Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-01-2025 01:03
General
-
Target
DOCUMENT.exe
-
Size
941KB
-
MD5
752ce2568a7b41a0fcbbc5f417ffccc3
-
SHA1
864e7e6514a207df0b70066eecd6126becb1ff09
-
SHA256
7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e
-
SHA512
70e58cde454e360df36784f48b2795a96d4f8fadc797d6667bff73a4b217518584177972398eaa5d12d082301ee8bd37c148d05b0da39ffb51b5da6650f84538
-
SSDEEP
12288:5at0EAH49n8B7CnN/j2+T0BWLkGLbWgNIwY6Cuw78YOJEn1GUEVQqYHQFOH9LPsN:It24RNj2+TGqkOhNSu68GGUEtsh7N10N
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 6 IoCs
-
Isrstealer family
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
-
Detected Nirsoft tools 2 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AcrbRd32.exe"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI2⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\GfIJCcLihM.ini"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\bjVbHkd0yH.ini"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 805⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AcrbRd32.exe"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI4⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\wPfPRT9BWB.ini"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\BzgD1kpnQQ.ini"6⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AcrbRd32.exe"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI6⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\6MZSuFIJUC.ini"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\JF3hhL9SYe.ini"8⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AcrbRd32.exe"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 928 -ip 9281⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
915KB
MD5e01ced5c12390ff5256694eda890b33a
SHA10bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA25666c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA51293a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
778B
MD51424229d31e7d66f07c59008e25a141d
SHA1300390e5819cf9bf5841e2abee761a73bac7a217
SHA25626b2246f12f17391a1462741fe8cc10db5d601f28dbdb2a93b9065864ee62b59
SHA512741d3ea5bd61966c900e3dcf50e01425b7ed58454af3a4610e936e367af25e096d409a5667ea6c7497281108a19e67beeddb2e43920710047870356c61fda866
-
Filesize
176B
MD51228f4d84a443e3d51b75f8eb64c1512
SHA1b50c2d7b56347eff07caaa9cb5a4e03e21efd17f
SHA2565fb2f55f742ac03bd5a3abe456d0d20759d7edfe28019d7c1e537207371b51e1
SHA512eb31a83149d55af2693e4658217dbbc510b0972be26ade4d9141f9a7693fff41d0cac68c94f5a7c4025acf77f0bce9ecf184345f6a125c1f8144b5922e9469be
-
Filesize
260KB
MD5ed3eca3289c83b6d3c968b39c7c5b62a
SHA12c61640cc67926638e7584a4045e7d29cb95b0ba
SHA2562242aee6f8ecb743d05f06dddd20545d833bf1b11362b9f8cead0b2791eb8ecc
SHA512ebb5ad68773bf5566ae7c2f93a667224a3060b18bbbf1638eb59c0a49475c3fc9d797ed77ed0895dcf5fdf1e6d37706dc0965db54828f496c6b92868206fdb36
-
Filesize
32.7MB
MD59e013adda1d29031a077de6f7d5f4611
SHA130af3e0fd8de2a3a80ca8e00784724bb50ca572e
SHA256653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0
SHA5120e33d6670e88047509bf28c0e3c64327bf35d397908367b15404ac858e8f0506f38e2705f19aec32c74f49f7ba1dfc6fafa92ea0c8b285102990fbdd1f43c76d
-
Filesize
89B
MD5a12b2136ef3b5697cff8528aafc904fe
SHA1d911834b5f8b0c7b71f4f8e2258d510c1e42e9e9
SHA2560738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c
SHA51299d58123ce2dbcc8a702da42c6bf8a2d2f1ee0bd5e4eba8f43da0ee757ca074fb3c57546ee103b4976109fdb7d7a0ad59cf2da75f4becde22055db315d8bdb47
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
264KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB