Overview

overview

10

Static

static

0273f41941...ab.exe

windows7-x64

10

0273f41941...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe

  • Size

    799KB

  • MD5

    67cb4b511fa77b68a2113ff100c19d3b

  • SHA1

    149295633667f97ecaa61ad40d2643595175f262

  • SHA256

    0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab

  • SHA512

    d315d773a9800f3d69f22c18bf5aaf9935578a2283db695631389d8469fcfa7d6e94bdce894bd0f3f660721f6ae024203477b5567d188de7f25fc3680beb60a0

  • SSDEEP

    12288:yDwlmijm7u6o2t8ZrZ0ULh//VauajOtAIqXb75idAPcQcguD4FPQxPfOAzfiS/JN:WV4vDrFVaJqaIqrUAMB4FPQxJ/J0T

Score
10/10
isrstealerpersistencestealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 5 IoCs
  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
    "C:\Users\Admin\AppData\Local\Temp\0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\XIPWmNN XIPWmNN.exe && exit
      2⤵
        PID:1740
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp344.vbs"
        2⤵
        • Adds Run key to start application
        PID:1412
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
            4⤵
              PID:1624

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Temp344.vbs
        Filesize

        252B

        MD5

        c10e946c362363acc20b684b4ec40bea

        SHA1

        26df82fcda0e6c0625055757507d9d5876cfd3d4

        SHA256

        46f69a124ff9f3db37ccedc5034bb412a9a9e624968df9717d928270eca0aa71

        SHA512

        95d42b57f4d3586ed9d9d49c32c31bf3ca319a65ad2f04d7170f02ed5bcbe392e25a1a1ad73a63f91facbaeaf50a07475f2342e2a6133e0700b85a644fcdf535

        Download Submit

      • C:\Users\Admin\AppData\Roaming\XIPWmNN
        Filesize

        799KB

        MD5

        67cb4b511fa77b68a2113ff100c19d3b

        SHA1

        149295633667f97ecaa61ad40d2643595175f262

        SHA256

        0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab

        SHA512

        d315d773a9800f3d69f22c18bf5aaf9935578a2283db695631389d8469fcfa7d6e94bdce894bd0f3f660721f6ae024203477b5567d188de7f25fc3680beb60a0

        Download Submit

      • memory/560-76-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-84-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-82-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-85-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-80-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-91-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-78-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-75-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-71-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-72-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/560-74-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

        Download

      • memory/1624-88-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1624-94-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1624-86-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1624-95-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1624-96-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1816-66-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1816-60-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1816-97-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1816-77-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1816-63-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1816-61-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2036-55-0x00000000745A0000-0x0000000074B4B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2036-79-0x0000000000515000-0x0000000000526000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2036-98-0x00000000745A0000-0x0000000074B4B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2036-99-0x0000000000515000-0x0000000000526000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2036-100-0x00000000745A0000-0x0000000074B4B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2036-101-0x0000000000515000-0x0000000000526000-memory.dmp

        Filesize

        68KB

        Download