isrstealer | 6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
Size

497KB
MD5

d6c276c413f1fe6213b92c21e8fb7085
SHA1

2d991d11879b6ee17db772e6d3f4eeab41f30d30
SHA256

6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7
SHA512

1f9723277c594f12aba942566eb57b653ffe1837482bc37645e11e0042b0a3275e5984f66abb6b51e885964f446aabdd785ab80a4f0f9f93f803bd3c3fcba6f2
SSDEEP

12288:I4/almoWQ9H+3n3yGVcRmrp8sfA1vIgMlfNn3jGv2/:NyhO9VcuisfA1vIVF3R/

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

resource	yara_rule
behavioral2/memory/5084-137-0x0000000000770000-0x00000000007B2000-memory.dmp	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
1320	natsv.exe
820	dnsmon.exe
812	natsv.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	natsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dnsmon.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3292 set thread context of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 820 set thread context of 3328	820	dnsmon.exe	99

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
1320	natsv.exe
1320	natsv.exe
3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe
812	natsv.exe
820	dnsmon.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
Token: SeDebugPrivilege	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
Token: SeDebugPrivilege	1320	natsv.exe
Token: SeDebugPrivilege	820	dnsmon.exe
Token: SeDebugPrivilege	820	dnsmon.exe
Token: SeDebugPrivilege	812	natsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2064	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	86
PID 3292 wrote to memory of 2064	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	86
PID 3292 wrote to memory of 2064	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	86
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5084	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	88
PID 3292 wrote to memory of 5004	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	89
PID 3292 wrote to memory of 5004	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	89
PID 3292 wrote to memory of 5004	3292	6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe	89
PID 5004 wrote to memory of 1320	5004	cmd.exe	91
PID 5004 wrote to memory of 1320	5004	cmd.exe	91
PID 5004 wrote to memory of 1320	5004	cmd.exe	91
PID 1320 wrote to memory of 1808	1320	natsv.exe	92
PID 1320 wrote to memory of 1808	1320	natsv.exe	92
PID 1320 wrote to memory of 1808	1320	natsv.exe	92
PID 1808 wrote to memory of 3608	1808	cmd.exe	94
PID 1808 wrote to memory of 3608	1808	cmd.exe	94
PID 1808 wrote to memory of 3608	1808	cmd.exe	94
PID 1320 wrote to memory of 820	1320	natsv.exe	97
PID 1320 wrote to memory of 820	1320	natsv.exe	97
PID 1320 wrote to memory of 820	1320	natsv.exe	97
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 3328	820	dnsmon.exe	99
PID 820 wrote to memory of 2040	820	dnsmon.exe	100
PID 820 wrote to memory of 2040	820	dnsmon.exe	100
PID 820 wrote to memory of 2040	820	dnsmon.exe	100
PID 2040 wrote to memory of 812	2040	cmd.exe	102
PID 2040 wrote to memory of 812	2040	cmd.exe	102
PID 2040 wrote to memory of 812	2040	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe
"C:\Users\Admin\AppData\Local\Temp\6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
        5⤵
        
        PID:3608
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        5⤵
        
        PID:3328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\natsv.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe

Filesize
497KB

MD5
d6c276c413f1fe6213b92c21e8fb7085

SHA1
2d991d11879b6ee17db772e6d3f4eeab41f30d30

SHA256
6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7

SHA512
1f9723277c594f12aba942566eb57b653ffe1837482bc37645e11e0042b0a3275e5984f66abb6b51e885964f446aabdd785ab80a4f0f9f93f803bd3c3fcba6f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe

Filesize
497KB

MD5
d6c276c413f1fe6213b92c21e8fb7085

SHA1
2d991d11879b6ee17db772e6d3f4eeab41f30d30

SHA256
6e540cf9eee4ad60a985bbaa05c31d20e96c33cde02ca2fdedc8893524894ad7

SHA512
1f9723277c594f12aba942566eb57b653ffe1837482bc37645e11e0042b0a3275e5984f66abb6b51e885964f446aabdd785ab80a4f0f9f93f803bd3c3fcba6f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
514B

MD5
9ea4654b54e6522e9d8fb0d1743c62af

SHA1
a874a55b86985f48787637096dfd9286b9ee0601

SHA256
d133a6e443c86364b0697f3d0362d336c551e064195043b880df5547ecbf851b

SHA512
53dfa6038a33ac89520a23aab5f98e2e966117d277db38a2e7550d8aca4f1030823062d3fb2533ebbb55fd0dcbceb1a4dafbc92a024dac11357c782d47942841

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
514B

MD5
9ea4654b54e6522e9d8fb0d1743c62af

SHA1
a874a55b86985f48787637096dfd9286b9ee0601

SHA256
d133a6e443c86364b0697f3d0362d336c551e064195043b880df5547ecbf851b

SHA512
53dfa6038a33ac89520a23aab5f98e2e966117d277db38a2e7550d8aca4f1030823062d3fb2533ebbb55fd0dcbceb1a4dafbc92a024dac11357c782d47942841

Download Submit
memory/812-165-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/812-163-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/820-149-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/820-164-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1320-150-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1320-145-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3292-133-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3292-132-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3292-151-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-137-0x0000000000770000-0x00000000007B2000-memory.dmp

Filesize
264KB

Download