isrstealer | 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6

Analysis

max time kernel
151s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
Size

552KB
MD5

71ee4719874a577f4aacabe52668f341
SHA1

4e61f9699f3ff32871b493fcda3ee134d681a64a
SHA256

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6
SHA512

147fd4618892c26ae9d00bee91416e3697b7e656cba21bd5fdd168e23026f7db70cfd1eadf8957b690152e31ac852c67d80d829142a47b5ab0fc7fa4fdd2096b
SSDEEP

6144:DooqCevklyNpFiq+6sqjBkEs2P+avFpPK39pe58EJGGdYBZvd9OVqq65scTiK/Rd:D6ZkENWgtvrwpeaHgS/OVqqys5DYH

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3212-135-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3212-137-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3212-148-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3212-152-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 3212 set thread context of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 2544 set thread context of 4124	2544	takshost.exe	92
PID 3212 set thread context of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
2544	takshost.exe
2544	takshost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
Token: SeDebugPrivilege	2544	takshost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	90
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 2544	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	91
PID 1632 wrote to memory of 2544	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	91
PID 1632 wrote to memory of 2544	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	91
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 2544 wrote to memory of 4124	2544	takshost.exe	92
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
"C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
  "C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3212
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/0-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/0-140-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1632-133-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-142-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-149-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-150-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-143-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3212-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download