isrstealer | 37780af54219c5c55bbd96da6b64a5bceeb10d99b01cecd7dc7dfb6406af2206

Analysis

max time kernel
220s
max time network
241s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-12-2023 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1387974feffde780d5e3c69e33631a72.exe
Size

888KB
MD5

1387974feffde780d5e3c69e33631a72
SHA1

1d55315676b0db7ccf7822e89ab556987f88dc25
SHA256

37780af54219c5c55bbd96da6b64a5bceeb10d99b01cecd7dc7dfb6406af2206
SHA512

bd0fa09a5722d5d1c82525ce949dd37fd6e237e89cd8760e665d9aca7e50f4edf876538b46eac5056b92ee1d4751c2fa0fbc1e4eeb1e539bbe419905701ba837
SSDEEP

12288:amhY9HGbus7YjeLIcSdThuQsx9I9UF8KRNQ9HalPYKi6NFttCM37/d3/IyH:amhGSSc5sus9Ux0HalLiuFFTGw

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1992-21-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 10 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1340-44-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1340-45-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/832-68-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2216-92-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2216-93-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2960-116-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2848-151-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1624-161-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2848-182-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1484-188-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 10 IoCs

resource	yara_rule
behavioral1/memory/1340-44-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1340-45-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/832-68-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2216-92-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2216-93-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2960-116-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2848-151-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1624-161-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2848-182-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1484-188-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	1992	wscript.exe
7	2184	wscript.exe
9	1328	wscript.exe
11	1512	wscript.exe
13	2644	wscript.exe
15	796	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBEhbTXcZiMgJbgb.cmd.lnk	TCLQadWEDaffNMPdQHccF.cmd

Executes dropped EXE 1 IoCs

pid	Process
1624	TCLQadWEDaffNMPdQHccF.cmd

Loads dropped DLL 1 IoCs

pid	Process
2596	1387974feffde780d5e3c69e33631a72.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-30-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2528-32-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2528-36-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2528-38-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1340-40-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1340-42-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1340-44-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1340-45-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2072-60-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2072-62-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/832-68-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1196-82-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1196-85-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2216-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2216-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2896-110-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2960-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2144-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2848-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-181-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2848-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1484-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1387974feffde780d5e3c69e33631a72.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1992 set thread context of 2528	1992	wscript.exe	31
PID 1992 set thread context of 1340	1992	wscript.exe	33
PID 1624 set thread context of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 2184 set thread context of 2072	2184	wscript.exe	36
PID 2184 set thread context of 832	2184	wscript.exe	38
PID 1624 set thread context of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1328 set thread context of 1196	1328	wscript.exe	40
PID 1328 set thread context of 2216	1328	wscript.exe	41
PID 1624 set thread context of 1512	1624	TCLQadWEDaffNMPdQHccF.cmd	44
PID 1512 set thread context of 2896	1512	wscript.exe	46
PID 1512 set thread context of 2960	1512	wscript.exe	47
PID 1624 set thread context of 1284	1624	TCLQadWEDaffNMPdQHccF.cmd	50
PID 1284 set thread context of 3012	1284	wscript.exe	51
PID 1284 set thread context of 1600	1284	wscript.exe	52
PID 1624 set thread context of 2644	1624	TCLQadWEDaffNMPdQHccF.cmd	53
PID 2644 set thread context of 2144	2644	wscript.exe	54
PID 2644 set thread context of 2848	2644	wscript.exe	55
PID 1624 set thread context of 1916	1624	TCLQadWEDaffNMPdQHccF.cmd	58
PID 1916 set thread context of 2520	1916	wscript.exe	59
PID 1916 set thread context of 2988	1916	wscript.exe	60
PID 1624 set thread context of 796	1624	TCLQadWEDaffNMPdQHccF.cmd	61
PID 796 set thread context of 1808	796	wscript.exe	62
PID 796 set thread context of 1484	796	wscript.exe	63
PID 1624 set thread context of 2020	1624	TCLQadWEDaffNMPdQHccF.cmd	66
PID 2020 set thread context of 636	2020	wscript.exe	67
PID 2020 set thread context of 1780	2020	wscript.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd
1624	TCLQadWEDaffNMPdQHccF.cmd

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1992	wscript.exe
2184	wscript.exe
1328	wscript.exe
1512	wscript.exe
1284	wscript.exe
2644	wscript.exe
1916	wscript.exe
796	wscript.exe
2020	wscript.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1624	2596	1387974feffde780d5e3c69e33631a72.exe	29
PID 2596 wrote to memory of 1624	2596	1387974feffde780d5e3c69e33631a72.exe	29
PID 2596 wrote to memory of 1624	2596	1387974feffde780d5e3c69e33631a72.exe	29
PID 2596 wrote to memory of 1624	2596	1387974feffde780d5e3c69e33631a72.exe	29
PID 1624 wrote to memory of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1624 wrote to memory of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1624 wrote to memory of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1624 wrote to memory of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1624 wrote to memory of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1624 wrote to memory of 1992	1624	TCLQadWEDaffNMPdQHccF.cmd	30
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 2528	1992	wscript.exe	31
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1992 wrote to memory of 1340	1992	wscript.exe	33
PID 1624 wrote to memory of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 1624 wrote to memory of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 1624 wrote to memory of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 1624 wrote to memory of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 1624 wrote to memory of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 1624 wrote to memory of 2184	1624	TCLQadWEDaffNMPdQHccF.cmd	35
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 2072	2184	wscript.exe	36
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 2184 wrote to memory of 832	2184	wscript.exe	38
PID 1624 wrote to memory of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1624 wrote to memory of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1624 wrote to memory of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1624 wrote to memory of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1624 wrote to memory of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1624 wrote to memory of 1328	1624	TCLQadWEDaffNMPdQHccF.cmd	39
PID 1328 wrote to memory of 1196	1328	wscript.exe	40
PID 1328 wrote to memory of 1196	1328	wscript.exe	40
PID 1328 wrote to memory of 1196	1328	wscript.exe	40
PID 1328 wrote to memory of 1196	1328	wscript.exe	40
PID 1328 wrote to memory of 1196	1328	wscript.exe	40
PID 1328 wrote to memory of 1196	1328	wscript.exe	40

C:\Users\Admin\AppData\Local\Temp\1387974feffde780d5e3c69e33631a72.exe
"C:\Users\Admin\AppData\Local\Temp\1387974feffde780d5e3c69e33631a72.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHccF.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHccF.cmd TCLQadWEDaffNMPdQHc
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\g2NZ0bKxFp.ini"
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\HBedg0KPEz.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1340
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Z50H4t0J8P.ini"
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\P57mesNJQh.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:832
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\GIWGWJOAUd.ini"
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Z3jJ047AYJ.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2216
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1512
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\1WPzFLahXS.ini"
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\tvjUwnHcP1.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2960
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1284
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\dEWo9Uhqls.ini"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\fYwZYQzhXc.ini"
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2644
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\gCLEOLKHPz.ini"
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XGvHNzAcUX.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2848
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1916
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\CSA4wURFaJ.ini"
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\oQO1m55DXw.ini"
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:796
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ex36b7kpOF.ini"
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\WMPXXrZLU9.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1484
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2020
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\DbDS8rYCpF.ini"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\8cMXy8yVxo.ini"
      4⤵
      PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BBEhbTXcZiMg

Filesize
260KB

MD5
784fb4a1162b8c1ea8b2ae4c5b80e356

SHA1
860941a5a1ce509c31ed3e4561fc1bb48c5628ed

SHA256
0c490f54cb51321f6706078741cc2f1ed523d2ecb7087871af49f8590c400215

SHA512
fb6741f5fed8f541b89e06404a4a36ae767a43dd24eee2d17fdea5826c86e3c3c18e6eac78491567726fb3161f87e6deeebe3d7e3cc90ece54a939c5562fa368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHc

Filesize
35KB

MD5
6b17e99abcccfdfbe08b3f34c859128c

SHA1
4dbe41106e9a685656e3d8695b3d259a8704def0

SHA256
7fe55a00110b72bdf0c17140882c8d1eac50ddd1b6919382ec7096d8b1444f2c

SHA512
2bc05b68c034af079ead7593aef7002d450f58d025eb3a2c6a8ea3049d8ac9f39c24131e92889de6532e9c97074336455085724a2a90071adbad83c6bb88d8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2NZ0bKxFp.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHccF.cmd

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
memory/832-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1196-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1328-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1340-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1340-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1340-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1340-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-100-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-140-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1624-152-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1624-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1808-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1992-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-60-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2144-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2184-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2216-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-38-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2848-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2896-110-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download