isrstealer | 82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
Size

353KB
MD5

1041c042bc8df4867bf695689b9e20f4
SHA1

a622b90ae7c13a44730885b423e648b9c4dfd055
SHA256

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7
SHA512

c1220c15af19d93b0ce70e654c77ad9ae0ef1cdf196f577ea065fda6a831ae679f33ffa9557afe7a14e5075d4477a8666f8bdb63582dffe8c906b0759fd2d223
SSDEEP

6144:/rYTogh5mqytL07iehf+iO0UnaTLJ/MWujqAclvdrachBbGqV:TDrihO1nILBjYqvoch

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/764-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/764-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/764-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/764-79-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/764-92-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/764-100-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1640-110-0x0000000000401180-mapping.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/860-90-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/860-91-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/860-90-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/860-91-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exeatiesrx.exe

pid process

572 IpOverUsbSvrc.exe
1712 atiesrx.exe
1640 atiesrx.exe

pid	process
572	IpOverUsbSvrc.exe
1712	atiesrx.exe
1640	atiesrx.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1276-68-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-73-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1276-82-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/860-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-89-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exeIpOverUsbSvrc.exeatiesrx.exe

pid process

1696 82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572 IpOverUsbSvrc.exe
1712 atiesrx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exeatiesrx.exe

description	pid	process	target process
PID 1696 set thread context of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 set thread context of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 set thread context of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1712 set thread context of 1640	1712	atiesrx.exe	atiesrx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exeIpOverUsbSvrc.exeatiesrx.exe

pid	process
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
572	IpOverUsbSvrc.exe
572	IpOverUsbSvrc.exe
1712	atiesrx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exeIpOverUsbSvrc.exeatiesrx.exe

description	pid	process
Token: SeDebugPrivilege	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
Token: SeDebugPrivilege	572	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1712	atiesrx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

pid process

764 82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

pid	process
764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exeIpOverUsbSvrc.exeatiesrx.exe

C:\Users\Admin\AppData\Local\Temp\82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
"C:\Users\Admin\AppData\Local\Temp\82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
"C:\Users\Admin\AppData\Local\Temp\82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\nWJV0CiIoT.ini"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\aNmHoTN1Bk.ini"
3⤵
- Accesses Microsoft Outlook accounts
PID:860

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
4⤵
- Executes dropped EXE
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nWJV0CiIoT.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
11KB

MD5
5249a17cb09bb8d857feb19c047a894b

SHA1
c9e8a8f6cf2d4f14c68b85f409a2d50a57114c79

SHA256
79c10fbcc5f86767857e5193096dcb866dff14e039da6bfa07c7cbd9095b99f1

SHA512
56bfecdc10e0d5e89a9fad91a033fe7f81c673e1167cd994fd5f57c126c02563d18d734713da82d3e30e47201920e49059ff169d0ba486d8be835688e0856d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
11KB

MD5
5249a17cb09bb8d857feb19c047a894b

SHA1
c9e8a8f6cf2d4f14c68b85f409a2d50a57114c79

SHA256
79c10fbcc5f86767857e5193096dcb866dff14e039da6bfa07c7cbd9095b99f1

SHA512
56bfecdc10e0d5e89a9fad91a033fe7f81c673e1167cd994fd5f57c126c02563d18d734713da82d3e30e47201920e49059ff169d0ba486d8be835688e0856d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
353KB

MD5
1041c042bc8df4867bf695689b9e20f4

SHA1
a622b90ae7c13a44730885b423e648b9c4dfd055

SHA256
82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7

SHA512
c1220c15af19d93b0ce70e654c77ad9ae0ef1cdf196f577ea065fda6a831ae679f33ffa9557afe7a14e5075d4477a8666f8bdb63582dffe8c906b0759fd2d223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
353KB

MD5
1041c042bc8df4867bf695689b9e20f4

SHA1
a622b90ae7c13a44730885b423e648b9c4dfd055

SHA256
82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7

SHA512
c1220c15af19d93b0ce70e654c77ad9ae0ef1cdf196f577ea065fda6a831ae679f33ffa9557afe7a14e5075d4477a8666f8bdb63582dffe8c906b0759fd2d223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
353KB

MD5
1041c042bc8df4867bf695689b9e20f4

SHA1
a622b90ae7c13a44730885b423e648b9c4dfd055

SHA256
82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7

SHA512
c1220c15af19d93b0ce70e654c77ad9ae0ef1cdf196f577ea065fda6a831ae679f33ffa9557afe7a14e5075d4477a8666f8bdb63582dffe8c906b0759fd2d223

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
11KB

MD5
5249a17cb09bb8d857feb19c047a894b

SHA1
c9e8a8f6cf2d4f14c68b85f409a2d50a57114c79

SHA256
79c10fbcc5f86767857e5193096dcb866dff14e039da6bfa07c7cbd9095b99f1

SHA512
56bfecdc10e0d5e89a9fad91a033fe7f81c673e1167cd994fd5f57c126c02563d18d734713da82d3e30e47201920e49059ff169d0ba486d8be835688e0856d23

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
353KB

MD5
1041c042bc8df4867bf695689b9e20f4

SHA1
a622b90ae7c13a44730885b423e648b9c4dfd055

SHA256
82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7

SHA512
c1220c15af19d93b0ce70e654c77ad9ae0ef1cdf196f577ea065fda6a831ae679f33ffa9557afe7a14e5075d4477a8666f8bdb63582dffe8c906b0759fd2d223

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
353KB

MD5
1041c042bc8df4867bf695689b9e20f4

SHA1
a622b90ae7c13a44730885b423e648b9c4dfd055

SHA256
82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7

SHA512
c1220c15af19d93b0ce70e654c77ad9ae0ef1cdf196f577ea065fda6a831ae679f33ffa9557afe7a14e5075d4477a8666f8bdb63582dffe8c906b0759fd2d223

Download Submit
memory/572-93-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/572-75-0x0000000000000000-mapping.dmp

Download
memory/572-81-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/764-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-63-0x0000000000401180-mapping.dmp

Download
memory/764-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/860-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-86-0x000000000041C410-mapping.dmp

Download
memory/1276-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-69-0x00000000004512E0-mapping.dmp

Download
memory/1640-110-0x0000000000401180-mapping.dmp

Download
memory/1696-102-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-56-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-99-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-101-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-96-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 764	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 1276	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 1696 wrote to memory of 572	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	IpOverUsbSvrc.exe
PID 1696 wrote to memory of 572	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	IpOverUsbSvrc.exe
PID 1696 wrote to memory of 572	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	IpOverUsbSvrc.exe
PID 1696 wrote to memory of 572	1696	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	IpOverUsbSvrc.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 764 wrote to memory of 860	764	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe	82e2e44047a6f9f754d4d223aa977e16a0724fed7efb7a90b5d6fe5e0976eca7.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 572 wrote to memory of 1712	572	IpOverUsbSvrc.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe
PID 1712 wrote to memory of 1640	1712	atiesrx.exe	atiesrx.exe