isrstealer | cbf4704f11c6d4a57c374d2333f76eacef1d8ed7929a1af1f43ed4e5eaabf958

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
Size

1.5MB
MD5

216ca65ab4e45f62e1feb9ec72cadaf0
SHA1

4c15261de134999b8ddc318886057fb4ea7517e6
SHA256

cbf4704f11c6d4a57c374d2333f76eacef1d8ed7929a1af1f43ed4e5eaabf958
SHA512

62dfea4e8b38802c9163fddc92904fcfaad70a05310433ec55c6e4d69d014a086f981756d415aeaa9540b399b00b82cc19db096cf563e8045fb986e38fe1694f
SSDEEP

24576:NKoFi8yx1uJVsxu/XvcAcb5UPWbApAQCVZPkTfvAGBQDQYr2bs:NKiiPx1oVsUfcVFU+bApqVebHBQsYC

Score

10^/10

isrstealer collection discovery persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1148-28-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1148-30-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1148-39-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1148-40-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Executes dropped EXE 2 IoCs

pid	Process
2900	RHPIBA~1.EXE
4528	WhTX.exe

Accesses Microsoft Outlook accounts 1 TTPs 12 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023c8a-3.dat	autoit_exe

Suspicious use of SetThreadContext 44 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 1148	4528	WhTX.exe	88
PID 1148 set thread context of 2792	1148	RegSvcs.exe	89
PID 1148 set thread context of 4960	1148	RegSvcs.exe	94
PID 4528 set thread context of 3324	4528	WhTX.exe	96
PID 3324 set thread context of 728	3324	RegSvcs.exe	97
PID 3324 set thread context of 1956	3324	RegSvcs.exe	99
PID 4528 set thread context of 4512	4528	WhTX.exe	100
PID 4512 set thread context of 3148	4512	RegSvcs.exe	101
PID 4512 set thread context of 4112	4512	RegSvcs.exe	103
PID 4528 set thread context of 2768	4528	WhTX.exe	108
PID 2768 set thread context of 1996	2768	RegSvcs.exe	109
PID 2768 set thread context of 1044	2768	RegSvcs.exe	112
PID 4528 set thread context of 856	4528	WhTX.exe	113
PID 856 set thread context of 4640	856	RegSvcs.exe	114
PID 856 set thread context of 3968	856	RegSvcs.exe	116
PID 4528 set thread context of 3216	4528	WhTX.exe	117
PID 3216 set thread context of 4848	3216	RegSvcs.exe	118
PID 3216 set thread context of 2944	3216	RegSvcs.exe	121
PID 4528 set thread context of 1060	4528	WhTX.exe	123
PID 1060 set thread context of 3956	1060	RegSvcs.exe	124
PID 1060 set thread context of 3240	1060	RegSvcs.exe	126
PID 4528 set thread context of 116	4528	WhTX.exe	127
PID 116 set thread context of 3920	116	RegSvcs.exe	128
PID 116 set thread context of 3296	116	RegSvcs.exe	130
PID 4528 set thread context of 1336	4528	WhTX.exe	133
PID 1336 set thread context of 3452	1336	RegSvcs.exe	134
PID 1336 set thread context of 4412	1336	RegSvcs.exe	136
PID 4528 set thread context of 2528	4528	WhTX.exe	137
PID 2528 set thread context of 3924	2528	RegSvcs.exe	138
PID 2528 set thread context of 1636	2528	RegSvcs.exe	141
PID 4528 set thread context of 1704	4528	WhTX.exe	142
PID 1704 set thread context of 1560	1704	RegSvcs.exe	143
PID 1704 set thread context of 4864	1704	RegSvcs.exe	145
PID 4528 set thread context of 1220	4528	WhTX.exe	148
PID 1220 set thread context of 4292	1220	RegSvcs.exe	149
PID 1220 set thread context of 3632	1220	RegSvcs.exe	151
PID 4528 set thread context of 1380	4528	WhTX.exe	152
PID 1380 set thread context of 2036	1380	RegSvcs.exe	153
PID 1380 set thread context of 4988	1380	RegSvcs.exe	156
PID 4528 set thread context of 2656	4528	WhTX.exe	159
PID 2656 set thread context of 2292	2656	RegSvcs.exe	160
PID 2656 set thread context of 4052	2656	RegSvcs.exe	163
PID 4528 set thread context of 5080	4528	WhTX.exe	164
PID 5080 set thread context of 4012	5080	RegSvcs.exe	165

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4960-34-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4960-35-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4960-37-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/728-45-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/728-46-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/728-48-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/728-49-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1956-53-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1956-55-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3656	2792	WerFault.exe	89
212	4848	WerFault.exe	118
4928	3296	WerFault.exe	130
892	3924	WerFault.exe	138
1164	2036	WerFault.exe	153
2892	4988	WerFault.exe	156
2944	2292	WerFault.exe	160
4724	4012	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RHPIBA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WhTX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
2900	RHPIBA~1.EXE
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe
4528	WhTX.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1148	RegSvcs.exe
3324	RegSvcs.exe
4512	RegSvcs.exe
2768	RegSvcs.exe
856	RegSvcs.exe
3216	RegSvcs.exe
1060	RegSvcs.exe
116	RegSvcs.exe
1336	RegSvcs.exe
2528	RegSvcs.exe
1704	RegSvcs.exe
1220	RegSvcs.exe
1380	RegSvcs.exe
2656	RegSvcs.exe
5080	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2900	2624	216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe	84
PID 2624 wrote to memory of 2900	2624	216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe	84
PID 2624 wrote to memory of 2900	2624	216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe	84
PID 2900 wrote to memory of 4528	2900	RHPIBA~1.EXE	87
PID 2900 wrote to memory of 4528	2900	RHPIBA~1.EXE	87
PID 2900 wrote to memory of 4528	2900	RHPIBA~1.EXE	87
PID 4528 wrote to memory of 1148	4528	WhTX.exe	88
PID 4528 wrote to memory of 1148	4528	WhTX.exe	88
PID 4528 wrote to memory of 1148	4528	WhTX.exe	88
PID 4528 wrote to memory of 1148	4528	WhTX.exe	88
PID 4528 wrote to memory of 1148	4528	WhTX.exe	88
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 2792	1148	RegSvcs.exe	89
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 1148 wrote to memory of 4960	1148	RegSvcs.exe	94
PID 4528 wrote to memory of 3324	4528	WhTX.exe	96
PID 4528 wrote to memory of 3324	4528	WhTX.exe	96
PID 4528 wrote to memory of 3324	4528	WhTX.exe	96
PID 4528 wrote to memory of 3324	4528	WhTX.exe	96
PID 4528 wrote to memory of 3324	4528	WhTX.exe	96
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 728	3324	RegSvcs.exe	97
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 3324 wrote to memory of 1956	3324	RegSvcs.exe	99
PID 4528 wrote to memory of 4512	4528	WhTX.exe	100
PID 4528 wrote to memory of 4512	4528	WhTX.exe	100
PID 4528 wrote to memory of 4512	4528	WhTX.exe	100
PID 4528 wrote to memory of 4512	4528	WhTX.exe	100
PID 4528 wrote to memory of 4512	4528	WhTX.exe	100
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 3148	4512	RegSvcs.exe	101
PID 4512 wrote to memory of 4112	4512	RegSvcs.exe	103
PID 4512 wrote to memory of 4112	4512	RegSvcs.exe	103
PID 4512 wrote to memory of 4112	4512	RegSvcs.exe	103

C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\WhTX.exe
    "C:\Users\Admin\AppData\Roaming\WhTX.exe" "C:\Users\Admin\AppData\Roaming\iXZCO"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\RWZ2VMBvk6.ini"
        5⤵
        
        PID:2792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 80
        6⤵
        Program crash
        
        PID:3656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\9Vv8IqpyQr.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\5EUAPpKuc9.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\FYkjEt8chL.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Nku1ZAn7Cj.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\KdUeDnut6U.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2768
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TmjcVD7lUD.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ppoq2zG34I.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:856
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\YrSWU7t2tM.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\381xZsBU4E.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3216
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NAKgk3n4X9.ini"
        5⤵
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 80
        6⤵
        Program crash
        
        PID:212
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ti0qM6kA1T.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1rFoeWw2PC.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\OuK3BI5KzG.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3240
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:116
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\7wyjdQiJoL.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\81smreuDB5.ini"
        5⤵
        
        PID:3296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 80
        6⤵
        Program crash
        
        PID:4928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1336
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\OSOZnlAWPv.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ATuRYcsaDU.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2528
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\UVEAjoUAgP.ini"
        5⤵
        
        PID:3924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 80
        6⤵
        Program crash
        
        PID:892
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\CUaGWH7CMA.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1704
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\OHWU7c7y6c.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\h6Oz0xjU63.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1220
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\0Ab2Fznhgd.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\HgcOUL0G0h.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1380
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4taVW4iOIk.ini"
        5⤵
        
        PID:2036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 80
        6⤵
        Program crash
        
        PID:1164
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\mswbKYLQxV.ini"
        5⤵
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 80
        6⤵
        Program crash
        
        PID:2892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\RqXClRSkX5.ini"
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 80
        6⤵
        Program crash
        
        PID:2944
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\UDYyWvIICH.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5080
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\dMowoMVAa0.ini"
        5⤵
        
        PID:4012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 80
        6⤵
        Program crash
        
        PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4848 -ip 4848
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3296 -ip 3296
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3924 -ip 3924
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2036 -ip 2036
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4988 -ip 4988
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2292 -ip 2292
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5EUAPpKuc9.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE

Filesize
1.8MB

MD5
98c4f8e6cbf337a38504887861d63714

SHA1
a8988859b8d4b976680ee35c3598289fefdbc875

SHA256
6441cf49b87dc4b5e43fcbbf20c12efef3ba2ad9aebc4fbe10ac22c341ea67f2

SHA512
d5c316b36360576dfbffb53f513c618bfadff33f670878ccb4f46f3965c8ca308e8843be6d5ef942f04eb31277ae63a830662e156afe323b88d90592850af8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WhTX1

Filesize
915KB

MD5
4744edba858885bfe4d513e5ba6030ac

SHA1
7706ebc3097465571daf5bc0c26721a79e8b50c2

SHA256
b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b

SHA512
14cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iXZCO

Filesize
492KB

MD5
af639e2097d320f5f1ab120d810da850

SHA1
2bd6e743fd19ce4c581cc53ab91314d45abf6044

SHA256
9e46e54f04d7a8642419db4f3e6d891476d2e1ddd2c339a2e87f82d11be221cc

SHA512
e5ea9c6b372be020eafe33214d1bdcb12358dbe2f47f63ca70039c1863a588d78a233478bb3712ef7ad7228f84470ec9aec34b2d1f50429cf7931760d3effb1c

Download Submit
C:\Users\Admin\AppData\Roaming\WhTX.exe

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Roaming\iXZCO

Filesize
369KB

MD5
3fcf27371696b46d07890a695f75f394

SHA1
bc58d4d7e64925b273acb91d9a15f9da62efc845

SHA256
9d0d58afacd8a5b08c2c8d0be5eee42f75d148d8de42b49914f8a390fbcf05ca

SHA512
06b5fc740bfe94520dbe349cb42e957cf0cd05c80224fb53b341b86d1eb101f6706fcd7234bbc06ce4ad8333010eab427685d5184031cb4e441de88d3929b896

Download Submit
memory/728-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1148-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download