Analysis Overview
SHA256
723653126eb7214b142d0e0c6689158f3acebc548a38f704e979347e2290a5cc
Threat Level: Known bad
The file ce1e7349486456b3c57a5266260f3393 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer payload
Nirsoft
NirSoft MailPassView
UPX packed file
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 12:58
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 12:58
Reported
2024-03-16 13:01
Platform
win7-20240215-en
Max time kernel
117s
Max time network
118s
Signatures
ISR Stealer
ISR Stealer payload
NirSoft MailPassView
Nirsoft
Reads user/profile data of web browsers
UPX packed file
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2084 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
| PID 3048 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
| PID 3048 set thread context of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
"C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdacbsPcya" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp"
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
"C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe"
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\hKTNHaq0Kw.ini"
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\cjOMj91zUH.ini"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.topeducation.org.in | udp |
| US | 172.67.149.118:80 | www.topeducation.org.in | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp
| Hash | Value |
| --- | --- |
| MD5 | 71e3a5246920afd66a9b0ebc05bb4097 |
| SHA1 | 7518ed4a040ccd2f6ba0313e78d4efa0c5b7f921 |
| SHA256 | 50f70cfb44cf6cd28489b06dba29607006b98b13a45d5e94e43c169b0af49b67 |
| SHA512 | b08d19e3e6a6b1521259ae236bae6fd5c49ba515d30bae794890e28d2ca2c62fe96595564067a26173537f80497d4d001d9fe905dfa1280e8730631adb0f1907 |
C:\Users\Admin\AppData\Local\Temp\hKTNHaq0Kw.ini
| Hash | Value |
| --- | --- |
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 12:58
Reported
2024-03-16 13:01
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
154s
Signatures
ISR Stealer
ISR Stealer payload
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1064 set thread context of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
| PID 5072 set thread context of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
| PID 5072 set thread context of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
"C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdacbsPcya" /XML "C:\Users\Admin\AppData\Local\Temp\tmp899D.tmp"
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
"C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe"
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\6qjDx3zxPu.ini"
C:\Users\Admin\AppData\Local\Temp\ce1e7349486456b3c57a5266260f3393.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\m9OVrAlS7H.ini"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 780 -ip 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 780 -ip 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 52
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.topeducation.org.in | udp |
| US | 172.67.149.118:80 | www.topeducation.org.in | tcp |
| US | 8.8.8.8:53 | 118.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp899D.tmp
| Hash | Value |
| --- | --- |
| MD5 | b8f7bda2e5262c04afc9ba7169921732 |
| SHA1 | d4306e109f44d94d86bc1bdf97416594a496a398 |
| SHA256 | c50efb60fe66b241117b2a73a4a87f06d3bd8201372defa73f982ce82d241448 |
| SHA512 | 81f97d8e6586b0c63b74f930f44afcbea449fd8ab41e13bdce5d5fd4205cbda605070a9c4f4aa28442fd20a27c807edacb063a7142129fee523100f3808fb011 |
C:\Users\Admin\AppData\Local\Temp\6qjDx3zxPu.ini
| Hash | Value |
| --- | --- |
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |