Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-11-2022 10:27

General

  • Target

    92aab46d0e0b52f33f241a548d95758ecd23a78024626a6b5c190000d172dda0.exe

  • Size

    673KB

  • MD5

    20ef16a722778d92f6bf93d3310eb9ea

  • SHA1

    3b6c0364751e892749c77e40b2ec75c8a71e3f48

  • SHA256

    92aab46d0e0b52f33f241a548d95758ecd23a78024626a6b5c190000d172dda0

  • SHA512

    9d596b365c4fbfbbeb75fb643322ef392bab666a106aa349692a15c5d85a94e67a0d6ed09035ac2b3cf779aa82e653efbebc8311f766816297e349d58e059a7e

  • SSDEEP

    6144:8dhylx6z9cdIKCC0ef//uXltKc+LVsz9b86dhyeK62/rZAlPbLxYMbUyPnQ/txC+:s62cdFeCXuLKcCVsz6OtU/WPpYDxAO

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Commonly ransomware behaviour, though stealers also enumerate drives when hunting for files to harvest.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92aab46d0e0b52f33f241a548d95758ecd23a78024626a6b5c190000d172dda0.exe
    "C:\Users\Admin\AppData\Local\Temp\92aab46d0e0b52f33f241a548d95758ecd23a78024626a6b5c190000d172dda0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\winini.exe
      "C:\Users\Admin\AppData\Local\Temp\winini.exe" cvtres.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\DENkyEoTx0.ini"
          4⤵
          • Executes dropped EXE
          PID:4188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\winini.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\winini.exe"
          4⤵
          • Modifies WinLogon for persistence
          PID:1740

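Added detection example, not part of the sandbox report or the sample: the persistence above is a plain `reg add` on HKCU, which the unprivileged user can write without elevation, and the Shell value keeps explorer.exe first so the desktop still appears while winini.exe is launched beside it at every logon. The SetThreadContext/WriteProcessMemory hits on winini.exe and cvtres.exe, together with a 1024-byte cvtres.exe on disk backing 212KB and 332KB images at 0x400000, are consistent (my inference) with the dropped cvtres.exe being a hollowed host; `/scomma <file>` matches the comma-separated output switch of NirSoft's recovery utilities. The Python below parses `reg add` command lines (the two from the process tree, re-typed here as constructed sample input, plus two benign ones) and flags Winlogon Shell/Userinit values that run anything beyond the Windows defaults. The expected-location check assumes a default C:\Windows install.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the two 'reg add' lines from the process tree above,
# plus a benign Shell reset and an unrelated reg add as negatives.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\winini.exe"',
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\winini.exe"',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f',
    r'reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f',
]

# A token is a run of non-space/non-quote text and/or quoted spans glued together,
# so explorer.exe,"C:\Program Files\x.exe" stays one token like it does for reg.exe.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

_HIVES = {
    'HKEY_CURRENT_USER': 'HKCU', 'HKEY_LOCAL_MACHINE': 'HKLM',
    'HKEY_USERS': 'HKU', 'HKEY_CLASSES_ROOT': 'HKCR',
}
WINLOGON_SUFFIX = r'\microsoft\windows nt\currentversion\winlogon'

# Winlogon values executed at logon and the only program each should name.
EXPECTED = {'shell': {'explorer.exe'}, 'userinit': {'userinit.exe'}}
# Assumption: default install; bare names resolve from the system directory.
SYSTEM_DIRS = {'.', r'c:\windows', r'c:\windows\system32'}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together
    (even mid-token) and dropping the quote characters themselves."""
    return [t.replace('"', '') for t in _TOKEN.findall(cmdline)]


def normalize_key(key):
    """Return (short hive name, lower-cased subkey path) for a reg.exe key argument."""
    hive, _, path = key.strip('\\').partition('\\')
    return _HIVES.get(hive.upper(), hive.upper()), path.lower()


def parse_reg_add(cmdline):
    """Return (key, options) if the command line runs 'reg add', else None.
    Options map lower-cased switches (/v, /t, /d) to their argument; bare
    switches such as /f map to True."""
    toks = tokenize(cmdline)
    for i, t in enumerate(toks[:-2]):
        if PureWindowsPath(t).name.lower() in ('reg', 'reg.exe') and toks[i + 1].lower() == 'add':
            key, args = toks[i + 2], toks[i + 3:]
            break
    else:
        return None
    opts, j = {}, 0
    while j < len(args):
        sw = args[j].lower()
        if sw in ('/v', '/t', '/d') and j + 1 < len(args):
            opts[sw] = args[j + 1]
            j += 2
        else:
            opts[sw] = True
            j += 1
    return key, opts


def _is_expected(value_name, entry):
    """True if one comma-separated entry is the stock program in its stock location."""
    p = PureWindowsPath(entry.strip())
    return p.name.lower() in EXPECTED[value_name] and str(p.parent).lower() in SYSTEM_DIRS


def check_winlogon_persistence(cmdline):
    """Return a finding if the command line rewrites Winlogon Shell or Userinit
    to run anything beyond the Windows default, else None."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, opts = parsed
    hive, path = normalize_key(key)
    value = str(opts.get('/v', '')).lower()
    if not path.endswith(WINLOGON_SUFFIX) or value not in EXPECTED or '/d' not in opts:
        return None
    entries = [e for e in opts['/d'].split(',') if e.strip()]
    extra = [e for e in entries if not _is_expected(value, e)]
    if not extra:
        return None
    return {
        'hive': hive,
        'value': value,
        'data': opts['/d'],
        'extra_programs': extra,
        # HKCU is writable by the logged-on user, so no elevation was required.
        'needs_admin': hive == 'HKLM',
    }


def scan(cmdlines):
    """Run the check over a list of command lines and keep only the findings."""
    return [f for f in map(check_winlogon_persistence, cmdlines) if f is not None]


if __name__ == '__main__':
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

Run the file to print the two findings for the sample lines; to use it on real telemetry, feed it the CommandLine field of Sysmon event 1 or Security event 4688 records. Registry-level confirmation is a Sysmon event 13 on the same key, or `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` on the host.
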
Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DENkyEoTx0.ini

    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

  • C:\Users\Admin\AppData\Local\Temp\cvtres.exe

    Filesize

    1024B

    MD5

    54b1c45da8980b32759042e2c3c78dfb

    SHA1

    11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

    SHA256

    9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

    SHA512

    73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

  • C:\Users\Admin\AppData\Local\Temp\winini.exe

    Filesize

    573KB

    MD5

    4e6acfd4ceb58565dd19c83c959c5e6b

    SHA1

    e9d448c22bf2ef2d71b7a3550dd77bd42ce24f9c

    SHA256

    438e2c3bd77ca8fd5207b7ad59442518a4d45eced33e604277f43fecd3af8c79

    SHA512

    eda6bd8e10bd005ab4c7a2bfc01b7875e633b424c212bf171d54dda5f4f45cbbee15cb42ab6591ddc10f241f36af1570ad48fba4aa361bfe6f398ea760d8f71c

  • memory/2820-137-0x00000000753F0000-0x00000000759A1000-memory.dmp

    Filesize

    5.7MB

  • memory/2820-132-0x00000000753F0000-0x00000000759A1000-memory.dmp

    Filesize

    5.7MB

  • memory/3284-156-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/3284-138-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/3284-148-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4188-151-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4188-147-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4188-153-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4188-154-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/5076-145-0x00000000753F0000-0x00000000759A1000-memory.dmp

    Filesize

    5.7MB