isrstealer | 4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
Size

358KB
MD5

5709c6a4da3cea082e45480ce2f97a60
SHA1

6d8eed5918879e75ff3e3e80dd4f5dc87ac14355
SHA256

4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07
SHA512

5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5
SSDEEP

6144:XABPDbnTXGxIBtPr+wKVa10gJDfIiFIULcnw5KrTsioFaj0uCDHphVmMjX58:XABPDbTXGxIBZSwb1ZfZsrToF00uCDN5

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 9 IoCs

resource	yara_rule
behavioral1/memory/1176-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1176-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1176-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1176-79-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1176-98-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1176-100-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1744-109-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1744-118-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1744-127-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2000-96-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2000-97-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1648-125-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1648-126-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/2000-96-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2000-97-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1648-125-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1648-126-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
1204	CryptSvc.exe
300	EFS.exe
1744	EFS.exe
1960	EFS.exe
1648	EFS.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/628-68-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/628-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/628-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/628-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/628-88-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2000-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-95-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-96-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-97-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1648-124-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1648-125-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1648-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	EFS.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1176 set thread context of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 set thread context of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 300 set thread context of 1744	300	EFS.exe	34
PID 1744 set thread context of 1960	1744	EFS.exe	35
PID 1744 set thread context of 1648	1744	EFS.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1204	CryptSvc.exe
1204	CryptSvc.exe
300	EFS.exe
300	EFS.exe
300	EFS.exe
1204	CryptSvc.exe
300	EFS.exe
300	EFS.exe
300	EFS.exe
1204	CryptSvc.exe
300	EFS.exe
300	EFS.exe
300	EFS.exe
1204	CryptSvc.exe
300	EFS.exe
300	EFS.exe
300	EFS.exe
1204	CryptSvc.exe
300	EFS.exe
300	EFS.exe
300	EFS.exe
300	EFS.exe
1204	CryptSvc.exe
300	EFS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
Token: SeDebugPrivilege	1204	CryptSvc.exe
Token: SeDebugPrivilege	300	EFS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
1744	EFS.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1064 wrote to memory of 1176	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	27
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1176 wrote to memory of 628	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	28
PID 1064 wrote to memory of 1204	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	29
PID 1064 wrote to memory of 1204	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	29
PID 1064 wrote to memory of 1204	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	29
PID 1064 wrote to memory of 1204	1064	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	29
PID 1204 wrote to memory of 300	1204	CryptSvc.exe	30
PID 1204 wrote to memory of 300	1204	CryptSvc.exe	30
PID 1204 wrote to memory of 300	1204	CryptSvc.exe	30
PID 1204 wrote to memory of 300	1204	CryptSvc.exe	30
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 1176 wrote to memory of 2000	1176	4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe	33
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 300 wrote to memory of 1744	300	EFS.exe	34
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1960	1744	EFS.exe	35
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36
PID 1744 wrote to memory of 1648	1744	EFS.exe	36

C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
"C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
  "C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\fxxhzVywhK.ini"
    3⤵
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\VUo2t6rPOy.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\y3a5y6bpfS.ini"
        5⤵
        Executes dropped EXE
        
        PID:1960
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\EOx1gX8lr9.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fxxhzVywhK.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

Filesize
9KB

MD5
cd53082af28f46603b899c69fb8e449f

SHA1
d0034c9b7427cc0e045a5a5696870d988f96fbd1

SHA256
30ef28dbc8c9e308ae559d1bce7c4338c1c4d94ee3700bfe09dfc5b816bb5704

SHA512
cf62c72a417d2fb473fdc721b0c88d9cad8527d18658021af2ad825c8de1c1cb1544593aa4b1519f9a1d1401959efa21954cdb9065753a91922b520f96f5478e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

Filesize
9KB

MD5
cd53082af28f46603b899c69fb8e449f

SHA1
d0034c9b7427cc0e045a5a5696870d988f96fbd1

SHA256
30ef28dbc8c9e308ae559d1bce7c4338c1c4d94ee3700bfe09dfc5b816bb5704

SHA512
cf62c72a417d2fb473fdc721b0c88d9cad8527d18658021af2ad825c8de1c1cb1544593aa4b1519f9a1d1401959efa21954cdb9065753a91922b520f96f5478e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
358KB

MD5
5709c6a4da3cea082e45480ce2f97a60

SHA1
6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

SHA256
4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

SHA512
5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
358KB

MD5
5709c6a4da3cea082e45480ce2f97a60

SHA1
6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

SHA256
4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

SHA512
5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
358KB

MD5
5709c6a4da3cea082e45480ce2f97a60

SHA1
6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

SHA256
4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

SHA512
5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
358KB

MD5
5709c6a4da3cea082e45480ce2f97a60

SHA1
6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

SHA256
4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

SHA512
5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
358KB

MD5
5709c6a4da3cea082e45480ce2f97a60

SHA1
6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

SHA256
4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

SHA512
5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

Filesize
9KB

MD5
cd53082af28f46603b899c69fb8e449f

SHA1
d0034c9b7427cc0e045a5a5696870d988f96fbd1

SHA256
30ef28dbc8c9e308ae559d1bce7c4338c1c4d94ee3700bfe09dfc5b816bb5704

SHA512
cf62c72a417d2fb473fdc721b0c88d9cad8527d18658021af2ad825c8de1c1cb1544593aa4b1519f9a1d1401959efa21954cdb9065753a91922b520f96f5478e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
358KB

MD5
5709c6a4da3cea082e45480ce2f97a60

SHA1
6d8eed5918879e75ff3e3e80dd4f5dc87ac14355

SHA256
4d9e8df04a11f124a839d4c3e59eeba7302e9c26e06b31dd561eb446ae267a07

SHA512
5ab1ae6b66ca7e5fb6cf11037e27d8b1b7f00bbd0f96ca6827116714429314c7435a64a65efb6f85cf6198198d52559c621485c284249fb8cf082639c5f252b5

Download Submit
memory/300-101-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/300-87-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/628-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1064-102-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-56-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-80-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-99-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-124-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-118-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1744-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download