Analysis Overview
SHA256
e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0
Threat Level: Known bad
The file e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer payload
ISR Stealer
NirSoft MailPassView
Nirsoft
UPX packed file
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 14:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-11 14:38
Reported
2022-10-11 22:05
Platform
win7-20220812-en
Max time kernel
43s
Max time network
48s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1896 set thread context of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe |
| PID 2020 set thread context of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe |
| PID 2020 set thread context of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
"C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe"
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\hdfS1OGCTG.ini"
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\iRB81ZzWj2.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | puriexports.info | udp |
Files
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp
memory/2020-55-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2020-56-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2020-58-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1896-62-0x0000000000250000-0x0000000000254000-memory.dmp
memory/2020-61-0x0000000000401180-mapping.dmp
memory/2020-60-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1512-66-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1512-67-0x00000000004512E0-mapping.dmp
memory/1512-70-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1512-71-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2020-72-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1512-73-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1512-74-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hdfS1OGCTG.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1604-78-0x000000000041C410-mapping.dmp
memory/1604-77-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1604-81-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1604-82-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1604-83-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2020-84-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2020-85-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-11 14:38
Reported
2022-10-11 22:06
Platform
win10v2004-20220812-en
Max time kernel
168s
Max time network
172s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4068 set thread context of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe |
| PID 4544 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe |
| PID 4544 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe | C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
"C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe"
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\Zdj14BEJ7V.ini"
C:\Users\Admin\AppData\Local\Temp\e9aa538880b28eaf56908bf44eb2d0db6690c9588224d68fc7f7ed50cb2022c0.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\N0yNLKNEuY.ini"
Network
| Country | Destination | Domain | Proto |
| IE | 20.123.104.105:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | puriexports.info | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
memory/4544-132-0x0000000000000000-mapping.dmp
memory/4544-133-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4068-135-0x0000000000A70000-0x0000000000A74000-memory.dmp
memory/4544-138-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2088-139-0x0000000000000000-mapping.dmp
memory/2088-140-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2088-142-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2088-143-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2088-144-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Zdj14BEJ7V.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1488-146-0x0000000000000000-mapping.dmp
memory/1488-147-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1488-149-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1488-150-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1488-151-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4544-152-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4544-153-0x0000000000400000-0x0000000000442000-memory.dmp