isrstealer | 2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f

General

Target

2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe
Size

156KB
MD5

8115772851e1fdcf57a48d4b8d4c12fe
SHA1

35da657f12a22c2bb8773ba0a4e3e8dff0af4e53
SHA256

2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f
SHA512

406d7268d5ddd7d9a964a4acd6fa8c39e15d3465b55192c3c768dafccfb2fb5dc689c5ccf73dd31acc44329c9c227b77e32c8eebb56ca7c4b7bc248e25e890db
SSDEEP

3072:M1wyHU/zhrXhGoFwrTgj7obINT3guCvp3BMs:MIzhrXhGoyrMPobUT3LCvp3BM

Score

10^/10

isrstealer bootkit persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 7 IoCs

resource	yara_rule
behavioral2/memory/4928-134-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/4928-135-0x0000000000400000-0x000000000040F000-memory.dmp	family_isrstealer
behavioral2/memory/4928-141-0x0000000000400000-0x000000000040F000-memory.dmp	family_isrstealer
behavioral2/memory/4928-146-0x0000000000400000-0x000000000040F000-memory.dmp	family_isrstealer
behavioral2/memory/2988-148-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/2988-154-0x0000000000400000-0x000000000040F000-memory.dmp	family_isrstealer
behavioral2/memory/2988-155-0x0000000000400000-0x000000000040F000-memory.dmp	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
4648	service.exe
2988	service.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\service.exe"	service.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\service.exe"	service.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe
File opened for modification	\??\PhysicalDrive0	service.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 4648 set thread context of 2988	4648	service.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
228	2988	WerFault.exe	86

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe
4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe
4648	service.exe
2988	service.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 400 wrote to memory of 4928	400	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	82
PID 4928 wrote to memory of 1256	4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	83
PID 4928 wrote to memory of 1256	4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	83
PID 4928 wrote to memory of 1256	4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	83
PID 4928 wrote to memory of 4648	4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	85
PID 4928 wrote to memory of 4648	4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	85
PID 4928 wrote to memory of 4648	4928	2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe	85
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86
PID 4648 wrote to memory of 2988	4648	service.exe	86

C:\Users\Admin\AppData\Local\Temp\2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe
"C:\Users\Admin\AppData\Local\Temp\2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe
  "C:\Users\Admin\AppData\Local\Temp\2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\melt1.bat
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Roaming\service.exe
    "C:\Users\Admin\AppData\Roaming\service.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Users\Admin\AppData\Roaming\service.exe
      "C:\Users\Admin\AppData\Roaming\service.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 764
        5⤵
        Program crash
        
        PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt1.bat

Filesize
321B

MD5
51780a39adb02e48591523154ae6a7f7

SHA1
5ba0cb2b0e85d8d06f419c1ead882a391bebfdfd

SHA256
60c5462d2b7b8f1a46fa174d435a57df6cd0fd4a7963139debd8870379185e40

SHA512
516fb0be17358c5ea3c602e12ec52e63474abc739f1d12df015d09c70247195f0e462e937a0341d46377ee025b212f3c96cb051e73549b9e8a7ac6908c3f7b3d

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
156KB

MD5
8115772851e1fdcf57a48d4b8d4c12fe

SHA1
35da657f12a22c2bb8773ba0a4e3e8dff0af4e53

SHA256
2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f

SHA512
406d7268d5ddd7d9a964a4acd6fa8c39e15d3465b55192c3c768dafccfb2fb5dc689c5ccf73dd31acc44329c9c227b77e32c8eebb56ca7c4b7bc248e25e890db

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
156KB

MD5
8115772851e1fdcf57a48d4b8d4c12fe

SHA1
35da657f12a22c2bb8773ba0a4e3e8dff0af4e53

SHA256
2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f

SHA512
406d7268d5ddd7d9a964a4acd6fa8c39e15d3465b55192c3c768dafccfb2fb5dc689c5ccf73dd31acc44329c9c227b77e32c8eebb56ca7c4b7bc248e25e890db

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
156KB

MD5
8115772851e1fdcf57a48d4b8d4c12fe

SHA1
35da657f12a22c2bb8773ba0a4e3e8dff0af4e53

SHA256
2adb40401a2e732139725aff2a4dc3e8b3ad8c08c197c1bb73313ee5a1539b9f

SHA512
406d7268d5ddd7d9a964a4acd6fa8c39e15d3465b55192c3c768dafccfb2fb5dc689c5ccf73dd31acc44329c9c227b77e32c8eebb56ca7c4b7bc248e25e890db

Download Submit
memory/2988-154-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2988-155-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4928-141-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4928-135-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4928-146-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing