isrstealer | 0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

Analysis

max time kernel
150s
max time network
96s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
Size

356KB
MD5

cb1b586370cd85e144819be57fc8fd71
SHA1

1c8c6c9d7747e96f7c10c9d45591c2b729355a4c
SHA256

0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e
SHA512

480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0
SSDEEP

6144:QN++UlpnzyVKCNSm9OUyJLSWEy24rqTH5F2Agl7NyOIwfyJv:v+UrmVZALJEy2uiZoAIpfy5

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 9 IoCs

resource	yara_rule
behavioral1/memory/980-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/980-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/980-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/980-75-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/980-84-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/888-102-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/888-121-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/888-133-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/888-135-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1112-82-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1112-83-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1112-85-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2044-131-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2044-132-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/1112-82-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1112-83-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1112-85-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2044-131-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2044-132-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
1980	WUDHost.exe
1200	Acctres.exe
888	Acctres.exe
1736	WUDHost.exe
1396	Acctres.exe
2044	Acctres.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1112-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1112-81-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1112-82-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1112-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1112-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1396-113-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1396-118-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1396-119-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1396-120-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2044-130-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2044-131-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2044-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1200	Acctres.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Acctres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 980 set thread context of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 set thread context of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 1200 set thread context of 888	1200	Acctres.exe	33
PID 888 set thread context of 1396	888	Acctres.exe	35
PID 888 set thread context of 2044	888	Acctres.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Acctres.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Acctres.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Acctres.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
1980	WUDHost.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe
1200	Acctres.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
Token: SeDebugPrivilege	1980	WUDHost.exe
Token: SeDebugPrivilege	1200	Acctres.exe
Token: SeDebugPrivilege	1736	WUDHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
888	Acctres.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 1660 wrote to memory of 980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	28
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 980 wrote to memory of 2032	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	29
PID 1660 wrote to memory of 1980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	30
PID 1660 wrote to memory of 1980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	30
PID 1660 wrote to memory of 1980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	30
PID 1660 wrote to memory of 1980	1660	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	30
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 980 wrote to memory of 1112	980	0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe	31
PID 1980 wrote to memory of 1200	1980	WUDHost.exe	32
PID 1980 wrote to memory of 1200	1980	WUDHost.exe	32
PID 1980 wrote to memory of 1200	1980	WUDHost.exe	32
PID 1980 wrote to memory of 1200	1980	WUDHost.exe	32
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 888	1200	Acctres.exe	33
PID 1200 wrote to memory of 1736	1200	Acctres.exe	34
PID 1200 wrote to memory of 1736	1200	Acctres.exe	34
PID 1200 wrote to memory of 1736	1200	Acctres.exe	34
PID 1200 wrote to memory of 1736	1200	Acctres.exe	34
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 1396	888	Acctres.exe	35
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38
PID 888 wrote to memory of 2044	888	Acctres.exe	38

C:\Users\Admin\AppData\Local\Temp\0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
"C:\Users\Admin\AppData\Local\Temp\0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
  "C:\Users\Admin\AppData\Local\Temp\0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\w2xzDU1nxy.ini"
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\Gpx5IFJI45.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\2dX7ELpIqB.ini"
        5⤵
        Executes dropped EXE
        
        PID:1396
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\mzNA5rfphN.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:2044
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2dX7ELpIqB.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
356KB

MD5
cb1b586370cd85e144819be57fc8fd71

SHA1
1c8c6c9d7747e96f7c10c9d45591c2b729355a4c

SHA256
0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

SHA512
480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
356KB

MD5
cb1b586370cd85e144819be57fc8fd71

SHA1
1c8c6c9d7747e96f7c10c9d45591c2b729355a4c

SHA256
0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

SHA512
480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
356KB

MD5
cb1b586370cd85e144819be57fc8fd71

SHA1
1c8c6c9d7747e96f7c10c9d45591c2b729355a4c

SHA256
0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

SHA512
480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
356KB

MD5
cb1b586370cd85e144819be57fc8fd71

SHA1
1c8c6c9d7747e96f7c10c9d45591c2b729355a4c

SHA256
0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

SHA512
480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
356KB

MD5
cb1b586370cd85e144819be57fc8fd71

SHA1
1c8c6c9d7747e96f7c10c9d45591c2b729355a4c

SHA256
0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

SHA512
480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
11KB

MD5
6250064b24fd9175bdad1c147fe6f209

SHA1
9c777e8318c8967625a829551ce561453d88e964

SHA256
933fa76fbbaff480ee54c270901ded9da46b417502bd3e4062580a54f0a68084

SHA512
3db783ef0fb348cf9a354052f8f0e907bc91b6b5bf807aea22731f5710e81f0af1a44c29434fa9169187077e941a1990f57ba0ab10c51a5243bb67fcb57d0f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
11KB

MD5
6250064b24fd9175bdad1c147fe6f209

SHA1
9c777e8318c8967625a829551ce561453d88e964

SHA256
933fa76fbbaff480ee54c270901ded9da46b417502bd3e4062580a54f0a68084

SHA512
3db783ef0fb348cf9a354052f8f0e907bc91b6b5bf807aea22731f5710e81f0af1a44c29434fa9169187077e941a1990f57ba0ab10c51a5243bb67fcb57d0f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
11KB

MD5
6250064b24fd9175bdad1c147fe6f209

SHA1
9c777e8318c8967625a829551ce561453d88e964

SHA256
933fa76fbbaff480ee54c270901ded9da46b417502bd3e4062580a54f0a68084

SHA512
3db783ef0fb348cf9a354052f8f0e907bc91b6b5bf807aea22731f5710e81f0af1a44c29434fa9169187077e941a1990f57ba0ab10c51a5243bb67fcb57d0f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
11KB

MD5
6250064b24fd9175bdad1c147fe6f209

SHA1
9c777e8318c8967625a829551ce561453d88e964

SHA256
933fa76fbbaff480ee54c270901ded9da46b417502bd3e4062580a54f0a68084

SHA512
3db783ef0fb348cf9a354052f8f0e907bc91b6b5bf807aea22731f5710e81f0af1a44c29434fa9169187077e941a1990f57ba0ab10c51a5243bb67fcb57d0f48

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
356KB

MD5
cb1b586370cd85e144819be57fc8fd71

SHA1
1c8c6c9d7747e96f7c10c9d45591c2b729355a4c

SHA256
0e7ea519b46a0775c47e63525f37f81f14ab60dc4f81d00ccb26c10ad5f7668e

SHA512
480ab881610e73c8935b8468220299067d8ed026de674f9a549a2836cd6ca00ebc633acba1ea079801028f5f600857abb0c23b32523cca0e74c012a4010468a0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
11KB

MD5
6250064b24fd9175bdad1c147fe6f209

SHA1
9c777e8318c8967625a829551ce561453d88e964

SHA256
933fa76fbbaff480ee54c270901ded9da46b417502bd3e4062580a54f0a68084

SHA512
3db783ef0fb348cf9a354052f8f0e907bc91b6b5bf807aea22731f5710e81f0af1a44c29434fa9169187077e941a1990f57ba0ab10c51a5243bb67fcb57d0f48

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
11KB

MD5
6250064b24fd9175bdad1c147fe6f209

SHA1
9c777e8318c8967625a829551ce561453d88e964

SHA256
933fa76fbbaff480ee54c270901ded9da46b417502bd3e4062580a54f0a68084

SHA512
3db783ef0fb348cf9a354052f8f0e907bc91b6b5bf807aea22731f5710e81f0af1a44c29434fa9169187077e941a1990f57ba0ab10c51a5243bb67fcb57d0f48

Download Submit
memory/888-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-92-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1200-93-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1396-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-118-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1660-94-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-55-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1660-56-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-134-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-122-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-86-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-95-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-76-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download