Analysis Overview
SHA256
3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4
Threat Level: Known bad
The file 3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
suricata: ET MALWARE ISRStealer Checkin
ISR Stealer Payload
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 23:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 23:42
Reported
2022-06-13 05:33
Platform
win7-20220414-en
Max time kernel
39s
Max time network
43s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
3 matches; no description, indicator, process or target recorded for this signature.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1472 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe
"C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
Network
Files
memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
memory/1472-55-0x0000000074290000-0x000000007483B000-memory.dmp
memory/752-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 32827e69b293b99013bbbe37d029245d |
| SHA1 | bc9f80a38f09354d71467a05b0c5a82c3f7dac53 |
| SHA256 | 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f |
| SHA512 | 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5 |
memory/1828-58-0x0000000000080000-0x00000000000C2000-memory.dmp
memory/1828-59-0x0000000000080000-0x00000000000C2000-memory.dmp
memory/1828-61-0x0000000000080000-0x00000000000C2000-memory.dmp
memory/1828-64-0x0000000000401180-mapping.dmp
memory/1828-66-0x0000000000080000-0x00000000000C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 32827e69b293b99013bbbe37d029245d |
| SHA1 | bc9f80a38f09354d71467a05b0c5a82c3f7dac53 |
| SHA256 | 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f |
| SHA512 | 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5 |
memory/1472-68-0x0000000074290000-0x000000007483B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 23:42
Reported
2022-06-13 05:33
Platform
win10v2004-20220414-en
Max time kernel
94s
Max time network
159s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
5 matches; no description, indicator, process or target recorded for this signature.
suricata: ET MALWARE ISRStealer Checkin
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
UPX packed file
4 matches; no description, indicator, process or target recorded for this signature.
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4920 set thread context of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 3392 set thread context of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 3392 set thread context of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe
"C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\5tSJpxgezC.ini"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\Y3ysOYeewZ.ini"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1584 -ip 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 80
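Added example, not part of the sandbox report or its signature set: detection logic in Python, run over constructed Sysmon-style process-creation events modelled on the process tree above. It flags svhost.exe (one character away from svchost.exe) running from the user's Temp directory, the /scomma switch, which is the save-as-comma-separated-file option of the NirSoft password-recovery utilities (WebBrowserPassView, Mail PassView) and is how the two child processes write harvested credentials into the .ini files named above, and WerFault.exe reporting the crash (-p 1584) of an already flagged PID. PIDs 4920, 3392, 2364 and 1584 are the ones the report records; the parent PID 1000, the WerFault PIDs 5000 and 5001 and the benign svchost.exe control event are constructed for the example.

```python
"""Hunt logic for the process chain in this report, run over constructed
Sysmon-style process-creation events (modelled on the behavioral2 tree; the
WerFault and benign-control PIDs are made up). Added example, not part of
the sandbox's own signatures.

Three checks:
  1. a binary under a user-writable directory whose name is one edit away
     from a well-known system binary (svhost.exe vs svchost.exe);
  2. a NirSoft-style "save report" switch (/scomma, /stext, /sxml, /shtml,
     /stab): the password-recovery utilities write what they harvested to
     the file named after the switch;
  3. WerFault.exe reporting a crash (-p <pid>) of a process flagged by 1 or 2.
"""
import re
from dataclasses import dataclass

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "conhost.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|appdata\\roaming|appdata\\local|users\\public|programdata)\\",
    re.I)
SAVE_SWITCH = re.compile(r"(?:^|\s)(/s(?:comma|text|xml|html|tab))\b", re.I)
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)\b")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


def within_one_edit(a: str, b: str) -> bool:
    """True if a turns into b with at most one insert, delete or substitution
    (a Levenshtein <= 1 check, enough to catch lookalike binary names)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # a has an extra character
        elif len(a) < len(b):
            j += 1          # b has an extra character
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # trailing leftovers
    return edits <= 1


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list) -> list:
    """Return human-readable findings, in event order."""
    findings = []
    flagged = set()
    for ev in events:
        name = basename(ev.image)
        if USER_WRITABLE.search(ev.image):
            for sysbin in sorted(SYSTEM_BINARIES):
                if name != sysbin and within_one_edit(name, sysbin):
                    findings.append(f"masquerade: pid {ev.pid} {name} "
                                    f"(looks like {sysbin}) under user-writable path")
                    flagged.add(ev.pid)
                    break
        m = SAVE_SWITCH.search(ev.cmdline)
        if m:
            findings.append(f"credential-dump switch {m.group(1)}: pid {ev.pid} "
                            f"(parent {ev.ppid}) {ev.cmdline}")
            flagged.add(ev.pid)
        if name == "werfault.exe":
            m = WERFAULT_PID.search(ev.cmdline)
            if m and int(m.group(1)) in flagged:
                findings.append(f"crash of flagged pid {m.group(1)} "
                                f"reported by WerFault pid {ev.pid}")
    return findings


# Constructed sample: PIDs 4920/3392/2364/1584 as in the behavioral2 run,
# everything else (ppid 1000, WerFault pids, the benign svchost) made up.
T = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = T + r"\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe"
SVHOST = T + r"\svhost.exe"
SAMPLE_EVENTS = [
    ProcEvent(4920, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(452, 4920, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe"'),
    ProcEvent(3392, 4920, SVHOST, f'"{SVHOST}"'),
    ProcEvent(2364, 3392, SVHOST, f'/scomma "{T}\\5tSJpxgezC.ini"'),
    ProcEvent(1584, 3392, SVHOST, f'/scomma "{T}\\Y3ysOYeewZ.ini"'),
    ProcEvent(5000, 1584, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1584 -ip 1584"),
    ProcEvent(5001, 1584, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 80"),
    ProcEvent(6000, 1000, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The benign svchost.exe event produces nothing because the name check only runs for images under user-writable paths; the point of the example is that the combination (lookalike name, Temp path, save switch, crash of the same PID) is what separates this chain from ordinary activity.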
Network
| Country | Destination | Domain | Proto |
| NL | 67.26.105.254:80 | | tcp |
| US | 20.189.173.10:443 | | tcp |
| US | 8.8.8.8:53 | chayto.com.ar | udp |
| CA | 149.56.22.100:80 | chayto.com.ar | tcp |
| US | 67.24.25.254:80 | | tcp |
| US | 67.24.25.254:80 | | tcp |
| US | 67.24.25.254:80 | | tcp |
Files
memory/4920-130-0x00000000751C0000-0x0000000075771000-memory.dmp
memory/452-131-0x0000000000000000-mapping.dmp
memory/4920-132-0x00000000751C0000-0x0000000075771000-memory.dmp
memory/3392-133-0x0000000000000000-mapping.dmp
memory/3392-134-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 1c9ff7df71493896054a91bee0322ebf |
| SHA1 | 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4 |
| SHA256 | e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa |
| SHA512 | aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab |
memory/3392-138-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2364-141-0x0000000000000000-mapping.dmp
memory/2364-142-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2364-145-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2364-146-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3392-147-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2364-148-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5tSJpxgezC.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/4920-150-0x00000000751C0000-0x0000000075771000-memory.dmp
memory/3392-151-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2364-152-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1584-153-0x0000000000000000-mapping.dmp
memory/3392-156-0x0000000000400000-0x0000000000442000-memory.dmp
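Added example, not part of the report: a parser for the memory/... dump names listed under Files in both detonations. It assumes the naming convention memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp for region dumps and memory/<pid>-<sequence>-0x<address>-mapping.dmp for mapping records; that convention is inferred from the names on this page, not a documented format. Grouping by PID shows that the region dumped from PID 1828 on Windows 7 (0x80000-0xC2000) and from PID 3392 on Windows 10 (0x400000-0x442000) have the same size, 0x42000 bytes, at different bases, that PID 2364 holds a region of a different size (0x53000), and that PID 1584, the process WerFault reported, has only a mapping record and no region dump.

```python
"""Parse the sandbox memory-dump names listed in this report and summarise,
per PID, which regions were dumped, how often, and how large they are.

Assumed naming convention (inferred from the names on this page; an
assumption of this example, not a documented format):
    memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   region dump
    memory/<pid>-<seq>-0x<addr>-mapping.dmp            mapping record
"""
import re
from collections import defaultdict

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")

# Names copied from the Files sections of the two detonations above.
BEHAVIORAL1_DUMPS = [
    "memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp",
    "memory/1472-55-0x0000000074290000-0x000000007483B000-memory.dmp",
    "memory/752-56-0x0000000000000000-mapping.dmp",
    "memory/1828-58-0x0000000000080000-0x00000000000C2000-memory.dmp",
    "memory/1828-59-0x0000000000080000-0x00000000000C2000-memory.dmp",
    "memory/1828-61-0x0000000000080000-0x00000000000C2000-memory.dmp",
    "memory/1828-64-0x0000000000401180-mapping.dmp",
    "memory/1828-66-0x0000000000080000-0x00000000000C2000-memory.dmp",
    "memory/1472-68-0x0000000074290000-0x000000007483B000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/4920-130-0x00000000751C0000-0x0000000075771000-memory.dmp",
    "memory/452-131-0x0000000000000000-mapping.dmp",
    "memory/4920-132-0x00000000751C0000-0x0000000075771000-memory.dmp",
    "memory/3392-133-0x0000000000000000-mapping.dmp",
    "memory/3392-134-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/3392-138-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2364-141-0x0000000000000000-mapping.dmp",
    "memory/2364-142-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/2364-145-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/2364-146-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/3392-147-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2364-148-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/4920-150-0x00000000751C0000-0x0000000075771000-memory.dmp",
    "memory/3392-151-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2364-152-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/1584-153-0x0000000000000000-mapping.dmp",
    "memory/3392-156-0x0000000000400000-0x0000000000442000-memory.dmp",
]


def parse_dump_names(names):
    """Return (regions, mappings).

    regions:  {pid: {(start, end): [seq, ...]}}  one key per distinct region,
              the list holds every sequence number at which it was dumped
    mappings: {pid: [(seq, addr), ...]}
    Names that match neither pattern (file entries etc.) are ignored.
    """
    regions = defaultdict(lambda: defaultdict(list))
    mappings = defaultdict(list)
    for name in names:
        m = REGION_RE.match(name)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions[pid][(start, end)].append(seq)
            continue
        m = MAPPING_RE.match(name)
        if m:
            mappings[int(m[1])].append((int(m[2]), int(m[3], 16)))
    return regions, mappings


def region_sizes(regions):
    """{pid: sorted list of distinct dumped-region sizes in bytes}"""
    return {pid: sorted({end - start for (start, end) in regs})
            for pid, regs in regions.items()}


def same_size_regions(regions, pid_a, pid_b):
    """Region sizes dumped for both PIDs regardless of base address; equal
    sizes at different bases is what the same image relocated into two
    processes (or two runs) looks like."""
    sizes = region_sizes(regions)
    return sorted(set(sizes.get(pid_a, [])) & set(sizes.get(pid_b, [])))


def summarize(regions, mappings):
    lines = []
    for pid in sorted(set(regions) | set(mappings)):
        for (start, end), seqs in sorted(regions.get(pid, {}).items()):
            lines.append(f"pid {pid}: 0x{start:08X}-0x{end:08X} size 0x{end - start:X} "
                         f"dumped {len(seqs)}x (seq {seqs})")
        for seq, addr in mappings.get(pid, []):
            lines.append(f"pid {pid}: mapping at 0x{addr:08X} (seq {seq})")
    return lines


if __name__ == "__main__":
    regs, maps = parse_dump_names(BEHAVIORAL1_DUMPS + BEHAVIORAL2_DUMPS)
    print("\n".join(summarize(regs, maps)))
    print("shared sizes 1828/3392:", [hex(s) for s in same_size_regions(regs, 1828, 3392)])
```

Note that the dropped svhost.exe has a different hash in each run (MD5 32827e69b293b99013bbbe37d029245d on Windows 7, 1c9ff7df71493896054a91bee0322ebf on Windows 10), so equal region sizes here say only that the in-memory image is the same size, not that the bytes are identical.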