Overview

overview

10

Static

static

3

3e38444ba9...bN.exe

windows7-x64

10

3e38444ba9...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe

  • Size

    389KB

  • MD5

    7b8ca19e8b7133aa8de06bc67e686330

  • SHA1

    f347e1868be50a71042d9498955bc9ce48fef47a

  • SHA256

    3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469b

  • SHA512

    b4fd99b080d780d127e9384b52f78e309a4efd38aaa870f8fb52ca896db4c3c12cc581aac11a75ff8de8ddade43dffc76e38b99b8623fbda906bfcb637d6de62

  • SSDEEP

    6144:JtEVpyJD+zjjSKDCmSam8xOPC4sOwMrSWtDYR3x0/9Yz1i:JtEVpyJyzjjJ4aBmCQr50uF

Score
10/10
isrstealercollectiondiscoveryspywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 4 IoCs
  • Isrstealer family
    isrstealer
  • Detected Nirsoft tools 4 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 18 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 6 IoCs
    collection
  • Suspicious use of SetThreadContext 27 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
    "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
      "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\JPPyBpH9b2.ini"
        3⤵
          PID:1876
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 80
            4⤵
            • Program crash
            PID:4048
        • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\tmadILoVIi.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:5108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsvc.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsvc.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4004
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\uCMEFBYOfO.ini"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3420
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\nhxArI6GAi.ini"
              5⤵
              • Executes dropped EXE
              PID:3660
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 80
                6⤵
                • Program crash
                PID:392
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsvc.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsvc.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4676
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4372
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\y3b42rJh5E.ini"
              5⤵
              • Executes dropped EXE
              PID:3560
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 80
                6⤵
                • Program crash
                PID:1644
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\HZRVM4oxfZ.ini"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:3928
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4584
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\H14U8TssvZ.ini"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:244
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\kZ8Ous54VT.ini"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4108
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4288
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\wtq3oKhH4z.ini"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4524
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\nhy61oWzzH.ini"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4460
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            PID:4412
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            PID:4704
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe"
            4⤵
            • Executes dropped EXE
            PID:4888
      • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
        "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\3jj7aAcDCo.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3892
        • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\rsIVgBJzr2.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:3484
      • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
        "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
        2⤵
          PID:1692
        • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
          "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
          2⤵
            PID:1572
          • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
            "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
            2⤵
              PID:4064
            • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
              "C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1732
              • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\Uaoxf3YVxe.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4408
              • C:\Users\Admin\AppData\Local\Temp\3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469bN.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\eVQ7qigu7F.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:4612
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876
            1⤵
              PID:3020
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3660 -ip 3660
              1⤵
                PID:4368
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3560 -ip 3560
                1⤵
                  PID:2284

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\udpsvc.exe.log
                  Filesize

                  128B

                  MD5

                  a5dcc7c9c08af7dddd82be5b036a4416

                  SHA1

                  4f998ca1526d199e355ffb435bae111a2779b994

                  SHA256

                  e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

                  SHA512

                  56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\3jj7aAcDCo.ini
                  Filesize

                  5B

                  MD5

                  d1ea279fb5559c020a1b4137dc4de237

                  SHA1

                  db6f8988af46b56216a6f0daf95ab8c9bdb57400

                  SHA256

                  fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

                  SHA512

                  720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmgr.exe
                  Filesize

                  389KB

                  MD5

                  7b8ca19e8b7133aa8de06bc67e686330

                  SHA1

                  f347e1868be50a71042d9498955bc9ce48fef47a

                  SHA256

                  3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469b

                  SHA512

                  b4fd99b080d780d127e9384b52f78e309a4efd38aaa870f8fb52ca896db4c3c12cc581aac11a75ff8de8ddade43dffc76e38b99b8623fbda906bfcb637d6de62

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsvc.exe
                  Filesize

                  11KB

                  MD5

                  fc2e803e85d0c50ab6227dd79340f205

                  SHA1

                  122bf356ce10cb75d0a6b86ae921b9abc746487c

                  SHA256

                  6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

                  SHA512

                  8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

                  Download Submit

                • memory/1040-13-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                  Download

                • memory/1040-39-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                  Download

                • memory/1040-8-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                  Download

                • memory/1040-10-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                  Download

                • memory/1520-29-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1520-30-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1520-31-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1520-48-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-1-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-4-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-5-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2080-32-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-2-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-66-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2080-3-0x00000000750E2000-0x00000000750E3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3420-76-0x0000000000400000-0x0000000000453000-memory.dmp

                  Filesize

                  332KB

                  Download

                • memory/3420-75-0x0000000000400000-0x0000000000453000-memory.dmp

                  Filesize

                  332KB

                  Download

                • memory/3484-52-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/3484-51-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/3892-44-0x0000000000400000-0x0000000000453000-memory.dmp

                  Filesize

                  332KB

                  Download

                • memory/3892-46-0x0000000000400000-0x0000000000453000-memory.dmp

                  Filesize

                  332KB

                  Download

                • memory/3892-45-0x0000000000400000-0x0000000000453000-memory.dmp

                  Filesize

                  332KB

                  Download

                • memory/3928-106-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/3928-105-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/4612-91-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/4612-92-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/4636-25-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4636-38-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4636-65-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4636-37-0x00000000750E2000-0x00000000750E3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4636-36-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4636-26-0x00000000750E0000-0x0000000075691000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4636-24-0x00000000750E2000-0x00000000750E3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4704-139-0x0000000000400000-0x0000000000402000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/5108-35-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/5108-34-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/5108-33-0x0000000000400000-0x000000000041F000-memory.dmp

                  Filesize

                  124KB

                  Download