Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 17:53
Static task
static1
Behavioral task
behavioral1
Sample
1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe
Resource
win7-20220812-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe
-
Size
653KB
-
MD5
88049ef487b421c89a7c57f7cd030747
-
SHA1
31e8a574df10db1650a47fb7f95f69dfa89ec72a
-
SHA256
1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173
-
SHA512
45938d26e9b5778aee4b2e53d44daed85137ebacd536d333bc4c01e7651497ece758b2123df6db9998073ce59c55955ffe72acfb0f75aedb2b0f4b72c5ef5f87
-
SSDEEP
12288:V9qry/CuKAUokVqrT+jjJK2B8qCYm4xrlVHs82:+rKeVUT+jjJb8qCGZVHo
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 7 IoCs
resource yara_rule behavioral1/memory/1136-62-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer behavioral1/memory/1136-64-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer behavioral1/memory/1136-65-0x0000000000401180-mapping.dmp family_isrstealer behavioral1/memory/1136-70-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer behavioral1/memory/1136-97-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer behavioral1/memory/1680-105-0x0000000000401180-mapping.dmp family_isrstealer behavioral1/memory/1680-111-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer -
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" AppLaunch.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" AppLaunch.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" AppLaunch.exe -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/892-95-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/892-96-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView -
Nirsoft 2 IoCs
resource yara_rule behavioral1/memory/892-95-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/892-96-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft -
resource yara_rule behavioral1/memory/1136-69-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/1136-71-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/1308-75-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1308-79-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1308-81-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1308-82-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1308-85-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1308-86-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/892-88-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/892-92-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/892-94-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/892-95-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/892-96-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1136-98-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/1680-109-0x00000000026F0000-0x000000000377E000-memory.dmp upx behavioral1/memory/1680-112-0x00000000026F0000-0x000000000377E000-memory.dmp upx behavioral1/memory/2012-120-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2012-122-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2012-123-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2012-124-0x0000000000400000-0x0000000000453000-memory.dmp upx -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts AppLaunch.exe -
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: AppLaunch.exe File opened (read-only) \??\G: AppLaunch.exe File opened (read-only) \??\E: AppLaunch.exe File opened (read-only) \??\G: AppLaunch.exe File opened (read-only) \??\H: AppLaunch.exe File opened (read-only) \??\F: AppLaunch.exe File opened (read-only) \??\H: AppLaunch.exe File opened (read-only) \??\F: AppLaunch.exe File opened (read-only) \??\I: AppLaunch.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 1900 set thread context of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1136 set thread context of 1308 1136 AppLaunch.exe 32 PID 1136 set thread context of 892 1136 AppLaunch.exe 33 PID 1900 set thread context of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1680 set thread context of 2012 1680 AppLaunch.exe 35 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 1136 AppLaunch.exe 1136 AppLaunch.exe 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 1680 AppLaunch.exe 1680 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe Token: SeDebugPrivilege 1136 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1136 AppLaunch.exe 1680 AppLaunch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1900 wrote to memory of 1796 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 27 PID 1900 wrote to memory of 1796 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 27 PID 1900 wrote to memory of 1796 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 27 PID 1900 wrote to memory of 1796 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 27 PID 1900 wrote to memory of 976 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 29 PID 1900 wrote to memory of 976 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 29 PID 1900 wrote to memory of 976 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 29 PID 1900 wrote to memory of 976 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 29 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1900 wrote to memory of 1136 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 31 PID 1136 wrote to memory of 1240 1136 AppLaunch.exe 14 PID 1136 wrote to memory of 1336 1136 AppLaunch.exe 13 PID 1136 wrote to memory of 1392 1136 AppLaunch.exe 12 PID 1136 wrote to memory of 1900 1136 AppLaunch.exe 26 PID 1136 wrote to memory of 1900 1136 AppLaunch.exe 26 PID 1136 wrote to memory of 1796 1136 AppLaunch.exe 27 PID 1136 wrote to memory of 1796 1136 AppLaunch.exe 27 PID 1136 wrote to memory of 544 1136 AppLaunch.exe 28 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 1308 1136 AppLaunch.exe 32 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 892 1136 AppLaunch.exe 33 PID 1136 wrote to memory of 1240 1136 AppLaunch.exe 14 PID 1136 wrote to memory of 1336 1136 AppLaunch.exe 13 PID 1136 wrote to memory of 1392 1136 AppLaunch.exe 12 PID 1136 wrote to memory of 544 1136 AppLaunch.exe 28 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34 PID 1900 wrote to memory of 1680 1900 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe 34
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe"C:\Users\Admin\AppData\Local\Temp\1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\CMD.exe"CMD"3⤵PID:1796
-
-
C:\Windows\SysWOW64\CMD.exe"CMD"3⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe/scomma "C:\Users\Admin\AppData\Local\Temp\saCf5HXdLD.ini"4⤵PID:1308
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2uU99cUwek.ini"4⤵
- Accesses Microsoft Outlook accounts
PID:892
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1680 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe/scomma "C:\Users\Admin\AppData\Local\Temp\MQtw4oOiCP.ini"4⤵PID:2012
-
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1336
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1240
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-564256041149079504577220460514268873734364839-802214138804075231336996315"1⤵PID:544
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
255B
MD55a038de5785f40247bf119d830a74ccb
SHA1407954126f48a262f8683485aae195f7aa1d3b31
SHA256e5191803dee9f824fea2fdeab2951a15d4360cddad8cc20472c7e361a6633d04
SHA512586c7ddbc6d34bee4d5b8b7641bc92c0339ec1734fc3a26d52d70daedef460d29b78c467da6924a38f4bbc5b9eca8fca49a8e7878ace1bbf70fdf5be7e9ea5e8