isrstealer | 37780af54219c5c55bbd96da6b64a5bceeb10d99b01cecd7dc7dfb6406af2206

Analysis

max time kernel
165s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2023 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1387974feffde780d5e3c69e33631a72.exe
Size

888KB
MD5

1387974feffde780d5e3c69e33631a72
SHA1

1d55315676b0db7ccf7822e89ab556987f88dc25
SHA256

37780af54219c5c55bbd96da6b64a5bceeb10d99b01cecd7dc7dfb6406af2206
SHA512

bd0fa09a5722d5d1c82525ce949dd37fd6e237e89cd8760e665d9aca7e50f4edf876538b46eac5056b92ee1d4751c2fa0fbc1e4eeb1e539bbe419905701ba837
SSDEEP

12288:amhY9HGbus7YjeLIcSdThuQsx9I9UF8KRNQ9HalPYKi6NFttCM37/d3/IyH:amhGSSc5sus9Ux0HalLiuFFTGw

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/2972-18-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2972-23-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 18 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/564-39-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/564-40-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/564-41-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4992-62-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4992-63-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4140-84-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4140-85-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1092-99-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1092-100-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3696-114-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3268-136-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3268-137-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3356-175-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3356-176-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4520-190-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1156-211-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1156-212-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/944-233-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 18 IoCs

resource	yara_rule
behavioral2/memory/564-39-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/564-40-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/564-41-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4992-62-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4992-63-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4140-84-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4140-85-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1092-99-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1092-100-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3696-114-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3268-136-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3268-137-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3356-175-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3356-176-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4520-190-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1156-211-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1156-212-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/944-233-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Blocklisted process makes network request 8 IoCs

flow	pid	Process
45	2972	wscript.exe
47	4840	wscript.exe
50	4188	wscript.exe
57	2880	wscript.exe
58	3276	wscript.exe
59	3684	wscript.exe
64	972	wscript.exe
65	3952	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBEhbTXcZiMgJbgb.cmd.lnk	TCLQadWEDaffNMPdQHccF.cmd

Executes dropped EXE 1 IoCs

pid	Process
2288	TCLQadWEDaffNMPdQHccF.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/260-27-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/260-29-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/260-31-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/260-30-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/260-34-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/564-36-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/564-38-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/564-39-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/564-40-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/564-41-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1172-55-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4992-62-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4992-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4368-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4368-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4140-84-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4140-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1092-99-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1092-100-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3696-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4956-127-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4956-129-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3268-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3268-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4444-150-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4444-152-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2784-167-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2784-169-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3356-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3356-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4520-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4580-203-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4580-205-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1156-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1156-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4976-225-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4976-227-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/944-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1387974feffde780d5e3c69e33631a72.exe

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2972	2288	TCLQadWEDaffNMPdQHccF.cmd	93
PID 2972 set thread context of 260	2972	wscript.exe	94
PID 2972 set thread context of 564	2972	wscript.exe	95
PID 2288 set thread context of 4840	2288	TCLQadWEDaffNMPdQHccF.cmd	99
PID 4840 set thread context of 1172	4840	wscript.exe	100
PID 4840 set thread context of 4992	4840	wscript.exe	101
PID 2288 set thread context of 4188	2288	TCLQadWEDaffNMPdQHccF.cmd	102
PID 4188 set thread context of 4368	4188	wscript.exe	103
PID 4188 set thread context of 4140	4188	wscript.exe	104
PID 2288 set thread context of 4920	2288	TCLQadWEDaffNMPdQHccF.cmd	105
PID 4920 set thread context of 2396	4920	wscript.exe	106
PID 4920 set thread context of 1092	4920	wscript.exe	109
PID 2288 set thread context of 1884	2288	TCLQadWEDaffNMPdQHccF.cmd	111
PID 1884 set thread context of 1816	1884	wscript.exe	112
PID 1884 set thread context of 3696	1884	wscript.exe	115
PID 2288 set thread context of 2880	2288	TCLQadWEDaffNMPdQHccF.cmd	117
PID 2880 set thread context of 4956	2880	wscript.exe	118
PID 2880 set thread context of 3268	2880	wscript.exe	119
PID 2288 set thread context of 3276	2288	TCLQadWEDaffNMPdQHccF.cmd	120
PID 3276 set thread context of 4444	3276	wscript.exe	121
PID 3276 set thread context of 5044	3276	wscript.exe	122
PID 2288 set thread context of 3684	2288	TCLQadWEDaffNMPdQHccF.cmd	125
PID 3684 set thread context of 2784	3684	wscript.exe	126
PID 3684 set thread context of 3356	3684	wscript.exe	127
PID 2288 set thread context of 3968	2288	TCLQadWEDaffNMPdQHccF.cmd	128
PID 3968 set thread context of 4468	3968	wscript.exe	129
PID 3968 set thread context of 4520	3968	wscript.exe	132
PID 2288 set thread context of 972	2288	TCLQadWEDaffNMPdQHccF.cmd	135
PID 972 set thread context of 4580	972	wscript.exe	136
PID 972 set thread context of 1156	972	wscript.exe	137
PID 2288 set thread context of 3952	2288	TCLQadWEDaffNMPdQHccF.cmd	138
PID 3952 set thread context of 4976	3952	wscript.exe	139
PID 3952 set thread context of 944	3952	wscript.exe	140

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1780	2396	WerFault.exe	106
4200	1816	WerFault.exe	112
4748	5044	WerFault.exe	122
3164	4468	WerFault.exe	129

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd
2288	TCLQadWEDaffNMPdQHccF.cmd

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2972	wscript.exe
4840	wscript.exe
4188	wscript.exe
4920	wscript.exe
1884	wscript.exe
2880	wscript.exe
3276	wscript.exe
3684	wscript.exe
3968	wscript.exe
972	wscript.exe
3952	wscript.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 2288	3084	1387974feffde780d5e3c69e33631a72.exe	92
PID 3084 wrote to memory of 2288	3084	1387974feffde780d5e3c69e33631a72.exe	92
PID 3084 wrote to memory of 2288	3084	1387974feffde780d5e3c69e33631a72.exe	92
PID 2288 wrote to memory of 2972	2288	TCLQadWEDaffNMPdQHccF.cmd	93
PID 2288 wrote to memory of 2972	2288	TCLQadWEDaffNMPdQHccF.cmd	93
PID 2288 wrote to memory of 2972	2288	TCLQadWEDaffNMPdQHccF.cmd	93
PID 2288 wrote to memory of 2972	2288	TCLQadWEDaffNMPdQHccF.cmd	93
PID 2288 wrote to memory of 2972	2288	TCLQadWEDaffNMPdQHccF.cmd	93
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 260	2972	wscript.exe	94
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2972 wrote to memory of 564	2972	wscript.exe	95
PID 2288 wrote to memory of 4840	2288	TCLQadWEDaffNMPdQHccF.cmd	99
PID 2288 wrote to memory of 4840	2288	TCLQadWEDaffNMPdQHccF.cmd	99
PID 2288 wrote to memory of 4840	2288	TCLQadWEDaffNMPdQHccF.cmd	99
PID 2288 wrote to memory of 4840	2288	TCLQadWEDaffNMPdQHccF.cmd	99
PID 2288 wrote to memory of 4840	2288	TCLQadWEDaffNMPdQHccF.cmd	99
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 1172	4840	wscript.exe	100
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 4840 wrote to memory of 4992	4840	wscript.exe	101
PID 2288 wrote to memory of 4188	2288	TCLQadWEDaffNMPdQHccF.cmd	102
PID 2288 wrote to memory of 4188	2288	TCLQadWEDaffNMPdQHccF.cmd	102
PID 2288 wrote to memory of 4188	2288	TCLQadWEDaffNMPdQHccF.cmd	102
PID 2288 wrote to memory of 4188	2288	TCLQadWEDaffNMPdQHccF.cmd	102
PID 2288 wrote to memory of 4188	2288	TCLQadWEDaffNMPdQHccF.cmd	102
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4368	4188	wscript.exe	103
PID 4188 wrote to memory of 4140	4188	wscript.exe	104
PID 4188 wrote to memory of 4140	4188	wscript.exe	104
PID 4188 wrote to memory of 4140	4188	wscript.exe	104
PID 4188 wrote to memory of 4140	4188	wscript.exe	104
PID 4188 wrote to memory of 4140	4188	wscript.exe	104
PID 4188 wrote to memory of 4140	4188	wscript.exe	104

C:\Users\Admin\AppData\Local\Temp\1387974feffde780d5e3c69e33631a72.exe
"C:\Users\Admin\AppData\Local\Temp\1387974feffde780d5e3c69e33631a72.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHccF.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHccF.cmd TCLQadWEDaffNMPdQHc
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\7DDqr3qhCU.ini"
      4⤵
      PID:260
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\zOw1phudbk.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:564
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\wHWPdFoKo9.ini"
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\plC8rS36Zi.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4992
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\bM3WCq1eyG.ini"
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nMvRSBLk9T.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4140
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4920
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\UJPoHi7CpI.ini"
      4⤵
      PID:2396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 80
        5⤵
        Program crash
        
        PID:1780
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ao9uWXdmIL.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1092
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:780
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1884
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\toovybaLd4.ini"
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 80
        5⤵
        Program crash
        
        PID:4200
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\k0VChxWho0.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:3696
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2880
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\hbrbRd9jEy.ini"
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Wv88NNubrX.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:3268
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3276
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Ah4UIaoH5t.ini"
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\CmuqD0ckcg.ini"
      4⤵
      PID:5044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 80
        5⤵
        Program crash
        
        PID:4748
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3684
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\0gbMCMzFha.ini"
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\M4dpluGkpJ.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:3356
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3968
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\0ZEcudw1ON.ini"
      4⤵
      PID:4468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 84
        5⤵
        Program crash
        
        PID:3164
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\07SLCZFlpL.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4520
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:972
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\blcUKOdwci.ini"
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JF4fm6rJyR.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1156
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3952
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\H8Nj2sHnlB.ini"
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\wscript.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\3EUFYDAUFI.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2396 -ip 2396
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1816 -ip 1816
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5044 -ip 5044
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4468 -ip 4468
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7DDqr3qhCU.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BBEhbTXcZiMg

Filesize
260KB

MD5
784fb4a1162b8c1ea8b2ae4c5b80e356

SHA1
860941a5a1ce509c31ed3e4561fc1bb48c5628ed

SHA256
0c490f54cb51321f6706078741cc2f1ed523d2ecb7087871af49f8590c400215

SHA512
fb6741f5fed8f541b89e06404a4a36ae767a43dd24eee2d17fdea5826c86e3c3c18e6eac78491567726fb3161f87e6deeebe3d7e3cc90ece54a939c5562fa368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHc

Filesize
35KB

MD5
6b17e99abcccfdfbe08b3f34c859128c

SHA1
4dbe41106e9a685656e3d8695b3d259a8704def0

SHA256
7fe55a00110b72bdf0c17140882c8d1eac50ddd1b6919382ec7096d8b1444f2c

SHA512
2bc05b68c034af079ead7593aef7002d450f58d025eb3a2c6a8ea3049d8ac9f39c24131e92889de6532e9c97074336455085724a2a90071adbad83c6bb88d8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TCLQadWEDaffNMPdQHccF.cmd

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
memory/260-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/260-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/260-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/260-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/260-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/564-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1156-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1156-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-109-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/2288-56-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2288-17-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2784-167-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3268-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3268-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3696-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4368-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4444-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4444-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4580-203-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4976-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4976-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4992-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download