Overview

overview

10

Static

static

e2dadd4afd...d0.exe

windows7-x64

10

e2dadd4afd...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    196s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0.exe

  • Size

    736KB

  • MD5

    acfe17220eed492d5b3b5b85cba17f27

  • SHA1

    5725d2196c2eb9649d57aa6891381521968cff6d

  • SHA256

    e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0

  • SHA512

    f8e4fe56aea6b86fa828e970ead3d957d39de883e64dd19d1f199079b58b8855d209723707bb16192fc6a5c9e276834f41011fc955389184388bf0bf2bc0d96a

  • SSDEEP

    12288:1C0FSVMHdOacQlm0vTMsAdAqcaONPLMjgjgjgjgjgjgjgjgjgjgjgjgjgjgjgjgq:v8oOLQQoOdAq4NHKK

Score
10/10
isrstealerpersistencespywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 5 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0.exe
    "C:\Users\Admin\AppData\Local\Temp\e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\AppData\Local\Temp\e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0.exe
      "C:\Users\Admin\AppData\Local\Temp\e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Users\Admin\AppData\Local\Temp\e2dadd4afd1670177335f5426022a13a795b5a202e11b17f281ebcd0ee6b78d0.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\dEcPmLvkEw.ini"
        3⤵
          PID:2020
        • C:\Users\Admin\AppData\Local\Temp\1.exe
          C:\Users\Admin\AppData\Local\Temp\1.exe
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3432
          • C:\Users\Admin\AppData\Local\Temp\gfdgfd.Exe
            "C:\Users\Admin\AppData\Local\Temp\gfdgfd.Exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4856
            • C:\Users\Admin\AppData\Roaming\{0664ECA6-B456-E195-1216-E87E3554727E}\dll.exe
              C:\Users\Admin\AppData\Roaming\{0664ECA6-B456-E195-1216-E87E3554727E}\dll.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3148
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\x.bat
              5⤵
                PID:4456

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1.exe
        Filesize

        160KB

        MD5

        696402f485b8d7cf3e14866610618e92

        SHA1

        af352f96f40c25220a603238e2223aa031122aeb

        SHA256

        cfa324edeb2e91ad7e14ea6b7eca519d33f74bb980186d3cef7b396b85719440

        SHA512

        cb8744b97db2050063470da89d7d3b3f7ec0c1240bcf6472603df7287ee05d0ffbf6a084c68e7527b5ba5ee266d0d5a70cd924ebbeb03e22fe10afb49383d48d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1.exe
        Filesize

        160KB

        MD5

        696402f485b8d7cf3e14866610618e92

        SHA1

        af352f96f40c25220a603238e2223aa031122aeb

        SHA256

        cfa324edeb2e91ad7e14ea6b7eca519d33f74bb980186d3cef7b396b85719440

        SHA512

        cb8744b97db2050063470da89d7d3b3f7ec0c1240bcf6472603df7287ee05d0ffbf6a084c68e7527b5ba5ee266d0d5a70cd924ebbeb03e22fe10afb49383d48d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\dEcPmLvkEw.ini
        Filesize

        5B

        MD5

        d1ea279fb5559c020a1b4137dc4de237

        SHA1

        db6f8988af46b56216a6f0daf95ab8c9bdb57400

        SHA256

        fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

        SHA512

        720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gfdgfd.Exe
        Filesize

        184KB

        MD5

        2e9c2a02021677d34195c55643497bae

        SHA1

        cd1337ecfec14055c664e9b079a49b2140d0aeb1

        SHA256

        c4ba24c4a51af58b6cf657d775ffb2e7813285088e53b46099d77226cd9f1f66

        SHA512

        3b00639ab1fe57e6838b1e375ff725c5b9871ae7d3e3c580002a5dd9c823ecadb2c8e4369ac17ba8933d2663857cfc6d41a843bc9a2d98e1a03102258a9745ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gfdgfd.Exe
        Filesize

        184KB

        MD5

        2e9c2a02021677d34195c55643497bae

        SHA1

        cd1337ecfec14055c664e9b079a49b2140d0aeb1

        SHA256

        c4ba24c4a51af58b6cf657d775ffb2e7813285088e53b46099d77226cd9f1f66

        SHA512

        3b00639ab1fe57e6838b1e375ff725c5b9871ae7d3e3c580002a5dd9c823ecadb2c8e4369ac17ba8933d2663857cfc6d41a843bc9a2d98e1a03102258a9745ba

        Download Submit

      • C:\Users\Admin\AppData\Roaming\{0664ECA6-B456-E195-1216-E87E3554727E}\dll.exe
        Filesize

        184KB

        MD5

        2e9c2a02021677d34195c55643497bae

        SHA1

        cd1337ecfec14055c664e9b079a49b2140d0aeb1

        SHA256

        c4ba24c4a51af58b6cf657d775ffb2e7813285088e53b46099d77226cd9f1f66

        SHA512

        3b00639ab1fe57e6838b1e375ff725c5b9871ae7d3e3c580002a5dd9c823ecadb2c8e4369ac17ba8933d2663857cfc6d41a843bc9a2d98e1a03102258a9745ba

        Download Submit

      • C:\Users\Admin\AppData\Roaming\{0664ECA6-B456-E195-1216-E87E3554727E}\dll.exe
        Filesize

        184KB

        MD5

        2e9c2a02021677d34195c55643497bae

        SHA1

        cd1337ecfec14055c664e9b079a49b2140d0aeb1

        SHA256

        c4ba24c4a51af58b6cf657d775ffb2e7813285088e53b46099d77226cd9f1f66

        SHA512

        3b00639ab1fe57e6838b1e375ff725c5b9871ae7d3e3c580002a5dd9c823ecadb2c8e4369ac17ba8933d2663857cfc6d41a843bc9a2d98e1a03102258a9745ba

        Download Submit

      • memory/2020-140-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2020-146-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2020-145-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2020-143-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2020-142-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3432-159-0x0000000000400000-0x0000000000470000-memory.dmp

        Filesize

        448KB

        Download

      • memory/3432-154-0x0000000000400000-0x0000000000470000-memory.dmp

        Filesize

        448KB

        Download

      • memory/4416-155-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/4416-147-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/4416-144-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/4416-135-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download