isrstealer | 069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
Size

1.2MB
MD5

122385771337be68407411abbb90c8ad
SHA1

8fdaa9b64239281ce74b5028a59d43d0551549c1
SHA256

069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3
SHA512

f8162ea96469fe4510172daa0d33c66e190f950d73d441895f1dcaf783866c385fba97509c5b4e0e81d77aea5aca5702dfbf42ef0bf85d75336e2036d2994c12
SSDEEP

24576:FIF6nnjqKoev8IgX9ERDoV4z+o25YV6HJfzag4D9vw9UpFTMZD6:FIojqKoevieRUeKYON4D9uULMZD6

Score

10^/10

isrstealer stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4972-152-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer
behavioral2/memory/4972-157-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer
behavioral2/memory/4972-161-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer
behavioral2/memory/4972-162-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer

Executes dropped EXE 1 IoCs

pid	Process
964	QhuAqp.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2040-139-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/2040-141-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/2040-142-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/2040-145-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/4972-149-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4972-151-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4972-152-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4972-157-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/2040-160-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/4972-161-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4972-162-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 964 set thread context of 2040	964	QhuAqp.exe	80
PID 2040 set thread context of 4972	2040	svchost.exe	81
PID 4972 set thread context of 1860	4972	svchost.exe	82
PID 4972 set thread context of 3300	4972	svchost.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4712	1860	WerFault.exe	82
912	3300	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
964	QhuAqp.exe
964	QhuAqp.exe
964	QhuAqp.exe
964	QhuAqp.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
964	QhuAqp.exe
964	QhuAqp.exe
964	QhuAqp.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
964	QhuAqp.exe
964	QhuAqp.exe
964	QhuAqp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	svchost.exe
4972	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 964	808	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	79
PID 808 wrote to memory of 964	808	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	79
PID 808 wrote to memory of 964	808	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	79
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 964 wrote to memory of 2040	964	QhuAqp.exe	80
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 2040 wrote to memory of 4972	2040	svchost.exe	81
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 1860	4972	svchost.exe	82
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86
PID 4972 wrote to memory of 3300	4972	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
"C:\Users\Admin\AppData\Local\Temp\069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe" "EPmfcM"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\svchost.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\yZSF9a2my5.ini"
        5⤵
        
        PID:1860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 20
        6⤵
        Program crash
        
        PID:4712
    - - C:\Windows\SysWOW64\svchost.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ULstFJMTd2.ini"
        5⤵
        
        PID:3300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 84
        6⤵
        Program crash
        
        PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1860 -ip 1860
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3300 -ip 3300
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\EPmfcM

Filesize
4KB

MD5
c33972de451728010b789db71ca96ea2

SHA1
ef76706b8b11e3ca38021ea16eae228b2d2266f1

SHA256
38131c761147fb9520c835f21af120cc2d8dbb855cf9d50608941cc85bf3bc20

SHA512
b84ef73aafc3c6e23d2aab693f3804ff42f488fc779889d0443df704f4462e20ac6d6101fd0ad6aa0da2a9666bf4b2d59b20a3b00453116d524a706fe568f67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FewQAG.exe

Filesize
102KB

MD5
db2e369382ce29caf06f8a1fe2055d9c

SHA1
a64694660758632d4733d83c15519e23c1c37bdd

SHA256
f4b43f39c7f49489c6b6087951477be241af9977a9b65ea09ce0d88df91014b6

SHA512
0e6c6d4da3c246f54830b23bd017cfff9412769e4f217a30b64a1fe096afe0fe138e479b15faa48bc09a47a4f42a5bd97476740a71f24b28567ffb5eebb67bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RwFLOJ.txt

Filesize
876KB

MD5
8f0fbb38e468f1c804b281ee7329690c

SHA1
a215fc648bd7ee49976d28161f8b39aa34264738

SHA256
b6fa531a4038ad200a69f6401243d928b80dbcd7bbc29d3accb4c21b7a3dc53f

SHA512
68e96b836dda6f6c7934087034ec84c96396271c2bfba585b2296f4b30cc127561a75ffa07f1bd5444fdc87240f652daa9fc4d94d01e39a61f28d51baedba611

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
db2e369382ce29caf06f8a1fe2055d9c

SHA1
a64694660758632d4733d83c15519e23c1c37bdd

SHA256
f4b43f39c7f49489c6b6087951477be241af9977a9b65ea09ce0d88df91014b6

SHA512
0e6c6d4da3c246f54830b23bd017cfff9412769e4f217a30b64a1fe096afe0fe138e479b15faa48bc09a47a4f42a5bd97476740a71f24b28567ffb5eebb67bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.txt

Filesize
876KB

MD5
8f0fbb38e468f1c804b281ee7329690c

SHA1
a215fc648bd7ee49976d28161f8b39aa34264738

SHA256
b6fa531a4038ad200a69f6401243d928b80dbcd7bbc29d3accb4c21b7a3dc53f

SHA512
68e96b836dda6f6c7934087034ec84c96396271c2bfba585b2296f4b30cc127561a75ffa07f1bd5444fdc87240f652daa9fc4d94d01e39a61f28d51baedba611

Download Submit
memory/2040-145-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2040-141-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2040-139-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2040-142-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2040-160-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4972-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-149-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-162-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download