isrstealer | 1ea24c494567b22d017f86556288372e708d7cfacd45472aa45568bd5102b271

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-12-2023 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a99b1e48221b678c4da6621cc645bf0f.exe
Size

697KB
MD5

a99b1e48221b678c4da6621cc645bf0f
SHA1

abbf4d11dc1ea12cdb96a13ac3fb9c7978dc078b
SHA256

1ea24c494567b22d017f86556288372e708d7cfacd45472aa45568bd5102b271
SHA512

ac15d68dfdc70224c698bd5515c60425d4ea202853e9504382ce950e31fa89213d132bac8cca8eec60d298ba20c6fdfb458b72450185a1b5d1e5f1fe9a0d86aa
SSDEEP

12288:tirqB1AG3coGYUoQdqqJ6/uxOuMve/VOPhfFDwYl2vzcBtMmcRpaBtDnegA+G9bp:IM1AGcoktdqX/u/kPNF9lkHmWaBtn2bp

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2968-59-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral1/memory/2968-66-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral1/memory/2968-63-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral1/memory/2968-253-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/676-156-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/676-259-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2668-110-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/2668-110-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/676-156-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1592-155-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral1/memory/1592-160-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral1/memory/676-259-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 8 IoCs

pid	Process
2692	Keygen.exe
2804	xxxxxx.exe
1388	xxxxxx.exe
2968	xxxxxx.exe
1712	xxxxxx.exe
2668	xxxxxx.exe
1592	xxxxxx.exe
676	xxxxxx.exe

Loads dropped DLL 32 IoCs

pid	Process
2996	a99b1e48221b678c4da6621cc645bf0f.exe
2692	Keygen.exe
2692	Keygen.exe
2996	a99b1e48221b678c4da6621cc645bf0f.exe
2996	a99b1e48221b678c4da6621cc645bf0f.exe
2804	xxxxxx.exe
2804	xxxxxx.exe
2804	xxxxxx.exe
2804	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
2804	xxxxxx.exe
2968	xxxxxx.exe
2968	xxxxxx.exe
2968	xxxxxx.exe
2968	xxxxxx.exe
1712	xxxxxx.exe
1712	xxxxxx.exe
1712	xxxxxx.exe
1712	xxxxxx.exe
1712	xxxxxx.exe
2668	xxxxxx.exe
2668	xxxxxx.exe
2668	xxxxxx.exe
1712	xxxxxx.exe
1592	xxxxxx.exe
1592	xxxxxx.exe
1592	xxxxxx.exe
676	xxxxxx.exe
676	xxxxxx.exe
676	xxxxxx.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1388-35-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1388-33-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1388-39-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1388-42-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1388-48-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1388-51-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1388-50-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1592-127-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/676-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/676-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1592-155-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1388-154-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1592-160-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1388-166-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/676-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	xxxxxx.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 1388	2804	xxxxxx.exe	32
PID 2804 set thread context of 2968	2804	xxxxxx.exe	34
PID 2968 set thread context of 1712	2968	xxxxxx.exe	36
PID 1712 set thread context of 2668	1712	xxxxxx.exe	37
PID 1712 set thread context of 1592	1712	xxxxxx.exe	38
PID 1712 set thread context of 676	1712	xxxxxx.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2664	ipconfig.exe
2952	ipconfig.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	xxxxxx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	xxxxxx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	xxxxxx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xxxxxx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xxxxxx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xxxxxx.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
2968	xxxxxx.exe
2968	xxxxxx.exe
2968	xxxxxx.exe
2968	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe
1388	xxxxxx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	xxxxxx.exe
Token: SeRestorePrivilege	2968	xxxxxx.exe
Token: SeBackupPrivilege	2968	xxxxxx.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2804	xxxxxx.exe
1388	xxxxxx.exe
2968	xxxxxx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2692	2996	a99b1e48221b678c4da6621cc645bf0f.exe	28
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2996 wrote to memory of 2804	2996	a99b1e48221b678c4da6621cc645bf0f.exe	29
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 2664	2804	xxxxxx.exe	30
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 2804 wrote to memory of 1388	2804	xxxxxx.exe	32
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 1388 wrote to memory of 2952	1388	xxxxxx.exe	33
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2804 wrote to memory of 2968	2804	xxxxxx.exe	34
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36
PID 2968 wrote to memory of 1712	2968	xxxxxx.exe	36

C:\Users\Admin\AppData\Local\Temp\a99b1e48221b678c4da6621cc645bf0f.exe
"C:\Users\Admin\AppData\Local\Temp\a99b1e48221b678c4da6621cc645bf0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
      "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        
        PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba4817a7d4535e15eff29532061425a0

SHA1
754de91a7568cd6deae38ed4c63b174ab3c6f98a

SHA256
06b94fc4bb87f1ac9b848748d38b79f348821415b6421e035dac259047b0d1ed

SHA512
0ccd3555aa488728c93533d4bae91f06afc7a64a99a3a140f84e55c0cd0e2f527a22b4cd7b224e0d699c9d856879ccb3f1cd733f91782764c56a69f49f475a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC1CB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
22KB

MD5
ac23304617efaf6ec4a266392840081d

SHA1
21c7dc4216fdecc7a455dc3177dfcc04919d8816

SHA256
01698271ac944c79831d272fbf26a4cc1ffdf51ca11ccc56dfe44ed16a31235f

SHA512
2de8b09ce33b2531d3892b6f9033b7e55871a36954b3cbca3ad527502570cc2ab1b5954f01fe01fb3f84c64aabfda1c0d4706210cb11ecb22e42ee7490094fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC289.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
8KB

MD5
59bf68e01dc88ac3b64fe52f70bb9a51

SHA1
2f45a8b09f1461b911752aac1f9ad36f697b22ef

SHA256
9a2f8609d08ac426b3b8600477f3c1d4a86725467493cd8b1085947047dc05bd

SHA512
df9dfbec380d30fd2cc1603e33fbe665b272007af735eb44d5fd1d2b7d418e7028e85ab5084070797e8c6048a9c8d678944673f735b3b195e408c4685bfdeb45

Download Submit
\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
217KB

MD5
df5a77b4574b4034aa7bb632d80bcf98

SHA1
18b02e09b573806a4c14919755aea053a48846a7

SHA256
5734ec906648d40a255b5e22e77fea99f1bb2cc237dc506549a5259e9f0da08c

SHA512
4833e80cc50349ec37af8f408841687db4ce5b66fe185b12d7c564f5f45799bea6a35adbf655d2630436be246a6bb7a91dd2cf50c552848b24895b7dfa21506a

Download Submit
\Users\Admin\AppData\Local\Temp\xxxxxx.exe

Filesize
548KB

MD5
4d6bc1d7974c06161e1ed65c7f0a20a8

SHA1
1a98ef9a70d39f916a81e0e8c9cf95c8c145744b

SHA256
024140fb411c120a4f7bdab9a46959b60da178910106bd0d73196a479243947c

SHA512
c2d1b78364de65346e64e0fd0bed87c4ab110de1e03705b68489503f5069053a647d478c7b0c5217cc8f9f40fe39deceb2c809a714a92ffc8c741d273799e5ee

Download Submit
\Users\Admin\AppData\Local\Temp\xxxxxx.exe

Filesize
92KB

MD5
10a6908f282d02ce81278b76a9c183eb

SHA1
054eead40d89a9294961facd8e5ce0daff963ae9

SHA256
9f8ea3a111f936d5a4d7d0b444f28673a1177f07dcec3773e17a9e083145afa4

SHA512
fb0338a51419562aa30665a45f6a0e34bf0eccc25d144c66b2ba7a49d6f70d6de6d1baba9635372b38780cf90281cc0c15ec7d25c9c43d4d1b4a68c921254045

Download Submit
\Users\Admin\AppData\Local\Temp\xxxxxx.exe

Filesize
223KB

MD5
7226de31f6ee762d2d28e9b2da7a72fd

SHA1
0992c49aeb509340dc70745515cfae0775033a88

SHA256
ccc039d7dbb2b0f3c4a8a4a9d8f77aa6f6e20bd8bdfff5fa0609e8008293a4b1

SHA512
cc7c020e344634c554848d5955f0e248f8d6233b4fc28bcc9088734ca22918a4688c3cfa898dc69d4eb3c5e2299d08896cefa5f9a61964e8306241de9156de1b

Download Submit
memory/676-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/676-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/676-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1388-42-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-166-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-50-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-154-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1388-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-113-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1592-155-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1592-160-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1592-127-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-139-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-85-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-73-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-75-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-77-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-103-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-101-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-99-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-97-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-92-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-91-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-83-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-81-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-104-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2668-110-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2668-106-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2692-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2692-277-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2692-13-0x0000000000240000-0x000000000029A000-memory.dmp

Filesize
360KB

Download
memory/2692-14-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2692-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2692-43-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2804-29-0x0000000002E80000-0x000000000393A000-memory.dmp

Filesize
10.7MB

Download
memory/2968-66-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2968-55-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2968-59-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2968-253-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2968-57-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2968-63-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2996-5-0x0000000002690000-0x00000000026EA000-memory.dmp

Filesize
360KB

Download