Analysis
-
max time kernel
85s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
30-11-2022 04:55
Static task
static1
Behavioral task
behavioral1
Sample
c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe
Resource
win10v2004-20221111-en
General
-
Target
c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe
-
Size
1.1MB
-
MD5
b6e5ba759e4214e47e9b643c6db3869e
-
SHA1
1cfa3edb8d3da4ec40f9aebe6a6d110032da6640
-
SHA256
c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e
-
SHA512
0e1b7b04aa8493417a01acbca28c090b5e6d2ec83864ac11f1a9583b5321a078a469c5c12a54475766ed67695c33a86da71795ea5afbe2d3e9ce924d6ad4d1d5
-
SSDEEP
12288:VfVr/5D5Jy/ei02wu+OHW7/Bpk+EJJt/ZAyNIQACAFFDfCCDL3WM8iJO05k4NKO5:RV5Hy/phw/98m/fpv3WM8i9v
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
-
ISR Stealer payload 6 IoCs
resource  yara_rule
behavioral1/memory/1492-64-0x00000000004011F8-mapping.dmp  family_isrstealer
behavioral1/memory/1492-63-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
behavioral1/memory/1492-61-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
behavioral1/memory/1492-75-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
behavioral1/memory/1492-120-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
behavioral1/memory/1492-124-0x0000000000400000-0x0000000000470000-memory.dmp  family_isrstealer
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource  yara_rule
behavioral1/memory/960-115-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral1/memory/960-117-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral1/memory/960-122-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
-
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral1/memory/1316-89-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
behavioral1/memory/1316-90-0x000000000043F420-mapping.dmp  WebBrowserPassView
behavioral1/memory/1316-112-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
behavioral1/memory/1316-118-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
behavioral1/memory/1316-121-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
behavioral1/memory/1316-123-0x0000000000400000-0x0000000000454000-memory.dmp  WebBrowserPassView
-
Nirsoft 11 IoCs
resource  yara_rule
behavioral1/memory/1316-89-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
behavioral1/memory/1316-90-0x000000000043F420-mapping.dmp  Nirsoft
behavioral1/memory/1316-112-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
behavioral1/memory/1344-114-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral1/memory/960-115-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/1344-116-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral1/memory/960-117-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/1316-118-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
behavioral1/memory/1316-121-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
behavioral1/memory/960-122-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/1316-123-0x0000000000400000-0x0000000000454000-memory.dmp  Nirsoft
-
Executes dropped EXE 5 IoCs
pid  Process
1492  Service.exe
868  Service.exe
1316  Service.exe
1344  Service.exe
960  Service.exe
-
Packed with UPX (yara rule upx) 9 IoCs
resource  yara_rule
behavioral1/memory/1344-96-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/960-103-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1344-114-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/1344-111-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/960-115-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/960-113-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1344-116-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/960-117-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/960-122-0x0000000000400000-0x000000000041F000-memory.dmp  upx
-
Loads dropped DLL 5 IoCs
pid  Process
1552  c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe
1492  Service.exe
868  Service.exe
868  Service.exe
868  Service.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  Service.exe
-
Suspicious use of SetThreadContext 5 IoCs
description  pid  Process  procid_target
PID 1552 set thread context of 1492  1552  c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe  28
PID 1492 set thread context of 868  1492  Service.exe  29
PID 868 set thread context of 1316  868  Service.exe  30
PID 868 set thread context of 1344  868  Service.exe  31
PID 868 set thread context of 960  868  Service.exe  32
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; in this sample it accompanies an infostealer chain and no file encryption is reported, so read it as drive enumeration, not as evidence of ransomware.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1552 c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  1552  c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe
Token: SeDebugPrivilege  1344  Service.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1492 Service.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description  pid  Process  procid_target  (rows in report)
PID 1552 wrote to memory of 1492  1552  c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe  28  (8 rows)
PID 1492 wrote to memory of 868  1492  Service.exe  29  (12 rows)
PID 868 wrote to memory of 1316  868  Service.exe  30  (6 rows)
PID 868 wrote to memory of 1344  868  Service.exe  31  (6 rows)
PID 868 wrote to memory of 960  868  Service.exe  32  (6 rows)
The report lists one row per WriteProcessMemory call (38 in total); identical rows are collapsed here with their count.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe  (depth 1, PID 1552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe  (depth 2, PID 1492)
    Command line: C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe  (depth 3, PID 868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe  (depth 4, PID 1316)
        Command line: "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe  (depth 4, PID 1344)
        Command line: "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe  (depth 4, PID 960)
        Command line: "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
-
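The SetThreadContext and WriteProcessMemory pairs together with the /scomma command lines are the whole story of this sample: a hollowing chain three levels deep (1552 into 1492, 1492 into 868, 868 into three children) that ends with NirSoft recovery tools writing credentials to CSV. The Python below is an added example for this page, not Triage's code and not anything recovered from the sample. It parses the report's own signature text (transcribed above; the WriteProcessMemory rows are abridged), keeps only parent/child pairs that show both calls, walks each dump process back to the root, and pulls the /scomma output paths. The "PID <src> <action> <dst> <src> <image> <n>" line format assumed by EVENT_RE, the function names and the TEMP/COMMAND_LINES constants are this example's own assumptions.

```python
"""Added example (not Triage's code, not from the sample): reconstruct the
process-hollowing chain and the NirSoft CSV dumps from the signature text in
the report above. Assumed: the "PID <src> <action> <dst> <src> <image> <n>"
line format, the function names, and the transcribed command lines."""
import re

# Transcribed from the report above.
SAMPLE = "c1cd4599831b74bdbcdfd714440d72f582b1915e333702bee41e82e49ef15d9e.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# "Suspicious use of SetThreadContext", one entry per line.
SET_THREAD_CONTEXT = f"""
PID 1552 set thread context of 1492 1552 {SAMPLE} 28
PID 1492 set thread context of 868 1492 Service.exe 29
PID 868 set thread context of 1316 868 Service.exe 30
PID 868 set thread context of 1344 868 Service.exe 31
PID 868 set thread context of 960 868 Service.exe 32
"""

# "Suspicious use of WriteProcessMemory", abridged: the report repeats each
# parent/child pair up to 12 times; one repeat is kept to show deduplication.
WRITE_PROCESS_MEMORY = f"""
PID 1552 wrote to memory of 1492 1552 {SAMPLE} 28
PID 1552 wrote to memory of 1492 1552 {SAMPLE} 28
PID 1492 wrote to memory of 868 1492 Service.exe 29
PID 868 wrote to memory of 1316 868 Service.exe 30
PID 868 wrote to memory of 1344 868 Service.exe 31
PID 868 wrote to memory of 960 868 Service.exe 32
"""

# Command lines from the process tree, keyed by PID (the doubled backslash in
# PID 1492's command line is reproduced as the report shows it).
COMMAND_LINES = {
    1552: f'"{TEMP}\\{SAMPLE}"',
    1492: f"{TEMP}\\\\AppLaunch\\Service.exe",
    868: f'"{TEMP}\\AppLaunch\\Service.exe"',
    1316: f'"{TEMP}\\AppLaunch\\Service.exe" /scomma {TEMP}\\data.dmp',
    1344: f'"{TEMP}\\AppLaunch\\Service.exe" /scomma {TEMP}\\data1.dmp',
    960: f'"{TEMP}\\AppLaunch\\Service.exe" /scomma {TEMP}\\data2.dmp',
}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) \d+"
)
# NirSoft password-recovery tools write every recovered credential to CSV with
# "/scomma <file>"; that switch is the tell for MailPassView/WebBrowserPassView runs.
SCOMMA_RE = re.compile(r"/scomma\s+(\S+)", re.IGNORECASE)


def parse_events(text):
    """Set of (src_pid, action, dst_pid); repeated report rows collapse to one."""
    return {(int(m["src"]), m["action"], int(m["dst"])) for m in EVENT_RE.finditer(text)}


def injection_pairs(ctx_text, wpm_text):
    """child PID -> parent PID for every pair showing BOTH WriteProcessMemory and
    SetThreadContext: write the image, then redirect the thread, i.e. hollowing."""
    ctx = {(s, d) for s, a, d in parse_events(ctx_text) if a == "set thread context of"}
    wpm = {(s, d) for s, a, d in parse_events(wpm_text) if a == "wrote to memory of"}
    return {d: s for s, d in ctx & wpm}


def lineage(pairs, pid):
    """Walk child -> parent links from pid up to the root; stops on a cycle."""
    chain, seen = [pid], {pid}
    while chain[-1] in pairs and pairs[chain[-1]] not in seen:
        chain.append(pairs[chain[-1]])
        seen.add(chain[-1])
    return chain


def find_credential_dumps(cmdlines):
    """PID -> path of the CSV the NirSoft tool was told to write."""
    dumps = {}
    for pid, cmdline in cmdlines.items():
        m = SCOMMA_RE.search(cmdline)
        if m:
            dumps[pid] = m.group(1)
    return dumps


def triage(ctx_text, wpm_text, cmdlines):
    """For every dump process: its output file and the chain of injectors above it."""
    pairs = injection_pairs(ctx_text, wpm_text)
    return {pid: {"dump": path, "lineage": lineage(pairs, pid)}
            for pid, path in find_credential_dumps(cmdlines).items()}


if __name__ == "__main__":
    result = triage(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, COMMAND_LINES)
    for pid, info in sorted(result.items()):
        print(pid, info["dump"], "<-".join(map(str, info["lineage"])))
```

On a live host the same logic applies to Sysmon event 10 (CreateRemoteThread/thread access) and event 1 command lines: a child that was both written to and had its thread context replaced by its parent is the hollowed stage, and the /scomma path is the file to collect before it is exfiltrated or deleted.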
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 1.1MB
MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98