isrstealer | 1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894

Analysis

max time kernel
102s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
Size

438KB
MD5

e1a72ac50663dc79c2b9a1307ebd7fb9
SHA1

a58bc72414ad4a1e93f4207ddc3ea895f069faf7
SHA256

1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894
SHA512

e62fc674e5b09304ccf0e0fdab317006ac13e85c62529c1d379113a70ade0d7ad113cc4dcb50ba6342429b4bb729ca2d1816dc9780adffafac3dd364f9088e40
SSDEEP

12288:lQVvdu+ATmOHEZER9vcndFhtOdJxe1Q3jjN:lQvAbTmOsM987tOR

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 9 IoCs

resource	yara_rule
behavioral1/memory/1532-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1532-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1532-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1532-74-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1532-83-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/524-92-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/524-105-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1532-106-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/524-125-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1416-123-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1416-124-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1416-123-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1416-124-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/816-68-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/816-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/816-73-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/816-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/816-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1056-101-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1056-102-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1056-103-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1416-118-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1416-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1416-123-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1416-124-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	takshost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 1532 set thread context of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 set thread context of 0	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
PID 1700 set thread context of 524	1700	takshost.exe	32
PID 524 set thread context of 1056	524	takshost.exe	33
PID 524 set thread context of 1416	524	takshost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	takshost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	takshost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
1700	takshost.exe
1700	takshost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
Token: SeDebugPrivilege	1700	takshost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
524	takshost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 836 wrote to memory of 1532	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	27
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 1532 wrote to memory of 816	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	28
PID 836 wrote to memory of 1700	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	29
PID 836 wrote to memory of 1700	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	29
PID 836 wrote to memory of 1700	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	29
PID 836 wrote to memory of 1700	836	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe	29
PID 1532 wrote to memory of 0	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
PID 1532 wrote to memory of 0	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
PID 1532 wrote to memory of 0	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
PID 1532 wrote to memory of 0	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
PID 1532 wrote to memory of 0	1532	1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 1700 wrote to memory of 524	1700	takshost.exe	32
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1056	524	takshost.exe	33
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34
PID 524 wrote to memory of 1416	524	takshost.exe	34

C:\Users\Admin\AppData\Local\Temp\1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
"C:\Users\Admin\AppData\Local\Temp\1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
  "C:\Users\Admin\AppData\Local\Temp\1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\1b1e3084cc098dd5088caa23b8d96219d5d906c1d71a44e0a0a0f28858867894.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\YiLa4wYV0O.ini"
    3⤵
    PID:816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\HabGoXNDLt.ini"
      4⤵
      PID:1056
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\NvSEsP73Ip.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
76e7d5bf61b2e80d159f88aa9798ce91

SHA1
32a46de50c9c02b068e39cf49b78c7e2d5ace20d

SHA256
280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

SHA512
5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
916c512d221c683beeea9d5cb311b0b0

SHA1
bf0db4b1c4566275b629efb095b6ff8857b5748e

SHA256
64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

SHA512
af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6872375A2E1BC120603F5605C3CEC71

Filesize
472B

MD5
130a5d22c58e851f569140b2329a9f11

SHA1
d6400f44b7d5ba08cd074f45d2002b66f8742080

SHA256
0495f3f59298ecb6fbea5c07a166d32bc33d0ae5a8f86351d4492f56bb62ffcd

SHA512
e8a8dd58038c92bb0750329fdab45d2b745c28a487f25f06669e7aabb547cc1b8a929bf7e63f07dcae80a56735dc439d662d07b2dc21323fe885e4b94d249f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
fefcdc16e8e2852a4f71347357e2728b

SHA1
8681eea222e21303743fe923bc485933cc4ed5c1

SHA256
e14c6b8df08568d57ab50d63f3e22d793208c373863aee1764d9fe8cec12eba0

SHA512
13e93e6f1958546b01b71285e9747712e62e9a0e3109658d869ba82c38ffadf5b1f7413eb90c95b5e48d0c1e42d51f0acf755877451b7f26a1dda6973a1a448c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cb694b76e59e004f6ce0a62ce99770a

SHA1
f64631306ce664f5f1d91db227afc5b595e31166

SHA256
ab24d7515c1f09f143c9e803019837120112213a7e8ce6efd78dac83c1098db1

SHA512
5d26a742736b7eaf31cebe134584865f55fd1aea9e0da7df39805a629c402740fe143e2e3df317acde57b67fdf76a8bb5339f5d2539170242e58f6eea098f04e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
47ffd8553ce942117aabf74318894664

SHA1
a4168c8ea08ab945b3bf0db8237fbef45c1da3d2

SHA256
2dbd1ac4d8f26038c05edb4143e781822e2716bc874eea5528c6b8054712c2be

SHA512
178061bf965bda0a6e71156734218c97c975e9f783bd035e06296e9ced2abca7c71ffc6538cbe853c7d06ad7219b1577d5c400ffe33796962c1145964157959d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71

Filesize
484B

MD5
ac4c9cf43f2bed79a029c57c25a9f424

SHA1
58002a162e75c00351b570d946b4119d0cb6180f

SHA256
8fbf5a33f006b3371c52208202e8c848e2c95b1381c1851db7668151099ded15

SHA512
8e17162c87001383e95a3792de2c7409e77a86043e0a5f0ca7afaebecda24d18bd6e45e355d79c2556fddca87554e1b2bcbed39b094a3c4f6e7c92aff3731eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HabGoXNDLt.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YiLa4wYV0O.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/0-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/816-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/836-55-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/836-79-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-103-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-102-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-101-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-118-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-124-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-104-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1700-84-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1700-78-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download