isrstealer | b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7

Analysis

max time kernel
159s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
Size

355KB
MD5

93994ce2cdb48ea1970c2107c1e68af8
SHA1

ebf583e090f8eab34cfd7e56d2852e0083e59040
SHA256

b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7
SHA512

8e29a4ad24b9c999835dd8ba906ce6ffb60a4422a33d1ab2535ae4edc3eb1101ab8767e48ee728f68e63a2b34c82a1c455bf58cc247bcdf2e611939ecdc9411b
SSDEEP

6144:vYGsqnJ+2i9XvCMOd3HpEURdQqY+Bk+Ye+Y6HtQLmRA3o01phAGBtHO0vWhV:JFnJbihvCMOdJEUvQqpRGtGmRA3o01hi

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 8 IoCs

resource	yara_rule
behavioral2/memory/2600-135-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-137-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-143-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-152-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/456-175-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/456-185-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/456-187-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-190-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3584-182-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3584-183-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3584-184-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/3584-182-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3584-183-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3584-184-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
1984	WUDHost.exe
4736	Acctres.exe
456	Acctres.exe
2452	Acctres.exe
2340	WUDHost.exe
3584	Acctres.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3980-141-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3980-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3980-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3980-146-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3584-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3584-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3584-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3584-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3584-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Acctres.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Acctres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4916 set thread context of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 2600 set thread context of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 4736 set thread context of 456	4736	Acctres.exe	103
PID 456 set thread context of 2452	456	Acctres.exe	104
PID 456 set thread context of 3584	456	Acctres.exe	108
PID 2600 set thread context of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4400	2452	WerFault.exe	104
3388	3808	WerFault.exe	110

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
Token: SeDebugPrivilege	1984	WUDHost.exe
Token: SeDebugPrivilege	4736	Acctres.exe
Token: SeDebugPrivilege	2340	WUDHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
456	Acctres.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 4916 wrote to memory of 2600	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	87
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 2600 wrote to memory of 3980	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	88
PID 4916 wrote to memory of 1984	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	89
PID 4916 wrote to memory of 1984	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	89
PID 4916 wrote to memory of 1984	4916	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	89
PID 1984 wrote to memory of 4736	1984	WUDHost.exe	98
PID 1984 wrote to memory of 4736	1984	WUDHost.exe	98
PID 1984 wrote to memory of 4736	1984	WUDHost.exe	98
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 4736 wrote to memory of 456	4736	Acctres.exe	103
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 456 wrote to memory of 2452	456	Acctres.exe	104
PID 4736 wrote to memory of 2340	4736	Acctres.exe	105
PID 4736 wrote to memory of 2340	4736	Acctres.exe	105
PID 4736 wrote to memory of 2340	4736	Acctres.exe	105
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 456 wrote to memory of 3584	456	Acctres.exe	108
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110
PID 2600 wrote to memory of 3808	2600	b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe	110

C:\Users\Admin\AppData\Local\Temp\b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
"C:\Users\Admin\AppData\Local\Temp\b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
  "C:\Users\Admin\AppData\Local\Temp\b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\xue5U6ydWD.ini"
    3⤵
    PID:3980
- - C:\Users\Admin\AppData\Local\Temp\b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\pAuN0Q0bwz.ini"
    3⤵
    PID:3808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 80
      4⤵
      Program crash
      PID:3388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\or9UUNFVt8.ini"
        5⤵
        Executes dropped EXE
        
        PID:2452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 80
        6⤵
        Program crash
        
        PID:4400
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\2EWznGq3gT.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:3584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2452 -ip 2452
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3808 -ip 3808
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WUDHost.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xue5U6ydWD.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
355KB

MD5
93994ce2cdb48ea1970c2107c1e68af8

SHA1
ebf583e090f8eab34cfd7e56d2852e0083e59040

SHA256
b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7

SHA512
8e29a4ad24b9c999835dd8ba906ce6ffb60a4422a33d1ab2535ae4edc3eb1101ab8767e48ee728f68e63a2b34c82a1c455bf58cc247bcdf2e611939ecdc9411b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
355KB

MD5
93994ce2cdb48ea1970c2107c1e68af8

SHA1
ebf583e090f8eab34cfd7e56d2852e0083e59040

SHA256
b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7

SHA512
8e29a4ad24b9c999835dd8ba906ce6ffb60a4422a33d1ab2535ae4edc3eb1101ab8767e48ee728f68e63a2b34c82a1c455bf58cc247bcdf2e611939ecdc9411b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
355KB

MD5
93994ce2cdb48ea1970c2107c1e68af8

SHA1
ebf583e090f8eab34cfd7e56d2852e0083e59040

SHA256
b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7

SHA512
8e29a4ad24b9c999835dd8ba906ce6ffb60a4422a33d1ab2535ae4edc3eb1101ab8767e48ee728f68e63a2b34c82a1c455bf58cc247bcdf2e611939ecdc9411b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
355KB

MD5
93994ce2cdb48ea1970c2107c1e68af8

SHA1
ebf583e090f8eab34cfd7e56d2852e0083e59040

SHA256
b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7

SHA512
8e29a4ad24b9c999835dd8ba906ce6ffb60a4422a33d1ab2535ae4edc3eb1101ab8767e48ee728f68e63a2b34c82a1c455bf58cc247bcdf2e611939ecdc9411b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
355KB

MD5
93994ce2cdb48ea1970c2107c1e68af8

SHA1
ebf583e090f8eab34cfd7e56d2852e0083e59040

SHA256
b52baa7b106317424db10866c73042bf47ddeb81cc389c3b8ea294d5175cd1c7

SHA512
8e29a4ad24b9c999835dd8ba906ce6ffb60a4422a33d1ab2535ae4edc3eb1101ab8767e48ee728f68e63a2b34c82a1c455bf58cc247bcdf2e611939ecdc9411b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
83fc91c3ad682312604cd0523b50b293

SHA1
3b17a838d2a7d75fbddbe0b82c6f319413fd2c90

SHA256
d664c40ee7910bb799c083fbd9c51cca102f13e8d7683feac9a362d2bbbfa294

SHA512
bd7dec870c1766830319f8dfd969cd2c008eb5e9de5ef266cb15cda8773018c165e3244bda791cd473b3cd0eeb732972ccd1b95c9a53a1d7ba17d9dd7c9d8627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
83fc91c3ad682312604cd0523b50b293

SHA1
3b17a838d2a7d75fbddbe0b82c6f319413fd2c90

SHA256
d664c40ee7910bb799c083fbd9c51cca102f13e8d7683feac9a362d2bbbfa294

SHA512
bd7dec870c1766830319f8dfd969cd2c008eb5e9de5ef266cb15cda8773018c165e3244bda791cd473b3cd0eeb732972ccd1b95c9a53a1d7ba17d9dd7c9d8627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
83fc91c3ad682312604cd0523b50b293

SHA1
3b17a838d2a7d75fbddbe0b82c6f319413fd2c90

SHA256
d664c40ee7910bb799c083fbd9c51cca102f13e8d7683feac9a362d2bbbfa294

SHA512
bd7dec870c1766830319f8dfd969cd2c008eb5e9de5ef266cb15cda8773018c165e3244bda791cd473b3cd0eeb732972ccd1b95c9a53a1d7ba17d9dd7c9d8627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
83fc91c3ad682312604cd0523b50b293

SHA1
3b17a838d2a7d75fbddbe0b82c6f319413fd2c90

SHA256
d664c40ee7910bb799c083fbd9c51cca102f13e8d7683feac9a362d2bbbfa294

SHA512
bd7dec870c1766830319f8dfd969cd2c008eb5e9de5ef266cb15cda8773018c165e3244bda791cd473b3cd0eeb732972ccd1b95c9a53a1d7ba17d9dd7c9d8627

Download Submit
memory/456-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-160-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1984-150-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1984-153-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2340-186-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2340-176-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2600-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3584-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3584-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3584-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3584-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3980-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3980-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3980-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3980-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4736-157-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4736-158-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4916-133-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4916-132-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4916-159-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download