isrstealer | d58398ecd1091925a638caafa666f471712a6cba1431acbe4b480f577054c6f9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
Size

480KB
MD5

07a8a3dfe4e53f65dab43c5077028598
SHA1

9af613fa8b8bc6f995f023b69ff8d3bfe2ae0b30
SHA256

d58398ecd1091925a638caafa666f471712a6cba1431acbe4b480f577054c6f9
SHA512

5131af3fd715e4be7cf4160dd792eee4449405cb8821d8cb1c5be7203ecd94f6087f2acec564de43757f823266ec9ba7e95f2e0751bdeffd513a70c54aaa90cd
SSDEEP

12288:xD6anAVrdVutS3wSgc0JACyb1yUhg2SGDWNw4:dPAdNjiACyb1yUh+Gkx

Score

10^/10

isrstealer collection discovery persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1636-12-0x0000000000400000-0x0000000000477000-memory.dmp	family_isrstealer
behavioral2/files/0x000700000002343b-28.dat	family_isrstealer
behavioral2/memory/1636-73-0x0000000000400000-0x0000000000477000-memory.dmp	family_isrstealer
behavioral2/memory/700-121-0x0000000000400000-0x0000000000477000-memory.dmp	family_isrstealer

Detected Nirsoft tools 14 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/384-48-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/1816-67-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1192-69-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/1816-62-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1192-57-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/1192-54-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/384-52-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/384-56-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/2148-113-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/5072-117-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1648-108-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/1648-106-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/2148-105-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/5072-119-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1816-67-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1816-62-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/5072-117-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/5072-119-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/384-48-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/384-52-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/384-56-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/1648-108-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/1648-106-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F8T5DR2-TT3F-JL70-EMN6-EE777T44A6D6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F8T5DR2-TT3F-JL70-EMN6-EE777T44A6D6}	svchost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 13 IoCs

pid	Process
3896	svchost.exe
4428	VQBVR.exe
1800	VQBVR.exe
384	VQBVR.exe
1192	VQBVR.exe
1816	VQBVR.exe
700	svchost.exe
4392	svchost.exe
2192	YSDXT.exe
3684	YSDXT.exe
1648	YSDXT.exe
2148	YSDXT.exe
5072	YSDXT.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	YSDXT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	VQBVR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piplilive = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 set thread context of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4428 set thread context of 1800	4428	VQBVR.exe	87
PID 1800 set thread context of 384	1800	VQBVR.exe	88
PID 1800 set thread context of 1192	1800	VQBVR.exe	89
PID 1800 set thread context of 1816	1800	VQBVR.exe	90
PID 3896 set thread context of 700	3896	svchost.exe	95
PID 3896 set thread context of 4392	3896	svchost.exe	96
PID 2192 set thread context of 3684	2192	YSDXT.exe	98
PID 3684 set thread context of 1648	3684	YSDXT.exe	99
PID 3684 set thread context of 2148	3684	YSDXT.exe	100
PID 3684 set thread context of 5072	3684	YSDXT.exe	101

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-9-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1636-12-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1636-8-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1816-61-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1816-67-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1192-69-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1636-73-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1816-62-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1816-58-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1192-57-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1192-54-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1192-53-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1192-50-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2148-113-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5072-117-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5072-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2148-105-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2148-104-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5072-119-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/700-121-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSDXT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VQBVR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VQBVR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSDXT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSDXT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VQBVR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VQBVR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSDXT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VQBVR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSDXT.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4428	VQBVR.exe
4428	VQBVR.exe
4428	VQBVR.exe
4428	VQBVR.exe
4428	VQBVR.exe
4428	VQBVR.exe
4428	VQBVR.exe
4428	VQBVR.exe
1192	VQBVR.exe
1192	VQBVR.exe
2192	YSDXT.exe
2192	YSDXT.exe
2192	YSDXT.exe
2192	YSDXT.exe
2192	YSDXT.exe
2192	YSDXT.exe
2192	YSDXT.exe
2192	YSDXT.exe
2148	YSDXT.exe
2148	YSDXT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	VQBVR.exe
Token: SeDebugPrivilege	2148	YSDXT.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
1636	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
3896	svchost.exe
4428	VQBVR.exe
700	svchost.exe
2192	YSDXT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1636	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	82
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 4092 wrote to memory of 4180	4092	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	83
PID 1636 wrote to memory of 4428	1636	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	85
PID 1636 wrote to memory of 4428	1636	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	85
PID 1636 wrote to memory of 4428	1636	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	85
PID 4180 wrote to memory of 3896	4180	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	84
PID 4180 wrote to memory of 3896	4180	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	84
PID 4180 wrote to memory of 3896	4180	07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe	84
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 4428 wrote to memory of 1800	4428	VQBVR.exe	87
PID 1800 wrote to memory of 384	1800	VQBVR.exe	88
PID 1800 wrote to memory of 384	1800	VQBVR.exe	88
PID 1800 wrote to memory of 384	1800	VQBVR.exe	88
PID 1800 wrote to memory of 384	1800	VQBVR.exe	88
PID 1800 wrote to memory of 384	1800	VQBVR.exe	88
PID 1800 wrote to memory of 1192	1800	VQBVR.exe	89
PID 1800 wrote to memory of 1192	1800	VQBVR.exe	89
PID 1800 wrote to memory of 1192	1800	VQBVR.exe	89
PID 1800 wrote to memory of 1192	1800	VQBVR.exe	89
PID 1800 wrote to memory of 1192	1800	VQBVR.exe	89
PID 1800 wrote to memory of 1816	1800	VQBVR.exe	90
PID 1800 wrote to memory of 1816	1800	VQBVR.exe	90
PID 1800 wrote to memory of 1816	1800	VQBVR.exe	90
PID 1800 wrote to memory of 1816	1800	VQBVR.exe	90
PID 1800 wrote to memory of 1816	1800	VQBVR.exe	90
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 700	3896	svchost.exe	95
PID 3896 wrote to memory of 4392	3896	svchost.exe	96
PID 3896 wrote to memory of 4392	3896	svchost.exe	96
PID 3896 wrote to memory of 4392	3896	svchost.exe	96
PID 3896 wrote to memory of 4392	3896	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\VQBVR.exe
    "C:\Users\Admin\AppData\Local\Temp\VQBVR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\VQBVR.exe
      "C:\Users\Admin\AppData\Local\Temp\VQBVR.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\VQBVR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VQBVR.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:384
    - - C:\Users\Admin\AppData\Local\Temp\VQBVR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VQBVR.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\VQBVR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VQBVR.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1816
- C:\Users\Admin\AppData\Local\Temp\07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07a8a3dfe4e53f65dab43c5077028598_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:700
    - - C:\Users\Admin\AppData\Local\Temp\YSDXT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YSDXT.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2192
      - C:\Users\Admin\AppData\Local\Temp\YSDXT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YSDXT.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\YSDXT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YSDXT.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\YSDXT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YSDXT.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\YSDXT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YSDXT.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:5072
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VQBVR.exe

Filesize
444KB

MD5
9d6dda4ff75e5647cb1d43e2c8f7258a

SHA1
e858b4265564dd6e1f7568a9460b46eabf98695d

SHA256
947cf434685721aa5ef17b0f210b11d2419b5731aaf6a3a4b465fd76319c21a3

SHA512
391d9b5980d9142c2d6671ad044c0dfe1bde1b8d4e3722e6e6f335259c6dee3347e290458b0bab4719ec384bb220d4ffed284cc45d165022c0cf21ccbed6caa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
480KB

MD5
07a8a3dfe4e53f65dab43c5077028598

SHA1
9af613fa8b8bc6f995f023b69ff8d3bfe2ae0b30

SHA256
d58398ecd1091925a638caafa666f471712a6cba1431acbe4b480f577054c6f9

SHA512
5131af3fd715e4be7cf4160dd792eee4449405cb8821d8cb1c5be7203ecd94f6087f2acec564de43757f823266ec9ba7e95f2e0751bdeffd513a70c54aaa90cd

Download Submit
memory/384-48-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/384-56-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/384-52-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/700-121-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1192-53-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1192-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1192-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1192-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1192-50-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1636-9-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-8-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-12-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1648-108-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1648-106-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1800-59-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1800-47-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1800-45-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1816-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2148-113-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2148-105-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2148-104-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-112-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4092-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4092-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/4092-4-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4092-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4180-36-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4180-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4180-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4392-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5072-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5072-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5072-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download