Analysis Overview
SHA256
862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25
Threat Level: Known bad
The file 862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-04 01:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-04 01:45
Reported
2022-10-04 10:59
Platform
win7-20220812-en
Max time kernel
57s
Max time network
60s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | C:\Users\Admin\AppData\Local\Temp\talking.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe
"C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"
C:\Users\Admin\AppData\Local\Temp\talking.exe
"C:\Users\Admin\AppData\Local\Temp\talking.exe"
C:\Users\Admin\AppData\Local\Temp\talking.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\KtLxufi9l7.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ronald.uphero.com | udp |
| US | 153.92.0.100:80 | ronald.uphero.com | tcp |
| US | 8.8.8.8:53 | www.000webhost.com | udp |
Files
\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
memory/1672-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
C:\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
memory/1500-62-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
memory/1500-63-0x00000000004512E0-mapping.dmp
memory/1500-66-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
memory/1500-67-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-68-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-69-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-70-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KtLxufi9l7.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-04 01:45
Reported
2022-10-04 10:59
Platform
win10v2004-20220812-en
Max time kernel
99s
Max time network
170s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2720 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | C:\Users\Admin\AppData\Local\Temp\talking.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\talking.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe
"C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"
C:\Users\Admin\AppData\Local\Temp\talking.exe
"C:\Users\Admin\AppData\Local\Temp\talking.exe"
C:\Users\Admin\AppData\Local\Temp\talking.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\TfPaWISy2y.ini"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | ronald.uphero.com | udp |
| US | 153.92.0.100:80 | ronald.uphero.com | tcp |
| US | 20.189.173.1:443 | tcp | |
| US | 8.8.8.8:53 | www.000webhost.com | udp |
| US | 104.19.184.120:443 | www.000webhost.com | tcp |
| US | 104.19.185.120:443 | www.000webhost.com | tcp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/2720-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
C:\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
memory/4500-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\talking.exe
| MD5 | ad1d36fffa782a1807f7258d82d6dc1f |
| SHA1 | c871c0daed368cfe12a6b1fd2dddd1ffcc895927 |
| SHA256 | 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3 |
| SHA512 | 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4 |
memory/4500-141-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-144-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-145-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-146-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TfPaWISy2y.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |