Analysis
-
max time kernel
182s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
29-01-2023 06:55
General
-
Target
c9c15c614ea8a43be81ad6da31b320a1577f142ee1ec84e498bede89d360bdb3.exe
-
Size
480KB
-
MD5
84730977d3c5921ce72f06569e0303d7
-
SHA1
0136a583df02745bdc1bbef21e6bf395a07a87ab
-
SHA256
c9c15c614ea8a43be81ad6da31b320a1577f142ee1ec84e498bede89d360bdb3
-
SHA512
9f4b3eecb443f0b7b8cfc30dec73a2e04d639406e6c7c945382173d8bd11d12d28bb9e4888469ea0873e8f0c5b43ec0e9f3b6688afb8242dec451a353aa9e368
-
SSDEEP
12288:diJu+2t874tMkvsVSKgMG5PJVSiFCtDM:druNMMG5nSiFCtD
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 5 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9c15c614ea8a43be81ad6da31b320a1577f142ee1ec84e498bede89d360bdb3.exe"C:\Users\Admin\AppData\Local\Temp\c9c15c614ea8a43be81ad6da31b320a1577f142ee1ec84e498bede89d360bdb3.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\240649250.exe"C:\Users\Admin\AppData\Local\Temp\240649250.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\240649250.exe"C:\Users\Admin\AppData\Local\Temp\240649250.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\c9c15c614ea8a43be81ad6da31b320a1577f142ee1ec84e498bede89d360bdb3.exe"C:\Users\Admin\AppData\Local\Temp\c9c15c614ea8a43be81ad6da31b320a1577f142ee1ec84e498bede89d360bdb3.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
312KB
MD5c907917088779ac7dd2c35f1255846a0
SHA1eecdc166d70455d180276f3cc592d92fe4659c90
SHA256bcd73949ff5780c5dc60019c1d211bc926009b5fe81b47ee29fd88b05c87e200
SHA5126cde845481acc502ac1a1baa64fc264bf3400b1fdb165971550081a7f8ccba8ee749e4994c3a61348b6048b06540842884078ad0891185897d1155d15090d0e1
-
Filesize
312KB
MD5c907917088779ac7dd2c35f1255846a0
SHA1eecdc166d70455d180276f3cc592d92fe4659c90
SHA256bcd73949ff5780c5dc60019c1d211bc926009b5fe81b47ee29fd88b05c87e200
SHA5126cde845481acc502ac1a1baa64fc264bf3400b1fdb165971550081a7f8ccba8ee749e4994c3a61348b6048b06540842884078ad0891185897d1155d15090d0e1
-
Filesize
312KB
MD5c907917088779ac7dd2c35f1255846a0
SHA1eecdc166d70455d180276f3cc592d92fe4659c90
SHA256bcd73949ff5780c5dc60019c1d211bc926009b5fe81b47ee29fd88b05c87e200
SHA5126cde845481acc502ac1a1baa64fc264bf3400b1fdb165971550081a7f8ccba8ee749e4994c3a61348b6048b06540842884078ad0891185897d1155d15090d0e1
-
Filesize
50B
MD55b63d4dd8c04c88c0e30e494ec6a609a
SHA1884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA2564d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA51215ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
156KB
-
Filesize
156KB