Analysis Overview
SHA256
403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0
Threat Level: Known bad
The file 403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer payload
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-19 02:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-19 02:15
Reported
2022-09-19 03:18
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
4 matches; the report records no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1760 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | C:\Users\Admin\AppData\Local\Temp\006.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
"C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe"
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe"
C:\Users\Admin\AppData\Local\Temp\006.exe
"C:\Users\Admin\AppData\Local\Temp\006.exe"
C:\Users\Admin\AppData\Local\Temp\006.exe
"C:\Users\Admin\AppData\Local\Temp\006.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.rapidgens.info | udp |
Files
Dropped files (the report prints the same hash table once per file event; collapsed here to one table per unique file, with the event count):
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe (9 events; also listed as \Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe)
| MD5 | c4efbd75828df685ab7e1740e7bcd157 |
| SHA1 | 687710f3569b294645aa026acdf78106c3d38e2c |
| SHA256 | 2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799 |
| SHA512 | 6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8 |
C:\Users\Admin\AppData\Local\Temp\006.exe (12 events; also listed as \Users\Admin\AppData\Local\Temp\006.exe)
| MD5 | e63538bc7a919c82168acde031f1d0f9 |
| SHA1 | ab1363fcb0be44ed3a33dd96a9ab5400b04fe255 |
| SHA256 | 0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50 |
| SHA512 | cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e |
Memory dumps (in report order):
memory/1088-54-0x0000000075241000-0x0000000075243000-memory.dmp
memory/1788-57-0x0000000000000000-mapping.dmp
memory/1760-65-0x0000000000000000-mapping.dmp
memory/1788-77-0x0000000074200000-0x00000000747AB000-memory.dmp
memory/1788-78-0x0000000074200000-0x00000000747AB000-memory.dmp
memory/1924-80-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1924-81-0x00000000004011F0-mapping.dmp
memory/1924-90-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1924-91-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-19 02:15
Reported
2022-09-19 03:18
Platform
win10v2004-20220812-en
Max time kernel
104s
Max time network
151s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
4 matches; the report records no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 824 set thread context of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | C:\Users\Admin\AppData\Local\Temp\006.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
"C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe"
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe"
C:\Users\Admin\AppData\Local\Temp\006.exe
"C:\Users\Admin\AppData\Local\Temp\006.exe"
C:\Users\Admin\AppData\Local\Temp\006.exe
"C:\Users\Admin\AppData\Local\Temp\006.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | www.rapidgens.info | udp |
| US | 93.184.221.240:80 | | tcp |
| DE | 51.116.253.170:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
Dropped files (the report prints the same hash table once per file event; collapsed here to one table per unique file, with the event count):
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe (2 events)
| MD5 | c4efbd75828df685ab7e1740e7bcd157 |
| SHA1 | 687710f3569b294645aa026acdf78106c3d38e2c |
| SHA256 | 2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799 |
| SHA512 | 6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8 |
C:\Users\Admin\AppData\Local\Temp\006.exe (3 events)
| MD5 | e63538bc7a919c82168acde031f1d0f9 |
| SHA1 | ab1363fcb0be44ed3a33dd96a9ab5400b04fe255 |
| SHA256 | 0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50 |
| SHA512 | cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e |
Memory dumps (in report order):
memory/2232-132-0x0000000000000000-mapping.dmp
memory/824-135-0x0000000000000000-mapping.dmp
memory/2232-140-0x00000000748A0000-0x0000000074E51000-memory.dmp
memory/2232-141-0x00000000748A0000-0x0000000074E51000-memory.dmp
memory/3480-142-0x0000000000000000-mapping.dmp
memory/3480-143-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3480-148-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3480-149-0x0000000000400000-0x0000000000414000-memory.dmp
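Added triage helper (example code; it is not part of the sandbox report and not the sandbox vendor's tooling). It works from the rows of both detonations above: the SetThreadContext signature ("PID 1760 set thread context of 1924" on win7, "PID 824 set thread context of 3480" on win10, in both cases 006.exe acting on a second copy of itself, alongside the Executes dropped EXE and WriteProcessMemory hits), the memory-dump names, the per-event hash tables under Files, and the two Network tables. Assumptions, stated here and in the code: a dump named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read as a region dump of that process and memory/<pid>-<seq>-0x<addr>-mapping.dmp as a dump keyed to a single address; treating the 0x400000-0x414000 region of the child (0x14000 bytes at the default 32-bit image base) as the image written into the hollowed copy, with the win7 mapping address 0x4011F0 inside it, is an interpretation of the report, not something it states. The excerpts embedded in the block are constructed from the report's own lines, with the win10 network rows written in the header's column order.

```python
"""Added triage helper for this sandbox report (example code, not the sandbox's own).
It parses the line shapes the report uses, from constructed excerpts embedded
below, and derives the SetThreadContext chain with the region dumped from its
target, one entry per dropped file, and the network rows common to both runs."""
import re
from collections import defaultdict

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
# Dump names as written in the report: memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|\s]+\.(?:exe|dll)$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+:\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$")

# Constructed excerpts of the win7 and win10 runs; the win10 network rows are
# written in the header's column order (country, destination, domain, proto).
REPORT_WIN7 = r"""
| PID 1760 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | C:\Users\Admin\AppData\Local\Temp\006.exe |
memory/1760-65-0x0000000000000000-mapping.dmp
memory/1924-80-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1924-81-0x00000000004011F0-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
| MD5 | c4efbd75828df685ab7e1740e7bcd157 |
| SHA256 | 2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799 |
C:\Users\Admin\AppData\Local\Temp\006.exe
| MD5 | e63538bc7a919c82168acde031f1d0f9 |
| SHA256 | 0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50 |
\Users\Admin\AppData\Local\Temp\006.exe
| SHA256 | 0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50 |
| US | 8.8.8.8:53 | www.rapidgens.info | udp |
"""
REPORT_WIN10 = r"""
| PID 824 set thread context of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\006.exe | C:\Users\Admin\AppData\Local\Temp\006.exe |
memory/3480-142-0x0000000000000000-mapping.dmp
memory/3480-143-0x0000000000400000-0x0000000000414000-memory.dmp
| US | 93.184.221.240:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| US | 8.8.8.8:53 | www.rapidgens.info | udp |
| DE | 51.116.253.170:443 | | tcp |
"""

def parse_report(text):
    """Walk the report line by line; a hash row belongs to the last path line seen."""
    info = {"injections": [], "dumps": defaultdict(list), "files": {}, "network": []}
    current_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STC_RE.search(line):
            info["injections"].append((int(m[1]), int(m[2])))
        elif m := DUMP_RE.match(line):
            pid, seq, start, end, kind = m.groups()
            info["dumps"][int(pid)].append((int(seq), int(start, 16), int(end, 16) if end else None, kind))
        elif PATH_RE.match(line):
            current_path = line
        elif (m := HASH_RE.match(line)) and current_path:
            info["files"].setdefault(current_path, {})[m[1]] = m[2].lower()
        elif m := NET_RE.match(line):
            info["network"].append((m[1], m[2], m[3], m[4]))
    return info

def injected_regions(info):
    """For each 'PID A set thread context of B': the lowest region dumped from B and
    whether an address-bearing mapping dump of B falls inside it (interpretation, see lead-in)."""
    out = []
    for src, dst in info["injections"]:
        dumps = info["dumps"].get(dst, [])
        regions = {(s, e) for _, s, e, k in dumps if k == "memory" and e is not None}
        base, end = min(regions) if regions else (None, None)
        addrs = [s for _, s, _, k in dumps if k == "mapping" and s]
        out.append({"source": src, "target": dst, "base": base,
                    "size": end - base if regions else None,
                    "mapping_inside": bool(regions) and any(base <= a < end for a in addrs)})
    return out

def dropped_files(info):
    """One entry per SHA256: the report repeats a file's hash table for every file event."""
    by_sha = {}
    for path, hashes in info["files"].items():
        if "SHA256" in hashes:
            entry = by_sha.setdefault(hashes["SHA256"], {"name": path.rsplit("\\", 1)[-1], "paths": set()})
            entry["paths"].add(path)
    return by_sha

def shared_network(a, b):
    """Rows present in both guest images; rows unique to one image are weaker indicators."""
    rows = lambda info: {(dest, dom, proto) for _, dest, dom, proto in info["network"]}
    return rows(a) & rows(b)

def unattributed(info):
    """Destinations the sandbox could not tie to a DNS name."""
    return {dest for _, dest, dom, _ in info["network"] if not dom}

if __name__ == "__main__":
    win7, win10 = parse_report(REPORT_WIN7), parse_report(REPORT_WIN10)
    for run in (win7, win10):
        print("hollowing chain:", injected_regions(run))
    for sha, f in dropped_files(win7).items():
        print(f"{f['name']} sha256={sha} ({len(f['paths'])} path forms)")
    print("shared across runs:", shared_network(win7, win10))
    print("win10-only, no domain:", unattributed(win10) - unattributed(win7))
```

Run against the excerpts, the chain is the same on both images: one 006.exe process sets the thread context of a second 006.exe process whose dumped region starts at 0x400000 and spans 0x14000 bytes. Only the DNS lookup for www.rapidgens.info via 8.8.8.8 appears in both detonations; the win10-only HTTP and HTTPS destinations carry no domain and were absent on win7, so they should not be promoted to sample indicators without further evidence.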