2ee1bf66d6320e93eb452c8219

Download Submit
C:\Users\Admin\C794IA~1\hztwzQgTDNh.BNB

Filesize
145B

MD5
8073adab69cdd3df4c6507b7abc36da0

SHA1
daf374b7ef1fd2099f1cd3bd34b445947be36bd2

SHA256
7abeaf9caa0d821556de8a7eccedf0779cbe84fb6c4f9b2042abde42ee152ab2

SHA512
457dd38ecd277e717423bcce11129b0fbcacd2d5baa4e0d0cf7b7a090b6360027c90657b120f790680d10de931efce9c61f63573984bc854b41fe9c9dd46ad37

Download Submit
C:\Users\Admin\C794IA~1\run.vbs

Filesize
95B

MD5
82ba923c8e5bc5c33edbdfde4d0906ff

SHA1
5cf7b2e9f48d5d6a6b927c1972037cce7f20f1c1

SHA256
1848f5da2d881bba471623052e7e1f1aeac1b4f0d29d8e8124440def4d97231d

SHA512
15ac03b84f06a2f0c35e2d75ea027a11371ae1c2bbef761998f9381080b7b0858c500db8d32239a691f6490745206cf6a2dd3cb345030684e3152145ac425f96

Download Submit
C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\c794iancyy78\mtxFlv.DIN

Filesize
34.3MB

MD5
509beeb65de89099db6d1e8c01da920a

SHA1
b8cb9b4afe15abf52221f4024e6aef925d7752f1

SHA256
475a6827e54a04b4e38f929e4fd01ca95015949a3ca64ab12db2e5fe471c5d10

SHA512
c47efc14e990ec15d13ef3ab2c10fc89fc24e5051abd802b517d623fee5604b8c76e223d30d7b84ff647ce5ceb50921b5b3f1fb9ab52a32220ab7117356c55a5

Download Submit
\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
memory/472-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/472-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/472-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/472-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/472-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/472-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1348-117-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1492-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-122-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1892-156-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1892-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1892-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download