Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-09-2024 01:28
Static task: static1
Behavioral task: behavioral1
- Sample: 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
- Resource: win10v2004-20240802-en
General
- Target: 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
- Size: 768KB
- MD5: 709f31cce8fb596fb211ecb532ac3320
- SHA1: 0b4fd56473ade74d74d3831fe4674188a0623971
- SHA256: 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590
- SHA512: 65fef446f3bbb1b1047f2537021977573eeb6d854a753e6c479035880022eef6164ad42535239acf4145411d533f5692d37e939bec7eaeea25a92beadbbae436
- SSDEEP: 6144:mgxilHZyojpSVOfkNvR/XwSFXHw5sKxGhjuZxerwfJcWVPwt+Verd1cIJYvvB:2lYkCRv5FX8sKxGhyyk6TcIJYvvB
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (2 IoCs)
  resource → yara_rule
  - behavioral1/memory/744-47-0x0000000000150000-0x0000000000192000-memory.dmp → family_isrstealer
  - behavioral1/memory/744-48-0x0000000000150000-0x0000000000192000-memory.dmp → family_isrstealer
- Executes dropped EXE (2 IoCs)
  pid → Process
  - 2392 → app.exe
  - 744 → app.exe
- Loads dropped DLL (1 IoC)
  pid → Process
  - 2280 → 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process
  - Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" / 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target
  - PID 2392 set thread context of 744 / 2392 / app.exe / 31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / app.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid → Process
  - 2280 → 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe (6 events)
  - 2392 → app.exe (6 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process
  - Token: SeDebugPrivilege / 2280 / 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
  - Token: SeDebugPrivilege / 2392 / app.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target
  - PID 2280 wrote to memory of 2392 / 2280 / 20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe / 30 (4 events)
  - PID 2392 wrote to memory of 744 / 2392 / app.exe / 31 (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20183e553792ae6197e8c687be18a66f742c03f7a4f056104352c01b43832590N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2280
  - C:\Users\Admin\AppData\Roaming\app.exe
    Command line: "C:\Users\Admin\AppData\Roaming\app.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2392
    - C:\Users\Admin\AppData\Roaming\app.exe
      Command line: "C:\Users\Admin\AppData\Roaming\app.exe"
      - Executes dropped EXE
      PID: 744
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3e44acdb6ecc946fdbf2a9dab6b59f1e
  SHA1: 081ac0eef63542a0ce2cfd1cd88d74cd07cd31c4
  SHA256: 9ca6995d5d6d0cc0e17f9f522894b9a8b428bebcb7bf947270094c9cae02d3ea
  SHA512: 1abc35e1e021fa5f16db7494424767a0e84864d1691474a69aa6540bc71d94f0a22bb59d447b651fe592c1ba0481e1b4c5c57db29526d433f066d6d40bc4f2d6
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 773KB
  MD5: c872d3a5959bdb496b02c593429ebf6b
  SHA1: 4e10f4060f0b18bea7a2ff36320b4327b570086e
  SHA256: d823d110171c8f487e289802aaeb0a646f5d62c97fec91a276b2392abae75e9c
  SHA512: 563afbad87ef10fd11f0ab8cf9a5baaeabb5777f41a88edd29bfa9368d172777c71834eb04e8e2c4e92f42f895796c190c13a74083ad4e3830863700843f0eb6