Overview

overview

10

Static

static

9306afa147...9a.exe

windows7-x64

10

9306afa147...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9306afa147c0363389a99576425ab3ac0fcd73b32f60183f97104c104b896a9a.exe

  • Size

    1.0MB

  • MD5

    749a7b99749d220936b95fb6e4132bd8

  • SHA1

    8e518cc998d1fdf6978a9d283cc3f443fe87c8f0

  • SHA256

    9306afa147c0363389a99576425ab3ac0fcd73b32f60183f97104c104b896a9a

  • SHA512

    75c63302c82e827272266049ac34da50f74e971ad7c48cbe53e580317c8af099c03ebe5911ee4255366823e29365d4db433d8ca458244330c14588c0073cfdc2

  • SSDEEP

    24576:wfna/BVJI9Z+9zlmSzFpIS+1ASkw1okKIY2AyWuBAhE9QdB1d:wfuduKzlmSzFWS+10w1I3yWY3QL/

Score
10/10
isrstealercollectionevasionstealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 10 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • Nirsoft 4 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9306afa147c0363389a99576425ab3ac0fcd73b32f60183f97104c104b896a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\9306afa147c0363389a99576425ab3ac0fcd73b32f60183f97104c104b896a9a.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\EPmfcM.exe GthbXZ
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\EPmfcM.exe
        C:\Users\Admin\AppData\Local\Temp\EPmfcM.exe GthbXZ
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\System32\svchost.exe"
          4⤵
          • UAC bypass
          • Windows security bypass
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:988
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /delete /tn WindowsUpdategthbxz0x8429524
            5⤵
              PID:1716
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn WindowsUpdategthbxz0x8429525 /tr "C:\ProgramData\gthbxz\Project1.exe" /RL HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:1468
            • C:\Windows\SysWOW64\svchost.exe
              "C:\Windows\SysWOW64\svchost.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\SysWOW64\svchost.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\vVImRz1Mdu.ini"
                6⤵
                  PID:556
                • C:\Windows\SysWOW64\svchost.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\htbUxgvqHp.ini"
                  6⤵
                  • Accesses Microsoft Outlook accounts
                  PID:1964
              • C:\Windows\SysWOW64\svchost.exe
                "C:\Windows\SysWOW64\svchost.exe"
                5⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1664
                • C:\Windows\SysWOW64\svchost.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\tkAQiY8YWr.ini"
                  6⤵
                    PID:436
                  • C:\Windows\SysWOW64\svchost.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\nK9L1hCzva.ini"
                    6⤵
                    • Accesses Microsoft Outlook accounts
                    PID:240
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {CF8EDE50-004F-4084-91C3-3E89CE344FD4} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
          1⤵
            PID:1324

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\EPmfcM.exe
            Filesize

            510KB

            MD5

            01d151ccd2a75bd713b8ce81d6509eb8

            SHA1

            c751680d504bece45dc84e363e9e976fe77a8eac

            SHA256

            a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

            SHA512

            8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\EPmfcM.exe
            Filesize

            510KB

            MD5

            01d151ccd2a75bd713b8ce81d6509eb8

            SHA1

            c751680d504bece45dc84e363e9e976fe77a8eac

            SHA256

            a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

            SHA512

            8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\GthbXZ
            Filesize

            10KB

            MD5

            85dbd40256d09f3a5fd5fd7cbdf8db19

            SHA1

            3d5d0f17184725fde2d71ded94d4803b1aa89820

            SHA256

            0c0107fc5e33e565e7f809cbd8594fa32f3af60a9d653dea8dc0e5683b29bcc2

            SHA512

            0d525c604b52204ddb863106108fba43086b6a37c822a4683f71d7eaedff277af589aeb84cfc3fe1f05f54ef715d9758ce8ed52b6fa1b10e26074f8904e5657a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tbZHJv.txt
            Filesize

            1.3MB

            MD5

            c97f91a4e75191206ba81d08b3ff2e26

            SHA1

            19c8a3a61a2577145d48f27caed911903bfe8704

            SHA256

            9564205a71241b9bd94c4d94d48f211fd09d85e82defeafc19f4b56824e50040

            SHA512

            01d761bd1c4a8430b86b029ea52cd42eab67cfbd0511c0da251bc8291c7c567360cab45c4188d3012a3fd897b9fb4a19d09a6aad01c42b422f0589594266738d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tkAQiY8YWr.ini
            Filesize

            5B

            MD5

            d1ea279fb5559c020a1b4137dc4de237

            SHA1

            db6f8988af46b56216a6f0daf95ab8c9bdb57400

            SHA256

            fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

            SHA512

            720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\vVImRz1Mdu.ini
            Filesize

            5B

            MD5

            d1ea279fb5559c020a1b4137dc4de237

            SHA1

            db6f8988af46b56216a6f0daf95ab8c9bdb57400

            SHA256

            fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

            SHA512

            720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

            Download Submit

          • \Users\Admin\AppData\Local\Temp\EPmfcM.exe
            Filesize

            510KB

            MD5

            01d151ccd2a75bd713b8ce81d6509eb8

            SHA1

            c751680d504bece45dc84e363e9e976fe77a8eac

            SHA256

            a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

            SHA512

            8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

            Download Submit

          • memory/240-136-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/240-137-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/240-138-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/436-115-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/556-90-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/556-117-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/556-97-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/556-95-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/556-94-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/988-69-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/988-66-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/988-122-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/988-64-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/988-63-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/988-75-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1652-79-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1652-139-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1652-96-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1652-80-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1652-123-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1652-82-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1652-84-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1664-124-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1664-116-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1664-140-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1964-129-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1964-130-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1964-131-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1964-125-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download