isrstealer | 2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393

Analysis

max time kernel
82s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe
Size

882KB
MD5

b6de2482b98fce903d3692d9c0160ef2
SHA1

53d6ffc6c70417c12c67108e68a068d01dc31065
SHA256

2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393
SHA512

03fbba2e5e174f105ef70e53824c2a18fc82c49ce7469929a6904be3b98fd151e1c9587a429bb5ba42e4abd50515bdaf7aeb1c495db79e50f8e42328770e44bc
SSDEEP

12288:itdhEsXr70C7yHybdfMoclgKYEu9dbJE8arAVycIjtx9RwJ01WPbU7NI51u/33E0:+dh1797tR2gKU68alckZQ9z1Cwolt5

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4768-145-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4768-147-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4768-156-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4768-164-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/680-162-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/680-163-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/680-162-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/680-163-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
4476	AutoIt3-4079.exe
4572	AutoIt3-4079.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3508-151-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3508-153-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3508-154-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3508-155-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/680-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/680-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/680-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/680-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4572 set thread context of 4768	4572	AutoIt3-4079.exe	87
PID 4768 set thread context of 3508	4768	RegSvcs.exe	88
PID 4768 set thread context of 680	4768	RegSvcs.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4768	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1888	4980	2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe	84
PID 4980 wrote to memory of 1888	4980	2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe	84
PID 4980 wrote to memory of 1888	4980	2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe	84
PID 1888 wrote to memory of 4476	1888	WScript.exe	85
PID 1888 wrote to memory of 4476	1888	WScript.exe	85
PID 1888 wrote to memory of 4476	1888	WScript.exe	85
PID 4476 wrote to memory of 4572	4476	AutoIt3-4079.exe	86
PID 4476 wrote to memory of 4572	4476	AutoIt3-4079.exe	86
PID 4476 wrote to memory of 4572	4476	AutoIt3-4079.exe	86
PID 4572 wrote to memory of 4768	4572	AutoIt3-4079.exe	87
PID 4572 wrote to memory of 4768	4572	AutoIt3-4079.exe	87
PID 4572 wrote to memory of 4768	4572	AutoIt3-4079.exe	87
PID 4572 wrote to memory of 4768	4572	AutoIt3-4079.exe	87
PID 4572 wrote to memory of 4768	4572	AutoIt3-4079.exe	87
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 3508	4768	RegSvcs.exe	88
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90
PID 4768 wrote to memory of 680	4768	RegSvcs.exe	90

C:\Users\Admin\AppData\Local\Temp\2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe
"C:\Users\Admin\AppData\Local\Temp\2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\CNHRO\run.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\CNHRO\AutoIt3-4079.exe
    "C:\Users\Admin\CNHRO\AutoIt3-4079.exe" 318196.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\CNHRO\AutoIt3-4079.exe
      AutoIt3-4079.exe EYVVFJMY.dat
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\hcaye5cu1g.ini"
        6⤵
        
        PID:3508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Nn5UfSmhOO.ini"
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcaye5cu1g.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\CNHRO\318196.dat

Filesize
3.6MB

MD5
a2cd599138665c5e9ee496357bd2e58a

SHA1
647cbf3d81d594590efe03fbf60f7eda05c2fa2f

SHA256
aeeb66086166d68c9e2d08bfdcbd5c32c1566f4019efd1a530121585c3c0f168

SHA512
eef51998dec27418df9ada527914d823d047a88cd3b066f94ebe3adb008889d7ca75e54cdce28fbdf1d775873b61f26b05ee57bf9da80e0d7be375ba0309e4a2

Download Submit
C:\Users\Admin\CNHRO\332136.dat

Filesize
260KB

MD5
093c324e68cbb8bc44b9e6a4e8c4cf6c

SHA1
e127e98a51538420dd823d726ee143584cf0aca7

SHA256
eedc0bd0c5fdab6cca78ddfc9c081076dbb09f4408a1604d2af0d7912cf88f05

SHA512
c74eb71ba0e098059fa14c37dacbb425c44b500b0418aebd1803aef5f2cbc85015b969354c8c6a0e74eb8131f03a7600306bec4abf7cf9d55e676236736bf29a

Download Submit
C:\Users\Admin\CNHRO\497271.dat

Filesize
25KB

MD5
5ee5144e5ed4b5866efc1154509a8934

SHA1
3eca43cd0c8bba3c4599b738bdbbb20f89439b49

SHA256
fe717269010d36f1b69d0689841eabc301cc18da6921d2eef8221b63f3733e43

SHA512
42099be5a9740947ee19252d09fa493e34b0cbdbc266be93fecbbb0c034f2a32cca7cb0cbb126949b8deb469c8bb31f448a8987d86bfc3fb1702a90f0585bb93

Download Submit
C:\Users\Admin\CNHRO\AutoIt3-4079.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\CNHRO\AutoIt3-4079.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\CNHRO\AutoIt3-4079.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\CNHRO\EYVVFJMY.dat

Filesize
25KB

MD5
327d7da1fb77f05b9ec59f08df90d6d0

SHA1
63b5c37aef582bd320d33e33f4bb69716b5fdca5

SHA256
562fd103d177f14a973a23cc07dc679b008b80f933059b9c6ea6466a2bca2ebb

SHA512
296b210dda77360c1edfc08c8bdcc8098febb2454a6e8f58e36214ba6d8aaa1e22e31c1ca5c0eca45041383743d2fbc9fb536f1dc28a015509e73a9d745b5377

Download Submit
C:\Users\Admin\CNHRO\run.vbs

Filesize
63B

MD5
dbd84a94ae505a5ece3108a6de53161e

SHA1
a3f2a48b67de94d7a49ac9ef3dd23d1c1d3df4ce

SHA256
d0500f159f93f27b4f39c57eed8bb076d3906f6d7bbc8ad7082c801b3b24d168

SHA512
c4fc9c48570cfcf4a4f088513076c0934abd1738139e5f441f48df481f98fd5f4fb1dfa4557f6a0851e6c52b6e57d70248650593d78460202f5bbbcbf767274a

Download Submit
C:\Users\Admin\CNHRO\settings.ini

Filesize
103B

MD5
ee3d0f1203aad6c23f80ec36ea3696d3

SHA1
43bac47bd25876670f66f7f52ff1540165bef95a

SHA256
44a4dbdce6ba9d5caa4794ce67e7a9f6813c9d8486fe9b06495b33459b7cd17b

SHA512
82b08bfccb0a16c00f5071a77a0a930fcab35c98cb661762d851c8825ca96fbb7f1904a74f878d1720787754b20b4d04c02597a9b8f70790e39dcb8843f3c25f

Download Submit
memory/680-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/680-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/680-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/680-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3508-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3508-154-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3508-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3508-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4768-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download