isrstealer | 5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
Size

374KB
MD5

667f558981c23c80e398f754b44a603f
SHA1

df5b15120dc36c4507742f6317d9eb1034e57a50
SHA256

5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129
SHA512

d0def62704fab1029410c10bafca743ff06f8e023a33dde64b6da934ee80ff84a2663a128bcf25f16ca3c47d9329c1a13fe38c45c4c92e5853c4d652dd7c35b9
SSDEEP

6144:xPnobS75poRPw/I+GtlKAyu/zpzIyEpR4d1v4CVCASiMu:hoS5poNwg+GtluYz1IyKK5RV

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 19 IoCs

resource	yara_rule
behavioral1/memory/1388-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1388-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1388-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1388-78-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1388-91-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1388-107-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1564-114-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1564-125-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1564-138-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/636-145-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/636-156-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/636-166-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/956-173-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/956-184-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/956-194-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1644-201-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1644-212-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1572-228-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1572-239-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 9 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1364-98-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1364-99-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1364-100-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/952-135-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/952-136-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1724-164-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1724-165-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/556-193-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/520-221-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1364-98-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1364-99-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1364-100-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/952-135-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/952-136-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1724-164-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1724-165-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/556-193-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/520-221-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
740	ddpss.exe
1736	udpsv.exe
1268	ddpss.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-67-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1704-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1704-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1704-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1704-87-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1364-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1364-97-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1364-98-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1364-99-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1364-100-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/368-122-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/368-123-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/368-124-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/952-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/952-135-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/952-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1752-153-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1752-154-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1752-155-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1724-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1792-183-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/556-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1596-211-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/520-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1480-238-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
764	dw20.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1388 set thread context of 1704	1388	vbc.exe	27
PID 1388 set thread context of 1364	1388	vbc.exe	32
PID 1416 set thread context of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1564 set thread context of 368	1564	vbc.exe	36
PID 1564 set thread context of 952	1564	vbc.exe	37
PID 1416 set thread context of 636	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	39
PID 636 set thread context of 1752	636	vbc.exe	40
PID 636 set thread context of 1724	636	vbc.exe	41
PID 1416 set thread context of 956	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	43
PID 956 set thread context of 1792	956	vbc.exe	44
PID 956 set thread context of 556	956	vbc.exe	45
PID 1416 set thread context of 1644	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	47
PID 1644 set thread context of 1596	1644	vbc.exe	48
PID 1644 set thread context of 520	1644	vbc.exe	49
PID 1416 set thread context of 1572	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	51
PID 1572 set thread context of 1480	1572	vbc.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
740	ddpss.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
Token: SeDebugPrivilege	740	ddpss.exe
Token: SeDebugPrivilege	1736	udpsv.exe
Token: SeDebugPrivilege	1268	ddpss.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1388	vbc.exe
1564	vbc.exe
636	vbc.exe
956	vbc.exe
1644	vbc.exe
1572	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1416 wrote to memory of 1388	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	26
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1388 wrote to memory of 1704	1388	vbc.exe	27
PID 1416 wrote to memory of 740	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	28
PID 1416 wrote to memory of 740	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	28
PID 1416 wrote to memory of 740	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	28
PID 1416 wrote to memory of 740	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	28
PID 740 wrote to memory of 1736	740	ddpss.exe	29
PID 740 wrote to memory of 1736	740	ddpss.exe	29
PID 740 wrote to memory of 1736	740	ddpss.exe	29
PID 740 wrote to memory of 1736	740	ddpss.exe	29
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1388 wrote to memory of 1364	1388	vbc.exe	32
PID 1416 wrote to memory of 1268	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	33
PID 1416 wrote to memory of 1268	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	33
PID 1416 wrote to memory of 1268	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	33
PID 1416 wrote to memory of 1268	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	33
PID 1736 wrote to memory of 764	1736	udpsv.exe	34
PID 1736 wrote to memory of 764	1736	udpsv.exe	34
PID 1736 wrote to memory of 764	1736	udpsv.exe	34
PID 1736 wrote to memory of 764	1736	udpsv.exe	34
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1416 wrote to memory of 1564	1416	5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe	35
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 368	1564	vbc.exe	36
PID 1564 wrote to memory of 952	1564	vbc.exe	37
PID 1564 wrote to memory of 952	1564	vbc.exe	37
PID 1564 wrote to memory of 952	1564	vbc.exe	37
PID 1564 wrote to memory of 952	1564	vbc.exe	37
PID 1564 wrote to memory of 952	1564	vbc.exe	37

C:\Users\Admin\AppData\Local\Temp\5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe
"C:\Users\Admin\AppData\Local\Temp\5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\u0TCPW57ZW.ini"
    3⤵
    PID:1704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\3zyVX1UGeq.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 652
      4⤵
      Loads dropped DLL
      PID:764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\zpjEl3kUO7.ini"
    3⤵
    PID:368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\uq3DcEZzgB.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:952
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\8XIZok3HrK.ini"
    3⤵
    PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\uJE246HxQw.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1724
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\iW4yLwFT0e.ini"
    3⤵
    PID:1792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\epTvZ7ktYl.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:556
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\KEJBwRqMJl.ini"
    3⤵
    PID:1596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\cYOn67t55n.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1572
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\uJgDJrv2XP.ini"
    3⤵
    PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8XIZok3HrK.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEJBwRqMJl.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iW4yLwFT0e.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0TCPW57ZW.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpjEl3kUO7.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe

Filesize
11KB

MD5
354c75cc8a921b6ba9749e64de08f261

SHA1
67390585b73570f9fa3ca861b37d852e64911437

SHA256
09baae74521dddfa4a50886ad79cb76b98d67386b38810fd0e95bbbb2eea26fc

SHA512
7b27b54528290d3bbb214a8627f7ce077fc520c28a158e2739b1aef276b2a978382161b6acc23cfb5147d437fa401a31c9dc2ba2c75e89123a5ed06cf158579b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe

Filesize
11KB

MD5
354c75cc8a921b6ba9749e64de08f261

SHA1
67390585b73570f9fa3ca861b37d852e64911437

SHA256
09baae74521dddfa4a50886ad79cb76b98d67386b38810fd0e95bbbb2eea26fc

SHA512
7b27b54528290d3bbb214a8627f7ce077fc520c28a158e2739b1aef276b2a978382161b6acc23cfb5147d437fa401a31c9dc2ba2c75e89123a5ed06cf158579b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe

Filesize
11KB

MD5
354c75cc8a921b6ba9749e64de08f261

SHA1
67390585b73570f9fa3ca861b37d852e64911437

SHA256
09baae74521dddfa4a50886ad79cb76b98d67386b38810fd0e95bbbb2eea26fc

SHA512
7b27b54528290d3bbb214a8627f7ce077fc520c28a158e2739b1aef276b2a978382161b6acc23cfb5147d437fa401a31c9dc2ba2c75e89123a5ed06cf158579b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
374KB

MD5
667f558981c23c80e398f754b44a603f

SHA1
df5b15120dc36c4507742f6317d9eb1034e57a50

SHA256
5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129

SHA512
d0def62704fab1029410c10bafca743ff06f8e023a33dde64b6da934ee80ff84a2663a128bcf25f16ca3c47d9329c1a13fe38c45c4c92e5853c4d652dd7c35b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
374KB

MD5
667f558981c23c80e398f754b44a603f

SHA1
df5b15120dc36c4507742f6317d9eb1034e57a50

SHA256
5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129

SHA512
d0def62704fab1029410c10bafca743ff06f8e023a33dde64b6da934ee80ff84a2663a128bcf25f16ca3c47d9329c1a13fe38c45c4c92e5853c4d652dd7c35b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ddpss.exe

Filesize
11KB

MD5
354c75cc8a921b6ba9749e64de08f261

SHA1
67390585b73570f9fa3ca861b37d852e64911437

SHA256
09baae74521dddfa4a50886ad79cb76b98d67386b38810fd0e95bbbb2eea26fc

SHA512
7b27b54528290d3bbb214a8627f7ce077fc520c28a158e2739b1aef276b2a978382161b6acc23cfb5147d437fa401a31c9dc2ba2c75e89123a5ed06cf158579b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
374KB

MD5
667f558981c23c80e398f754b44a603f

SHA1
df5b15120dc36c4507742f6317d9eb1034e57a50

SHA256
5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129

SHA512
d0def62704fab1029410c10bafca743ff06f8e023a33dde64b6da934ee80ff84a2663a128bcf25f16ca3c47d9329c1a13fe38c45c4c92e5853c4d652dd7c35b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
374KB

MD5
667f558981c23c80e398f754b44a603f

SHA1
df5b15120dc36c4507742f6317d9eb1034e57a50

SHA256
5bbab8bdd280283872da971fb455b44f410dfc0ff0a5a2fbe0aa091462071129

SHA512
d0def62704fab1029410c10bafca743ff06f8e023a33dde64b6da934ee80ff84a2663a128bcf25f16ca3c47d9329c1a13fe38c45c4c92e5853c4d652dd7c35b9

Download Submit
memory/368-123-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/368-122-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/368-124-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/520-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/556-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/636-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/740-84-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/740-90-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/740-101-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/952-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/956-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-137-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1268-105-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1388-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-91-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-55-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1416-56-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-238-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1572-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1644-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-67-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-87-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1724-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-92-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-86-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-154-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1792-183-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download