Analysis Overview
SHA256
17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f
Threat Level: Known bad
The file 17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE ISRStealer Checkin
ISR Stealer
ISR Stealer Payload
NirSoft MailPassView
Nirsoft
UPX packed file
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-08 20:00
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-08 20:00
Reported
2022-06-08 23:16
Platform
win7-20220414-en
Max time kernel
44s
Max time network
48s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
suricata: ET MALWARE ISRStealer Checkin
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1600 set thread context of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe |
| PID 904 set thread context of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe |
| PID 904 set thread context of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
"C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe"
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
"C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe"
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\aCFpajJviH.ini"
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\1L14r75uTA.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.x12.me | udp |
| US | 198.54.117.211:80 | www.x12.me | tcp |
Files
memory/1600-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
memory/904-60-0x0000000000400000-0x0000000000442000-memory.dmp
memory/904-61-0x0000000000401180-mapping.dmp
memory/904-58-0x0000000000400000-0x0000000000442000-memory.dmp
memory/904-55-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1600-63-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/904-62-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1312-66-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1312-67-0x00000000004512E0-mapping.dmp
memory/1312-70-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1312-71-0x0000000000400000-0x0000000000453000-memory.dmp
memory/904-72-0x0000000000400000-0x0000000000442000-memory.dmp
memory/904-73-0x0000000002930000-0x0000000002B0F000-memory.dmp
memory/1312-74-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1312-75-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aCFpajJviH.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1504-79-0x000000000041C410-mapping.dmp
memory/1504-82-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1504-78-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1504-83-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1504-84-0x0000000000400000-0x000000000041F000-memory.dmp
memory/904-85-0x00000000037D0000-0x00000000039AF000-memory.dmp
memory/904-86-0x0000000000400000-0x0000000000442000-memory.dmp
memory/904-87-0x0000000002930000-0x0000000002B0F000-memory.dmp
memory/904-88-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-08 20:00
Reported
2022-06-08 23:16
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
161s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
suricata: ET MALWARE ISRStealer Checkin
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3044 set thread context of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe |
| PID 4232 set thread context of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe |
| PID 4232 set thread context of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
"C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe"
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
"C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe"
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\kvTygraBjv.ini"
C:\Users\Admin\AppData\Local\Temp\17bae53213efafccaca9971d9b513ec3b33e03e745ed08b75d9ee43b9ca4351f.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\fW9e7BJx6s.ini"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | www.x12.me | udp |
| US | 198.54.117.216:80 | www.x12.me | tcp |
| NL | 52.178.17.2:443 | tcp |
Files
memory/3044-130-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3044-131-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/4232-132-0x0000000000000000-mapping.dmp
memory/4232-133-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4232-134-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4280-137-0x0000000000000000-mapping.dmp
memory/4280-138-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4280-140-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4280-141-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4232-142-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4280-143-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4280-144-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kvTygraBjv.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/3264-146-0x0000000000000000-mapping.dmp
memory/3264-147-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3264-149-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3264-150-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3264-151-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3264-152-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4232-153-0x0000000000400000-0x0000000000442000-memory.dmp