Analysis

  • max time kernel
    105s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 07:47

General

  • Target

    TT Copy.exe

  • Size

    882KB

  • MD5

    b6de2482b98fce903d3692d9c0160ef2

  • SHA1

    53d6ffc6c70417c12c67108e68a068d01dc31065

  • SHA256

    2c34e7bd53c5880be9898396ead603f70536254c468584b500d8a2e8acf44393

  • SHA512

    03fbba2e5e174f105ef70e53824c2a18fc82c49ce7469929a6904be3b98fd151e1c9587a429bb5ba42e4abd50515bdaf7aeb1c495db79e50f8e42328770e44bc

  • SSDEEP

    12288:itdhEsXr70C7yHybdfMoclgKYEu9dbJE8arAVycIjtx9RwJ01WPbU7NI51u/33E0:+dh1797tR2gKU68alckZQ9z1Cwolt5

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\TT Copy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\CNHRO\run.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Users\Admin\CNHRO\AutoIt3-4079.exe
        "C:\Users\Admin\CNHRO\AutoIt3-4079.exe" 318196.dat
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Users\Admin\CNHRO\AutoIt3-4079.exe
          AutoIt3-4079.exe QCLVVEIO.dat
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:444
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\GlnXRFSI6k.ini"
              6⤵
                PID:4720
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 80
                  7⤵
                  • Program crash
                  PID:2244
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\L24XZdfmyH.ini"
                6⤵
                • Accesses Microsoft Outlook accounts
                PID:3424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 4720
      1⤵
        PID:4068

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\CNHRO\318196.dat

        Filesize

        3.6MB

        MD5

        a2cd599138665c5e9ee496357bd2e58a

        SHA1

        647cbf3d81d594590efe03fbf60f7eda05c2fa2f

        SHA256

        aeeb66086166d68c9e2d08bfdcbd5c32c1566f4019efd1a530121585c3c0f168

        SHA512

        eef51998dec27418df9ada527914d823d047a88cd3b066f94ebe3adb008889d7ca75e54cdce28fbdf1d775873b61f26b05ee57bf9da80e0d7be375ba0309e4a2

      • C:\Users\Admin\CNHRO\332136.dat

        Filesize

        260KB

        MD5

        093c324e68cbb8bc44b9e6a4e8c4cf6c

        SHA1

        e127e98a51538420dd823d726ee143584cf0aca7

        SHA256

        eedc0bd0c5fdab6cca78ddfc9c081076dbb09f4408a1604d2af0d7912cf88f05

        SHA512

        c74eb71ba0e098059fa14c37dacbb425c44b500b0418aebd1803aef5f2cbc85015b969354c8c6a0e74eb8131f03a7600306bec4abf7cf9d55e676236736bf29a

      • C:\Users\Admin\CNHRO\497271.dat

        Filesize

        25KB

        MD5

        5ee5144e5ed4b5866efc1154509a8934

        SHA1

        3eca43cd0c8bba3c4599b738bdbbb20f89439b49

        SHA256

        fe717269010d36f1b69d0689841eabc301cc18da6921d2eef8221b63f3733e43

        SHA512

        42099be5a9740947ee19252d09fa493e34b0cbdbc266be93fecbbb0c034f2a32cca7cb0cbb126949b8deb469c8bb31f448a8987d86bfc3fb1702a90f0585bb93

      • C:\Users\Admin\CNHRO\AutoIt3-4079.exe

        Filesize

        732KB

        MD5

        71d8f6d5dc35517275bc38ebcc815f9f

        SHA1

        cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

        SHA256

        fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

        SHA512

        4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      • C:\Users\Admin\CNHRO\QCLVVEIO.dat

        Filesize

        25KB

        MD5

        327d7da1fb77f05b9ec59f08df90d6d0

        SHA1

        63b5c37aef582bd320d33e33f4bb69716b5fdca5

        SHA256

        562fd103d177f14a973a23cc07dc679b008b80f933059b9c6ea6466a2bca2ebb

        SHA512

        296b210dda77360c1edfc08c8bdcc8098febb2454a6e8f58e36214ba6d8aaa1e22e31c1ca5c0eca45041383743d2fbc9fb536f1dc28a015509e73a9d745b5377

      • C:\Users\Admin\CNHRO\run.vbs

        Filesize

        63B

        MD5

        dbd84a94ae505a5ece3108a6de53161e

        SHA1

        a3f2a48b67de94d7a49ac9ef3dd23d1c1d3df4ce

        SHA256

        d0500f159f93f27b4f39c57eed8bb076d3906f6d7bbc8ad7082c801b3b24d168

        SHA512

        c4fc9c48570cfcf4a4f088513076c0934abd1738139e5f441f48df481f98fd5f4fb1dfa4557f6a0851e6c52b6e57d70248650593d78460202f5bbbcbf767274a

      • C:\Users\Admin\CNHRO\settings.ini

        Filesize

        103B

        MD5

        ee3d0f1203aad6c23f80ec36ea3696d3

        SHA1

        43bac47bd25876670f66f7f52ff1540165bef95a

        SHA256

        44a4dbdce6ba9d5caa4794ce67e7a9f6813c9d8486fe9b06495b33459b7cd17b

        SHA512

        82b08bfccb0a16c00f5071a77a0a930fcab35c98cb661762d851c8825ca96fbb7f1904a74f878d1720787754b20b4d04c02597a9b8f70790e39dcb8843f3c25f

      • memory/444-146-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

      • memory/444-145-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

      • memory/3424-152-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/3424-154-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/3424-155-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/3424-156-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB