Analysis Overview
SHA256
2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8
Threat Level: Known bad
The file 2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer payload
NirSoft MailPassView
Nirsoft
UPX packed file
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-03 08:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-03 08:16
Reported
2022-10-04 18:20
Platform
win7-20220901-en
Max time kernel
47s
Max time network
51s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 960 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe |
| PID 2008 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe |
| PID 2008 set thread context of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
"C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe"
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\y5IXwGvPEp.ini"
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\FNn4q99IXB.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pruintco.com | udp |
Files
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
memory/2008-55-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2008-56-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2008-58-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2008-60-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2008-61-0x0000000000401180-mapping.dmp
memory/960-62-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1484-66-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1484-67-0x00000000004512E0-mapping.dmp
memory/1484-70-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1484-71-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2008-72-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1484-73-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1484-74-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\y5IXwGvPEp.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/2008-77-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1920-79-0x000000000041C410-mapping.dmp
memory/1920-78-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1920-82-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1920-83-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1920-84-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2008-85-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-03 08:16
Reported
2022-10-04 18:20
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
135s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4584 set thread context of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe |
| PID 2960 set thread context of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe |
| PID 2960 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
"C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe"
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\BuVpFk9fe1.ini"
C:\Users\Admin\AppData\Local\Temp\2a5fe61d1a62b027fa486dec0ce1d977c6ab4b99894ee057bcc11458330adef8.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\xVdw300OLV.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pruintco.com | udp |
| NL | 104.80.225.205:443 | tcp | |
| US | 20.189.173.4:443 | tcp | |
| US | 8.253.183.120:80 | tcp | |
| US | 8.253.183.120:80 | tcp | |
| US | 8.253.183.120:80 | tcp |
Files
memory/4584-132-0x00000000005B0000-0x00000000005B4000-memory.dmp
memory/2960-133-0x0000000000000000-mapping.dmp
memory/2960-134-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3344-138-0x0000000000000000-mapping.dmp
memory/3344-139-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3344-141-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3344-142-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3344-143-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2960-144-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BuVpFk9fe1.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1876-146-0x0000000000000000-mapping.dmp
memory/1876-147-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1876-149-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1876-150-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1876-151-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2960-152-0x0000000000400000-0x0000000000442000-memory.dmp