isrstealer | 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
Size

799KB
MD5

67cb4b511fa77b68a2113ff100c19d3b
SHA1

149295633667f97ecaa61ad40d2643595175f262
SHA256

0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab
SHA512

d315d773a9800f3d69f22c18bf5aaf9935578a2283db695631389d8469fcfa7d6e94bdce894bd0f3f660721f6ae024203477b5567d188de7f25fc3680beb60a0
SSDEEP

12288:yDwlmijm7u6o2t8ZrZ0ULh//VauajOtAIqXb75idAPcQcguD4FPQxPfOAzfiS/JN:WV4vDrFVaJqaIqrUAMB4FPQxJ/J0T

Score

10^/10

isrstealer persistence stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 16 IoCs

resource	yara_rule
behavioral2/memory/4532-138-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/4532-152-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/3916-174-0x00000000069C0000-0x0000000006AC0000-memory.dmp	family_isrstealer
behavioral2/memory/4532-182-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2488-199-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2488-201-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/4344-214-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/4344-225-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2832-243-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2832-244-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2888-262-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2888-263-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2596-281-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/2596-282-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/3896-300-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/3896-301-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer

NirSoft WebBrowserPassView 13 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/204-147-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/204-150-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/204-151-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/3916-171-0x00000000069C0000-0x0000000006AC0000-memory.dmp	WebBrowserPassView
behavioral2/memory/1004-196-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/1004-198-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/792-219-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/792-220-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/2284-242-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/2892-261-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/320-279-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/320-280-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/3756-299-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 13 IoCs

resource	yara_rule
behavioral2/memory/204-147-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/204-150-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/204-151-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/3916-171-0x00000000069C0000-0x0000000006AC0000-memory.dmp	Nirsoft
behavioral2/memory/1004-196-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/1004-198-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/792-219-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/792-220-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/2284-242-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/2892-261-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/320-279-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/320-280-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/3756-299-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XIPWmNN = "C:\\Users\\Admin\\AppData\\Roaming\\XIPWmNN.exe"	WScript.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 4532 set thread context of 2536	4532	vbc.exe	82
PID 2536 set thread context of 204	2536	vbc.exe	83
PID 3916 set thread context of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 2488 set thread context of 632	2488	cvtres.exe	88
PID 632 set thread context of 1004	632	cvtres.exe	89
PID 3916 set thread context of 4344	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	92
PID 4344 set thread context of 392	4344	vbc.exe	93
PID 392 set thread context of 792	392	vbc.exe	94
PID 3916 set thread context of 2832	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	101
PID 2832 set thread context of 4984	2832	csc.exe	102
PID 4984 set thread context of 2284	4984	csc.exe	103
PID 3916 set thread context of 2888	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	108
PID 2888 set thread context of 2444	2888	cvtres.exe	109
PID 2444 set thread context of 2892	2444	cvtres.exe	110
PID 3916 set thread context of 2596	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	113
PID 2596 set thread context of 1060	2596	csc.exe	114
PID 1060 set thread context of 320	1060	csc.exe	115
PID 3916 set thread context of 3896	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	118
PID 3896 set thread context of 3500	3896	csc.exe	119
PID 3500 set thread context of 3756	3500	csc.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
3068	Taskkill.exe
2192	Taskkill.exe
1212	Taskkill.exe
3840	Taskkill.exe
2096	Taskkill.exe
3528	Taskkill.exe
712	Taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
4532	vbc.exe
4532	vbc.exe
4532	vbc.exe
4532	vbc.exe
4532	vbc.exe
4532	vbc.exe
4532	vbc.exe
4532	vbc.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
Token: SeDebugPrivilege	2096	Taskkill.exe
Token: SeDebugPrivilege	3528	Taskkill.exe
Token: SeDebugPrivilege	712	Taskkill.exe
Token: SeDebugPrivilege	3068	Taskkill.exe
Token: SeDebugPrivilege	2192	Taskkill.exe
Token: SeDebugPrivilege	1212	Taskkill.exe
Token: SeDebugPrivilege	3840	Taskkill.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4532	vbc.exe
2488	cvtres.exe
4344	vbc.exe
2832	csc.exe
2888	cvtres.exe
2596	csc.exe
3896	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3892	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	78
PID 3916 wrote to memory of 3892	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	78
PID 3916 wrote to memory of 3892	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	78
PID 3916 wrote to memory of 728	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	80
PID 3916 wrote to memory of 728	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	80
PID 3916 wrote to memory of 728	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	80
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 3916 wrote to memory of 4532	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	81
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 4532 wrote to memory of 2536	4532	vbc.exe	82
PID 2536 wrote to memory of 204	2536	vbc.exe	83
PID 2536 wrote to memory of 204	2536	vbc.exe	83
PID 2536 wrote to memory of 204	2536	vbc.exe	83
PID 2536 wrote to memory of 204	2536	vbc.exe	83
PID 2536 wrote to memory of 204	2536	vbc.exe	83
PID 3916 wrote to memory of 2096	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	84
PID 3916 wrote to memory of 2096	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	84
PID 3916 wrote to memory of 2096	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	84
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 3916 wrote to memory of 2488	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	87
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 2488 wrote to memory of 632	2488	cvtres.exe	88
PID 632 wrote to memory of 1004	632	cvtres.exe	89
PID 632 wrote to memory of 1004	632	cvtres.exe	89
PID 632 wrote to memory of 1004	632	cvtres.exe	89
PID 632 wrote to memory of 1004	632	cvtres.exe	89
PID 632 wrote to memory of 1004	632	cvtres.exe	89
PID 3916 wrote to memory of 3528	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	90
PID 3916 wrote to memory of 3528	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	90
PID 3916 wrote to memory of 3528	3916	0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe	90

C:\Users\Admin\AppData\Local\Temp\0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
"C:\Users\Admin\AppData\Local\Temp\0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\XIPWmNN XIPWmNN.exe && exit
  2⤵
  PID:3892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp344.vbs"
  2⤵
  - Adds Run key to start application
  PID:728
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:204
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:1004
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:4344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:792
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:4984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:2284
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2444
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:2892
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:1060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:320
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:3756
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /f /im csc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6CB7F08D18153E44672D7BE969FFEDF

Filesize
503B

MD5
86dc349215cb12b97a82f27ced7d4a8d

SHA1
504736b4080560d9bfbdb15bf0adc99b9eee7806

SHA256
bd06227d721c84aa6754c9abdbdb889358277906556ed38f51377110135913f7

SHA512
2f1fbffb447caec50b513cea8b52a8abe8f916af3b1226eddd96033f6d737dfedb97269376cbd1fe2979246b78fcf5008ecffc2928d233baa6fe90bce9c56159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
57039f0f59221ab8522caec4c9349a37

SHA1
cc05e73efe574d14ca89422bfb4febb36a5a2687

SHA256
e2685c49ff5f61a2b43a90a8f367f9f5811148add5b6ba060ac3cb3b10af0f7c

SHA512
ba87f6abef473116f2ccd45556852c8df776e80d62df1b1d340f22ffb1461810ea12b6b4efa86ba2fa86d5f1d8d851a03d7bf93ffa13993d487c1cb1f2b438ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6CB7F08D18153E44672D7BE969FFEDF

Filesize
552B

MD5
e97149824b1eabf6fef75a99040a89d4

SHA1
26165a0ea0973853549524df5660ffde347a8c68

SHA256
3965dac3a482af7611708393e00bc3cff37d1415fc86fc4c2d28597008b5c111

SHA512
619ded5e16257e107cf191acf7658255369fed179f532312fe0f3e08ef3cb8d14faa4b67e155959e6948e6fecc224d0549d7c3bf7ea3a0ba01fbd07266772ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp344.vbs

Filesize
252B

MD5
c10e946c362363acc20b684b4ec40bea

SHA1
26df82fcda0e6c0625055757507d9d5876cfd3d4

SHA256
46f69a124ff9f3db37ccedc5034bb412a9a9e624968df9717d928270eca0aa71

SHA512
95d42b57f4d3586ed9d9d49c32c31bf3ca319a65ad2f04d7170f02ed5bcbe392e25a1a1ad73a63f91facbaeaf50a07475f2342e2a6133e0700b85a644fcdf535

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Roaming\XIPWmNN

Filesize
799KB

MD5
67cb4b511fa77b68a2113ff100c19d3b

SHA1
149295633667f97ecaa61ad40d2643595175f262

SHA256
0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab

SHA512
d315d773a9800f3d69f22c18bf5aaf9935578a2283db695631389d8469fcfa7d6e94bdce894bd0f3f660721f6ae024203477b5567d188de7f25fc3680beb60a0

Download Submit
memory/204-147-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/204-150-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/204-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/320-280-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/320-279-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/392-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/792-220-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-219-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1004-198-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1004-196-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1060-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-242-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2444-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-201-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2488-199-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2536-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-281-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2596-282-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2832-243-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2832-244-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2888-262-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2888-263-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2892-261-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3500-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3756-299-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3896-300-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3896-301-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3916-164-0x0000000001449000-0x000000000144E000-memory.dmp

Filesize
20KB

Download
memory/3916-175-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-170-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-169-0x0000000001449000-0x000000000144F000-memory.dmp

Filesize
24KB

Download
memory/3916-203-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-168-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-167-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3916-181-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-166-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-165-0x0000000001445000-0x0000000001448000-memory.dmp

Filesize
12KB

Download
memory/3916-200-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-171-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-132-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3916-163-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-162-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-172-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-161-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-173-0x0000000001445000-0x000000000144E000-memory.dmp

Filesize
36KB

Download
memory/3916-174-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-180-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-160-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-159-0x0000000001445000-0x000000000144E000-memory.dmp

Filesize
36KB

Download
memory/3916-158-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-157-0x0000000001445000-0x000000000144E000-memory.dmp

Filesize
36KB

Download
memory/3916-156-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-155-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-154-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-153-0x0000000001449000-0x000000000144F000-memory.dmp

Filesize
24KB

Download
memory/3916-179-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-178-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/3916-177-0x00000000069C0000-0x0000000006AC0000-memory.dmp

Filesize
1024KB

Download
memory/4344-214-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4344-225-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4532-138-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4532-152-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4532-182-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4984-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download