Overview

overview

10

Static

static

3

[Suamaytin...60.exe

windows7-x64

3

[Suamaytin...60.exe

windows10-2004-x64

3

[Suamaytin...MS.exe

windows7-x64

10

[Suamaytin...MS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [Suamaytinhtainha115.VN] Windows 8 Loader/KMS.exe

  • Size

    276KB

  • MD5

    b8b585877875c3679754094ad1449c08

  • SHA1

    52a9df4e81d77a40f84e5cd2f192653da9eb80fb

  • SHA256

    12bd99618398b770106d8f0ecdbaa217cf9ba03c83bd24dbff4e7515f9d74ee6

  • SHA512

    4e83134e1ba25dc96ca75300dac182e82f0a281c602558327bc8838566643bb0bd31b68e437d230f71b10efa9a78cf8c673e3033b2de1d5406701b9470155c19

  • SSDEEP

    6144:CdhyTMe7zdIKCC0ef//uXltKc+LVsz9b894jvLXo6Jdmz:GutzdFeCXuLKcCVsz6ODLXo6K

Score
10/10
isrstealercollectiondiscoveryspywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 4 IoCs
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[Suamaytinhtainha115.VN] Windows 8 Loader\KMS.exe
    "C:\Users\Admin\AppData\Local\Temp\[Suamaytinhtainha115.VN] Windows 8 Loader\KMS.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\spnls.exe
      "C:\Users\Admin\AppData\Local\Temp\spnls.exe" cvtres.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\tDINmbHDEi.ini"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1756
        • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\UXfUY8liTk.ini"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:1792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    Filesize

    1024B

    MD5

    54b1c45da8980b32759042e2c3c78dfb

    SHA1

    11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

    SHA256

    9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

    SHA512

    73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\spnls.exe
    Filesize

    259KB

    MD5

    030c425475913c419d2233c765eee6a5

    SHA1

    f1397a237c242dcda4b315c3e990b3e534c6e3c9

    SHA256

    1c8c5b5a623265d776c642708eeb5251bdcfde913f928c6369ab8121189fa8a7

    SHA512

    ec901e822272a8a7e2e24d782d5f6796b5a31294c5ef42488f671071467afd894cd5807e263808f584970d42663e1e2c809c325aeee82fbdee9f27e44026462d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tDINmbHDEi.ini
    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    Download Submit

  • memory/1756-33-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1756-37-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1756-34-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1756-30-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1756-35-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1792-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1792-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1792-42-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1792-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1792-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2512-17-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2512-28-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2512-18-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2512-15-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4228-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4228-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4228-40-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4228-50-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4820-0-0x0000000075422000-0x0000000075423000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4820-16-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4820-2-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4820-1-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download