Overview

overview

10

Static

static

67a5726287...19.exe

windows7-x64

10

67a5726287...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe

  • Size

    899KB

  • MD5

    21754d03fc630d0941e6274fdb3bab17

  • SHA1

    5c8f1db48fcd279769971517061386fb6bdefe78

  • SHA256

    67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619

  • SHA512

    c92c470054fb5967cde5fc1fa1926f057738bc5508f7271af31ac828191213fab12616a136cf5a8ffa272102d17db34b98c51f7cc743fddf33c2da4c5283c412

  • SSDEEP

    12288:kRWNcr8oxnOS90QbJa6QE/rI+D00FsG0B3mgDnDK23nwAklwGgG0rWl6VIE2bSqV:/NBIO0/LIV0KG0BWOnDdn/kl4BrrF2fV

Score
10/10
isrstealerstealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe
    "C:\Users\Admin\AppData\Local\Temp\67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe
      "C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe" WKzDXmGySiNt.CCM
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\90HL6uTKsr.ini"
          4⤵
            PID:1864
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 80
              5⤵
              • Program crash
              PID:4180
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\a7HVs2Pgz4.ini"
            4⤵
              PID:4988
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 80
                5⤵
                • Program crash
                PID:720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1864 -ip 1864
        1⤵
          PID:432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4988 -ip 4988
          1⤵
            PID:2704

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\1H847N~1\OBQDDO~1.LQQ
            Filesize

            260KB

            MD5

            44035b71f93b971dded0dd0a1b57c0b0

            SHA1

            0f96f513799cfda1e5d0b6be8c6c904bd2741c61

            SHA256

            51e9fd794fbe0e8a7e73ec720c64424d7234b614ab18e061e480a6db66c97395

            SHA512

            fdb2b154befb4a792c0f5753f0d008af06955bb95090660928f9e3be2b176b75333311a3b5a858412c1c6cc941dd58e737d756a0417821a0df5ba2d950b8be4e

            Download Submit

          • C:\Users\Admin\1H847N~1\uHgkAD.FRM
            Filesize

            35B

            MD5

            0d6a4699347514e83df3c756286d027b

            SHA1

            43f5c5ea798282b0681656314340918db4089640

            SHA256

            7d6376d1aed12fb95212a8a99ac33a3627cebbdb2556a30bcc1af487382c8713

            SHA512

            d74e02d8fc7b1b881e5566c23083de29cd7609e45f233734f90213120729917f6d9d19120365520e42ee32923f5afffe75c8713f1814f7d7e3c5458f28539c9c

            Download Submit

          • C:\Users\Admin\1h847n55gdu161\WKzDXmGySiNt.CCM
            Filesize

            33.9MB

            MD5

            a7f9a232d82cc9a03f3070e2c7d6ff10

            SHA1

            7681f36df0d99103a69b5e55704c8f023e32bd77

            SHA256

            35737c7d963385ccc15f9f18d7472640886b3e80155f8da8f309298885c82a42

            SHA512

            27bc27bf7d90872852d0b3d6b029487bb668a01a5e17c2494c300ff8075b15c56f224f4d384b38ea0ef3e2a163f6d2ad004514215d240c18f098503c41f8f600

            Download Submit

          • C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe
            Filesize

            795KB

            MD5

            e1cd87c1a44c4b6584dd2df7d5bd2e9c

            SHA1

            7a271f98b88e9974618fda5f9a5f874434b44bc8

            SHA256

            da10f63ba3641ce01af17072e1bc67b28e4c2e990436b76714bd02e019b0b388

            SHA512

            276afc51891f7dc50b249faf65e9c7aa3c93997ee48cee829e3535287ef7d571ed29c5895822d78293f54c57deb4d6a2cf2c908b7d4f7869fc67cbaf64bd3f4a

            Download Submit

          • C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe
            Filesize

            795KB

            MD5

            e1cd87c1a44c4b6584dd2df7d5bd2e9c

            SHA1

            7a271f98b88e9974618fda5f9a5f874434b44bc8

            SHA256

            da10f63ba3641ce01af17072e1bc67b28e4c2e990436b76714bd02e019b0b388

            SHA512

            276afc51891f7dc50b249faf65e9c7aa3c93997ee48cee829e3535287ef7d571ed29c5895822d78293f54c57deb4d6a2cf2c908b7d4f7869fc67cbaf64bd3f4a

            Download Submit

          • memory/4812-139-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/4812-141-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/4812-146-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/4812-149-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download