Analysis Overview
SHA256
f3afc877ab527a6fac21360eadc1da5c9401740323d2ddef5e3bc40bcef70525
Threat Level: Known bad
The file 2su0b91u.exe was found to be: Known bad.
Malicious Activity Summary
PhoenixStealer
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-05-10 14:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-10 14:42
Reported
2022-05-10 14:42
Platform
win7-20220414-en
Max time kernel
0s (the sample recorded no activity on the Windows 7 image: the Command Line, Signatures, Processes, Network and Files sections of this run are empty, so every finding below comes from the Windows 10 run, behavioral2)
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-10 14:42
Reported
2022-05-10 14:44
Platform
win10v2004-20220414-en
Max time kernel
144s
Max time network
138s
Command Line
Signatures
PhoenixStealer
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2360 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2360 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2360 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2360 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2360 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Five WriteProcessMemory calls from PID 2360 (2su0b91u.exe) into PID 1456 (AppLaunch.exe), together with the single SetThreadContext call on the same target, are consistent with the RunPE / process-hollowing sequence (ATT&CK T1055.012): the signed .NET host is started, the payload is written over its image, and a thread context is rewritten so execution begins at the payload's entry point. The 0x400000-0x48E000 dumps of PID 1456 listed under Files are that injected image. The two EnumeratesProcesses events are attributed to AppLaunch.exe because, once hollowed, the stealer payload rather than the benign host is what runs under that PID.
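The correlation an analyst does by eye on the two tables above (same source PID writing into and then re-pointing a thread of the same target PID) is easy to encode. The following is an added example written for this page, not the sandbox's own detection code: it replays the report's signature events (PID 2360 is 2su0b91u.exe, PID 1456 is AppLaunch.exe, five writes and one SetThreadContext) and raises one process-hollowing finding. The host-binary list beyond AppLaunch.exe and the ATT&CK labels are the author's assumptions.

```python
"""Correlate sandbox API-level signature events into a process-injection finding.

Added example for this page; it is not the sandbox's own detection code. The
EVENTS list is transcribed from the report's signature tables (PID 2360 is
2su0b91u.exe, PID 1456 is AppLaunch.exe). HOLLOWING_HOSTS beyond AppLaunch.exe
and the ATT&CK labels are the author's assumptions.
"""
from dataclasses import dataclass, field

STEALER = r"C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# (api, source pid, source image, target pid, target image); a None target means
# the call did not touch another process. Counts match the report's tables.
EVENTS = (
    [("WriteProcessMemory", 2360, STEALER, 1456, HOST)] * 5
    + [("SetThreadContext", 2360, STEALER, 1456, HOST)]
    + [("EnumeratesProcesses", 1456, HOST, None, None)] * 2
)

# Signed Windows/.NET binaries routinely started suspended and hollowed.
# AppLaunch.exe is the one in this report; the rest are assumptions.
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe", "vbc.exe"}


@dataclass
class InjectionFinding:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    write_count: int = 0
    context_count: int = 0
    tags: list = field(default_factory=list)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_injection(events):
    """Group cross-process calls by (source, target) PID pair.

    A pair where the source both wrote into the target and replaced one of its
    thread contexts is the RunPE / process-hollowing pattern (ATT&CK T1055.012):
    the payload is written over the host image and a thread is pointed at the
    new entry point before it runs. A write with no context change is reported
    as generic injection (T1055) so the analyst still sees it.
    """
    pairs = {}
    for api, spid, simg, tpid, timg in events:
        if tpid is None or tpid == spid:
            continue  # in-process activity (e.g. EnumeratesProcesses) is not injection
        finding = pairs.setdefault(
            (spid, tpid), InjectionFinding(spid, simg, tpid, timg))
        if api == "WriteProcessMemory":
            finding.write_count += 1
        elif api == "SetThreadContext":
            finding.context_count += 1

    findings = []
    for finding in pairs.values():
        if finding.write_count and finding.context_count:
            finding.tags.append("T1055.012")
            if basename(finding.target_image) in HOLLOWING_HOSTS:
                finding.tags.append("signed-host-abuse")
        elif finding.write_count:
            finding.tags.append("T1055")
        else:
            continue  # SetThreadContext alone (debugger-like) is not enough to call
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate_injection(EVENTS):
        print(f"{f.source_pid} ({basename(f.source_image)}) -> "
              f"{f.target_pid} ({basename(f.target_image)}): "
              f"{f.write_count} writes, {f.context_count} SetThreadContext, tags={f.tags}")
```

The same grouping works on Sysmon or ETW feeds: key on (source PID, target PID), require both a remote write and a thread-context change, and weight the result by whether the target is a signed host binary that has no business being written to.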
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe | "C:\Users\Admin\AppData\Local\Temp\2su0b91u.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc |
AppLaunch.exe launched with no arguments is the injection target from the signatures above (PID 1456). The svchost.exe instance hosts camsvc (Capability Access Manager Service), a Windows service; the report records no link between it and the sample.
Network
Repeated flows are aggregated; Count is the number of connections (or lookups) to that destination in the capture, listed in order of first appearance.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | api.msn.com | udp | 1 |
| US | 204.79.197.203:443 | api.msn.com | tcp | 1 |
| NL | 8.248.1.254:80 | | tcp | 1 |
| RU | 95.142.46.35:6666 | | tcp | 1 |
| NL | 52.178.17.3:443 | | tcp | 1 |
| IE | 20.54.110.249:443 | | tcp | 1 |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp | 1 |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp | 1 |
| NL | 104.97.14.80:80 | | tcp | 1 |
| NL | 104.97.14.81:80 | | tcp | 1 |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp | 1 |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp | 6 |
| US | 8.8.8.8:53 | tsfe.trafficshaping.dsp.mp.microsoft.com | udp | 1 |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp | 2 |
| US | 8.8.8.8:53 | dl.delivery.mp.microsoft.com | udp | 2 |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp | 3 |
| US | 8.8.8.8:53 | tlu.dl.delivery.mp.microsoft.com | udp | 1 |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp | 47 |
| US | 8.8.8.8:53 | 3.tlu.dl.delivery.mp.microsoft.com | udp | 1 |
| US | 67.24.25.254:80 | 3.tlu.dl.delivery.mp.microsoft.com | tcp | 5 |
| US | 8.8.8.8:53 | 4.tlu.dl.delivery.mp.microsoft.com | udp | 1 |
| NL | 87.248.202.1:80 | 4.tlu.dl.delivery.mp.microsoft.com | tcp | 3 |
| US | 13.107.21.200:443 | | tcp | 1 |
| US | 13.107.4.50:80 | dl.delivery.mp.microsoft.com | tcp | 2 |
| US | 8.8.8.8:53 | 2.tlu.dl.delivery.mp.microsoft.com | udp | 1 |
| NL | 104.110.191.204:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp | 1 |
Of the 88 rows in the original capture, 10 are DNS lookups to the sandbox resolver (8.8.8.8) and 71 are HTTP/HTTPS connections to Microsoft Store, Delivery Optimization (dl.delivery.mp.microsoft.com and its tlu mirrors) and MSN endpoints, which the Windows 10 image generates on its own and which should not be added to an indicator list. Six connections go to IP-literal destinations on 80/443 with no preceding lookup in the capture; the report does not attribute them to the sample. The one destination consistent with the Suricata "PhoenixStealer CnC Exfil" alert is 95.142.46.35:6666 (RU): no DNS lookup precedes it and it is the only non-web port contacted, so treat that address and port as the C2/exfiltration indicator.
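Separating the one sample-driven connection from the VM's own Store and Delivery Optimization traffic is the recurring chore with tables like this one. The following is an added example written for this page, not sandbox-vendor code: it parses a constructed subset of the Network table in the page's own layout (including rows where an empty Domain cell shifted `tcp` one column to the left), drops lookups and Microsoft background traffic, and flags the remaining destination. The background-suffix list and the choice of 80/443 as "expected" ports are the author's assumptions.

```python
"""Triage a sandbox Network table: split DNS lookups from flows, discard the
analysis VM's own background traffic, and flag what the sample itself did.

Added example for this page, not sandbox-vendor code. SAMPLE_TABLE is a
constructed subset of the report's table, kept in the page's own layout
(including the rows where an empty Domain cell shifted 'tcp' one column left).
BACKGROUND_SUFFIXES and EXPECTED_PORTS are the author's assumptions.
"""
from collections import Counter

# Assumption: names under these suffixes are Store / Delivery Optimization /
# MSN traffic that a Windows 10 analysis image generates on its own.
BACKGROUND_SUFFIXES = ("microsoft.com", "s-microsoft.com", "msn.com")
EXPECTED_PORTS = {80, 443}  # IP-literal connections here look like CDN traffic; not decisive

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| NL | 8.248.1.254:80 | tcp | |
| RU | 95.142.46.35:6666 | tcp | |
| NL | 52.178.17.3:443 | tcp | |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| US | 13.107.21.200:443 | tcp | |
"""


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def parse_rows(table):
    """Parse the pipe table into dicts, repairing column-shifted rows."""
    rows = []
    for line in table.splitlines()[1:]:  # first line is the header
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4:
            continue
        country, dest, domain, proto = cells[:4]
        if domain in ("tcp", "udp") and not proto:  # no Domain cell: proto slid left
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage_network(table):
    lookups, background = Counter(), Counter()
    unresolved_web, suspicious = [], []
    for r in parse_rows(table):
        if r["proto"] == "udp" and r["port"] == 53:
            lookups[r["domain"]] += 1          # resolver traffic, not a contact
        elif is_background(r["domain"]):
            background[r["domain"]] += 1       # VM noise, keep out of the IOC list
        elif r["domain"]:
            suspicious.append((r["country"], r["ip"], r["port"],
                               "sample resolved " + r["domain"]))
        elif r["port"] in EXPECTED_PORTS:
            unresolved_web.append((r["country"], r["ip"], r["port"]))
        else:
            suspicious.append((r["country"], r["ip"], r["port"],
                               "no DNS lookup, non-web port"))
    return {"lookups": dict(lookups), "background": dict(background),
            "unresolved_web": unresolved_web, "suspicious": suspicious}


if __name__ == "__main__":
    result = triage_network(SAMPLE_TABLE)
    for item in result["suspicious"]:
        print("C2 candidate:", item)
    print("background flows dropped:", sum(result["background"].values()))
```

The unresolved 80/443 bucket is deliberately kept separate from the suspicious one: a hard-coded address on a web port can be a CDN node the image reached without a captured lookup, so on its own it justifies a look, not an indicator.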
Files
memory/2360-131-0x0000000000610000-0x0000000000AF8000-memory.dmp
memory/1456-135-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1456-134-0x0000000000000000-mapping.dmp
memory/1456-142-0x0000000000400000-0x000000000048E000-memory.dmp
The two 0x400000-0x48E000 dumps of PID 1456 (AppLaunch.exe, 0x8E000 bytes, about 568 KB) capture the same region at two points in the run; 0x400000 is the default image base of an unrelocated executable, so these are the artifacts to start from when recovering the injected stealer rather than the on-disk 2su0b91u.exe, which the signatures above show acting as the loader. The 2360 dump (0x610000-0xAF8000, about 4.9 MB) is a region of the loader's own address space.