Overview

overview

10

Static

static

ec889c7b55...9c.exe

windows7-x64

10

ec889c7b55...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

  • Size

    648KB

  • MD5

    894076096dbed940112524f6f4c5e03e

  • SHA1

    708137b59727628d351d3b13f10c5630ec7127be

  • SHA256

    ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c

  • SHA512

    78520cf458378e6d646caa1ae2e1baaafeb3c4f2299c40c6575b64f5e76d0bb6daba34451ebf6e51fe93a8a2a43ae510200b8be46e1209cd87fa75cb6963ae2c

  • SSDEEP

    12288:LW6hqMI1GJsvLBOyEtoWW6hqMI1GJsvLBOyEto1X:LW6hqMIcJgBvEtoWW6hqMIcJgBvEto1X

Score
10/10
isrstealercollectionspywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 9 IoCs
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • Nirsoft 5 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
    "C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\KpkBtevw45.ini"
        3⤵
        • Executes dropped EXE
        PID:3600
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\uBygUjjUDR.ini"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook accounts
        PID:5008
    • C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
      "C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\exBSOFwRsj.ini"
        3⤵
          PID:4724
        • C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\uBygUjjUDR.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:4412

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      2KB

      MD5

      76e7d5bf61b2e80d159f88aa9798ce91

      SHA1

      32a46de50c9c02b068e39cf49b78c7e2d5ace20d

      SHA256

      280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

      SHA512

      5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      916c512d221c683beeea9d5cb311b0b0

      SHA1

      bf0db4b1c4566275b629efb095b6ff8857b5748e

      SHA256

      64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

      SHA512

      af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6872375A2E1BC120603F5605C3CEC71
      Filesize

      472B

      MD5

      b5170f55c5fd102cd23a641a76db5095

      SHA1

      9c9855182d6d8c7d281a88eb74c4ad964c166d51

      SHA256

      87cd0f31cae591c772a1ce76a198c8480e575b163cfcde3a0a191ae7a491e6e8

      SHA512

      b503d73c7b9e99a0f43c0fea92a2b8f49bfb164a2ef290f69860dd20623c735199f6b3abbaac472585365d71c3551e006bcef504456fcd728d7f781fe1d568c0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      488B

      MD5

      6620005514f3af001a7b5bd25f0f8120

      SHA1

      62534c1aad783151d81eb92c0a0886fd079e2bbd

      SHA256

      8abfb252be76739083d33394da802f69c490193b1c7ca6372c43ff9f7fc7b18e

      SHA512

      3dd5b76e2bc03b91fab2f2428568c174cede3ebd6242fa85a3ee4c2b18ef5acff23ab3093e69477272eb2936fbcce638632ab4019ac6e2d25e1697fecf53b9d2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      e2641d8a2d196387c2c07f7c50a3910e

      SHA1

      7d1107e5bd57d8a73039ea6af68e9365936569f6

      SHA256

      81bad4f3841680ffadb7e5a4a19956932dabb6ee8cafd76bb8d9367c06649139

      SHA512

      7cc9b8272868e4dadac1e81130e5977406db4a09529a97616c84aad805abaa8d5994589fdcfc365b4a3d5bd80b9e55c0b4134573f122d6b9669f56a43f3397c6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      e2641d8a2d196387c2c07f7c50a3910e

      SHA1

      7d1107e5bd57d8a73039ea6af68e9365936569f6

      SHA256

      81bad4f3841680ffadb7e5a4a19956932dabb6ee8cafd76bb8d9367c06649139

      SHA512

      7cc9b8272868e4dadac1e81130e5977406db4a09529a97616c84aad805abaa8d5994589fdcfc365b4a3d5bd80b9e55c0b4134573f122d6b9669f56a43f3397c6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71
      Filesize

      484B

      MD5

      9c0497baf9a047af7b35ca60b6f20741

      SHA1

      d6844a200e160070bcf0270dd812f53e772ba400

      SHA256

      c55ee2d0f70311a17ef65d6a49670b9f6c78d72bef630a070a8cfe845e0b1db8

      SHA512

      afebe18ab7bcfee410d1e44cfa8c5db986491901c99cea92472f34ddd7cf776b9513c4aafab596835a005aa0d34a8b53e6334547e5871b57b64c56fdf72ee346

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\KpkBtevw45.ini
      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      260KB

      MD5

      41d7addcd76dd58c8133bdd7fe4f4842

      SHA1

      b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

      SHA256

      0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

      SHA512

      4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      260KB

      MD5

      41d7addcd76dd58c8133bdd7fe4f4842

      SHA1

      b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

      SHA256

      0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

      SHA512

      4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      260KB

      MD5

      41d7addcd76dd58c8133bdd7fe4f4842

      SHA1

      b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

      SHA256

      0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

      SHA512

      4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      260KB

      MD5

      41d7addcd76dd58c8133bdd7fe4f4842

      SHA1

      b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

      SHA256

      0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

      SHA512

      4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\exBSOFwRsj.ini
      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

      Download Submit

    • memory/1556-141-0x0000000002B10000-0x0000000002B16000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1556-134-0x0000000002B10000-0x0000000002B16000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3600-158-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/3600-155-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4256-182-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4256-154-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4256-181-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4256-142-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4412-175-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4412-177-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4412-179-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4724-147-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4724-152-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4724-157-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/5008-170-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/5008-180-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download