Overview

overview

10

Static

static

7b5f23eeaa...64.exe

windows7-x64

10

7b5f23eeaa...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 06:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b5f23eeaa859056b764e21e1749980f40ab2a2237d4b7feb6c9f2574ad81364.exe

  • Size

    2.6MB

  • MD5

    b2894f2cbe96e7354f45c92dbc81a6b2

  • SHA1

    c11da9d91173628a9557e9a7950f6b1504afd8db

  • SHA256

    7b5f23eeaa859056b764e21e1749980f40ab2a2237d4b7feb6c9f2574ad81364

  • SHA512

    d44011b7f32b06f1d702c9270b106642a7b5c25fd15764cafb14f2dcf2ba6e1909b2b873bede3d9dee627843fa2733e18042f7e267dc5fa7a27835b87ed3fdf4

  • SSDEEP

    24576:YHYxbvHwDr6Y/Hicgp/lUBXHYxbvHwDr6Y/Hicgp/lUBhshRdrEAbm4z:Y4xcD/6h0BX4xcD/6h0BhydYAm4z

Score
10/10
isrstealercollectionspywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 7 IoCs
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • Nirsoft 3 IoCs
  • Executes dropped EXE 8 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b5f23eeaa859056b764e21e1749980f40ab2a2237d4b7feb6c9f2574ad81364.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5f23eeaa859056b764e21e1749980f40ab2a2237d4b7feb6c9f2574ad81364.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\sermini.exe
      "C:\Users\Admin\AppData\Local\Temp\sermini.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Users\Admin\AppData\Roaming\Server.exe
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Users\Admin\AppData\Roaming\Server.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\Y8ozUsE2mz.ini"
          4⤵
          • Executes dropped EXE
          PID:1268
        • C:\Users\Admin\AppData\Roaming\Server.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\MteDDdqiqb.ini"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          PID:3492
    • C:\Users\Admin\AppData\Local\Temp\sermini.exe
      "C:\Users\Admin\AppData\Local\Temp\sermini.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Users\Admin\AppData\Roaming\Server.exe
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Users\Admin\AppData\Roaming\Server.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\nhDT0NcIkt.ini"
          4⤵
          • Executes dropped EXE
          PID:4756
        • C:\Users\Admin\AppData\Roaming\Server.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\MteDDdqiqb.ini"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          PID:5080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    97acf0930ce9f2f69d40ed8e1178cec6

    SHA1

    6380a2d97e4b4ccc3b4598cc2d431702e54ed69c

    SHA256

    b38f02de41dbb7db433a5f440dff85432150ff71d53b7ef8792d96da80962343

    SHA512

    f49c8a4fa51127e7d8b71cd0257bbedc8855ea708ec0e313e5071b656aedb815b55e51619df24ed967c4df0e685a4940cc1f123aa4ee0198a3d1ada1b42480e1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    c51850a96d359a09a3a3a2249c52a92d

    SHA1

    4a4606bc3ebee0d4cf4a0f028d931945490d2665

    SHA256

    d66175ec867bee8f450f2f3ad05d9d161384241244e6d5cf791a608dd31ef175

    SHA512

    832204ccb7f74e8fd1e5f3ae2485227d94f4c5ae025695369e8affacb49307b3f2a20bac69a52d9835338bc84271cd3d1c7675f7f6a7f7a25e6f85141027dff6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6872375A2E1BC120603F5605C3CEC71
    Filesize

    472B

    MD5

    c5da9c31f5e2c79be8782b8c161e7250

    SHA1

    9a676006861051c42234a10d4549ede6af89ba92

    SHA256

    1a0a09163ffb30f5a6a2d4e2be5cdc15d1117bd5f9db1408680c5533cc4cd187

    SHA512

    0c07e319bcb40f3807e0a8fa2f4c455f64d1e1c606638c4faf11db7d89c717cfec2707a843ea8bcca1b7c3f62a4c7eb0c699b9cf9ea4d460fe3ed7eb4aaa7839

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    94b4e9608d37fd3c5b405cf8882c6d3d

    SHA1

    850e951d9ce81ea4ab20b5d77f973f9812b5a1be

    SHA256

    9cc8ada22f43270a69fd669a0ff86058444dabf2e73a7e0f024d612dae3e8bea

    SHA512

    55af2cf71ed8555ec5fe0952cbbea7a0d7c472d1c604b64e8a8f74b8ad8eaac9abd749fcd5355622aee70c9c66ec947ce719c5c857f74e1f2433d0ebadbbd6ff

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    94b4e9608d37fd3c5b405cf8882c6d3d

    SHA1

    850e951d9ce81ea4ab20b5d77f973f9812b5a1be

    SHA256

    9cc8ada22f43270a69fd669a0ff86058444dabf2e73a7e0f024d612dae3e8bea

    SHA512

    55af2cf71ed8555ec5fe0952cbbea7a0d7c472d1c604b64e8a8f74b8ad8eaac9abd749fcd5355622aee70c9c66ec947ce719c5c857f74e1f2433d0ebadbbd6ff

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    94b4e9608d37fd3c5b405cf8882c6d3d

    SHA1

    850e951d9ce81ea4ab20b5d77f973f9812b5a1be

    SHA256

    9cc8ada22f43270a69fd669a0ff86058444dabf2e73a7e0f024d612dae3e8bea

    SHA512

    55af2cf71ed8555ec5fe0952cbbea7a0d7c472d1c604b64e8a8f74b8ad8eaac9abd749fcd5355622aee70c9c66ec947ce719c5c857f74e1f2433d0ebadbbd6ff

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    255ddf6aec9cfdf1084a9388b515fc3c

    SHA1

    b460d95cd7f8a21808ebf9b4013e64a1c08f7721

    SHA256

    4ec0d83570fe1c91bae92c53534002f7a8c1948f41243b65c89e849e58c8086c

    SHA512

    6385117f32bd220338c4f802cc3a04a178bd3346138744e9a110deb9cf29d041dc5528633971b02be277cd9c4645a340ed091ee6941a3443aa7af47fc1859a31

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    6e95095f3e55c03979b2e7bc9c1043df

    SHA1

    80592d5f3fcc35379cf05be7399ca0876e77d9ef

    SHA256

    c4dca4a3e29faeb809d23ba5de518f387511d28e5ef11d208c6a969af45aaed1

    SHA512

    488b8991041e05f4862e1fd47ab2bbef2022e160b95960c8e0ed4e0ae9f43db373a3eeb6bf6e3dba7fc09811cdafe3a061edc723e7f0db9f92c2a0610d843321

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    6e95095f3e55c03979b2e7bc9c1043df

    SHA1

    80592d5f3fcc35379cf05be7399ca0876e77d9ef

    SHA256

    c4dca4a3e29faeb809d23ba5de518f387511d28e5ef11d208c6a969af45aaed1

    SHA512

    488b8991041e05f4862e1fd47ab2bbef2022e160b95960c8e0ed4e0ae9f43db373a3eeb6bf6e3dba7fc09811cdafe3a061edc723e7f0db9f92c2a0610d843321

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71
    Filesize

    484B

    MD5

    9ab300d2a632b828b353919d9540567a

    SHA1

    e2530b89da6e179f592f85d0d972202030815ecb

    SHA256

    a79c5784fda13d5fdfe915e678f88d60eb9a66cf15bb9847824453437a4a56a2

    SHA512

    1264f6b6bed7b238cc737ed158a7f034f63806c0c6db501cef84f2a5d5543e5a4f08c98ca94094458a361a669c9f047858ddcfff4db59d613aa8c33e810f847f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Y8ozUsE2mz.ini
    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nhDT0NcIkt.ini
    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sermini.exe
    Filesize

    1.2MB

    MD5

    45d775dc475cd0fe65d96e57beb58acd

    SHA1

    93491ac5bb503a1022e2004e0b5ff0434f9bcea1

    SHA256

    7797c2591a0051b65422b5919ecf9764b0e8f601cea40fe1afa21985d8216a0e

    SHA512

    3394c1e0612c3514afd711c0ddb8098b61c54494177d8df757e0cb6b2ff12ed058151d16bfc3d6913d9624b268e64114f914d4003db99f69357f5696e26cb621

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sermini.exe
    Filesize

    1.2MB

    MD5

    45d775dc475cd0fe65d96e57beb58acd

    SHA1

    93491ac5bb503a1022e2004e0b5ff0434f9bcea1

    SHA256

    7797c2591a0051b65422b5919ecf9764b0e8f601cea40fe1afa21985d8216a0e

    SHA512

    3394c1e0612c3514afd711c0ddb8098b61c54494177d8df757e0cb6b2ff12ed058151d16bfc3d6913d9624b268e64114f914d4003db99f69357f5696e26cb621

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sermini.exe
    Filesize

    1.2MB

    MD5

    45d775dc475cd0fe65d96e57beb58acd

    SHA1

    93491ac5bb503a1022e2004e0b5ff0434f9bcea1

    SHA256

    7797c2591a0051b65422b5919ecf9764b0e8f601cea40fe1afa21985d8216a0e

    SHA512

    3394c1e0612c3514afd711c0ddb8098b61c54494177d8df757e0cb6b2ff12ed058151d16bfc3d6913d9624b268e64114f914d4003db99f69357f5696e26cb621

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.exe
    Filesize

    260KB

    MD5

    339e91d3f17423499c0f387b45c8b460

    SHA1

    7bc91865d6a1477d2a7461d2e9347e77e17107ed

    SHA256

    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

    SHA512

    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

    Download Submit

  • memory/376-143-0x000000001B870000-0x000000001C2A6000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1268-164-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1268-166-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1268-151-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1312-144-0x000000001B890000-0x000000001C2C6000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3492-193-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3492-190-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4756-162-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4756-167-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/4984-137-0x0000000005040000-0x0000000005096000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4984-135-0x0000000004E60000-0x0000000004EF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4984-134-0x0000000005410000-0x00000000059B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4984-133-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4984-136-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4984-132-0x00000000000F0000-0x000000000038C000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/5080-182-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/5080-188-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/5080-192-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download