Analysis
-
max time kernel
41s -
max time network
62s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
27-11-2022 13:50
General
-
Target
ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
-
Size
648KB
-
MD5
894076096dbed940112524f6f4c5e03e
-
SHA1
708137b59727628d351d3b13f10c5630ec7127be
-
SHA256
ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c
-
SHA512
78520cf458378e6d646caa1ae2e1baaafeb3c4f2299c40c6575b64f5e76d0bb6daba34451ebf6e51fe93a8a2a43ae510200b8be46e1209cd87fa75cb6963ae2c
-
SSDEEP
12288:LW6hqMI1GJsvLBOyEtoWW6hqMI1GJsvLBOyEto1X:LW6hqMIcJgBvEtoWW6hqMIcJgBvEto1X
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 13 IoCs
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
Nirsoft 3 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe/scomma "C:\Users\Admin\AppData\Local\Temp\qeB8LQIoWc.ini"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ZXxiWCdy7X.ini"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
-
-
C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe/scomma "C:\Users\Admin\AppData\Local\Temp\qeB8LQIoWc.ini"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe/scomma "C:\Users\Admin\AppData\Local\Temp\Hn3nAe9nYe.ini"3⤵
- Accesses Microsoft Outlook accounts
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD576e7d5bf61b2e80d159f88aa9798ce91
SHA132a46de50c9c02b068e39cf49b78c7e2d5ace20d
SHA256280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3
SHA5125efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4
-
Filesize
61KB
MD53dcf580a93972319e82cafbc047d34d5
SHA18528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA25640810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA51298384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
-
Filesize
61KB
MD53dcf580a93972319e82cafbc047d34d5
SHA18528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA25640810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA51298384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
-
Filesize
1KB
MD5916c512d221c683beeea9d5cb311b0b0
SHA1bf0db4b1c4566275b629efb095b6ff8857b5748e
SHA25664a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8
SHA512af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c
-
Filesize
472B
MD5b5170f55c5fd102cd23a641a76db5095
SHA19c9855182d6d8c7d281a88eb74c4ad964c166d51
SHA25687cd0f31cae591c772a1ce76a198c8480e575b163cfcde3a0a191ae7a491e6e8
SHA512b503d73c7b9e99a0f43c0fea92a2b8f49bfb164a2ef290f69860dd20623c735199f6b3abbaac472585365d71c3551e006bcef504456fcd728d7f781fe1d568c0
-
Filesize
488B
MD5e3f1421cf82795e426478a9e4e574f27
SHA16cfdc5cd3d3b6fc08e2997c4d9c251442f7ef8e1
SHA256a71a635c143c0ad9e79aa035a09dc216026a40285589782d5ceb86a79765b0e9
SHA5122f17ee0611beb501a7fffc3de115e9df7aa979e0ca49a803993ed1312c5765795c42a7b11caf4e86ac2b8aeb99730f93e325d56a23f385ee3b582b79d6decb81
-
Filesize
342B
MD5e422f4dfcbb3b9e6da6416770bbdbf34
SHA1cbac72e2fef3973bdff6b13b0ad94d5e8bca6598
SHA256e2dcac1ce9a9c6643edf8126efeec29698035cc3e821c8a15467f7762c965ab8
SHA512fdcbc4e83dd6cfe8e630bfd0367789b657f89b29b8aaaa8d688269b43f07aeeb89df37698ca6cc2a07296c7d0fbabb268619b773e2550d330299f064e3964c0c
-
Filesize
342B
MD54f872c74fc97a0f2a11ae35b5cb8f72c
SHA14198e02a49e4bd6df7f05ddad0b24c68296aa9ef
SHA25637ceee56a55f3fb8cb332985f99e1ceaad01bfe3e5d5bdeb146b1e7657864363
SHA51267c323fd6630bfaf4071108a36e0a3941255d8df7941e497920dd044832310f16537dfcaf7ab5c45180080249c2f893c0afd44ddc1db027d2df89cfc25f24f1b
-
Filesize
342B
MD562324056933cc9fe5cca5ad4a242da95
SHA121c954ad8712f493a244edad89e9e794b95e6a84
SHA256a23e64a580ce9b836755fd52992f9f5e8d3690d6ac511b2db047871cac9bd28a
SHA5126e131e068bb1da237a8776c9b67833418442e1697b72a3fe5589d2a29d73cb72330ba91f62f9bae804ca855c3950b0b8221241c4d7b95cd2eeb3d0863f1ca6ad
-
Filesize
342B
MD5f112f56437a70acc63468f9be10f50c1
SHA1d9e48ab300fa2503166c5b0ec669892350abf4e2
SHA25604dfb85b1d383629c4cf00754b7ea040c9756d1632f9a7af15375cd394fdcb76
SHA5122a8a1ef5e6b203390056fbd36a2e887dd356a380d3a8d12f854dcb1f73969f89a6052bd5d887eababd9cbb9a7b699a9a192ad0cf9041e56485d595f375495c8a
-
Filesize
482B
MD5a15029147206e9dc28d89003789a9547
SHA151c3dbe2e64ad42291fee0985d199a4cef74355d
SHA2563084cc22f32b384e49ba0ae44b314cdeb88138aecaa478ef9dba3a50e5d1bc19
SHA512c784b9fa0a8248b73715d14bcb16744770f53fcc3df47f1a2d99e2b6b9d7ff66ed4a0239dbb2a2d1f186f9ad9ef8255d5f8ed5a542df25be6f6a4884a0bce92a
-
Filesize
484B
MD5dd3e079261df8bd7f7f754e80d12afcd
SHA11696d091b9418ba55bb2588ff228d071159cf098
SHA25653fcd963aff8d6d0f7e4c7631b155dba1804527592fa61ccccb191c0099293b7
SHA512ad406796dc9ae9aa68b6ce7ca1d4e65a6fb19d3d2dcd601cdb4c491331fddb279fd2a6f92855f4ecb6074688b6e60a665c0f19b125c865880592798dff2de627
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
260KB
MD541d7addcd76dd58c8133bdd7fe4f4842
SHA1b561ecda6f23d843ddb29b0d9fe9afda1493e3e0
SHA2560582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af
SHA5124b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB