Analysis Overview
SHA256
5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147
Threat Level: Known bad
The file 5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer payload
ISR Stealer
Reads user/profile data of web browsers
UPX packed file
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 22:01
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 22:01
Reported
2024-06-24 22:04
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe
"C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe"
C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe
"C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe"
C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\PxKZSpte9D.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cocksniper.comli.com | udp |
| US | 153.92.0.100:80 | cocksniper.comli.com | tcp |
Files
memory/1484-0-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1484-2-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1484-4-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1484-6-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1704-10-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1704-12-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1704-13-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1704-14-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1704-16-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PxKZSpte9D.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1484-19-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1484-21-0x0000000000400000-0x0000000000464000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 22:01
Reported
2024-06-24 22:04
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
131s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4376 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe |
| PID 1972 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe
"C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe"
C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe
"C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe"
C:\Users\Admin\AppData\Local\Temp\5f23a90128fbb7b93efe0458b47a0b8f30f724bf43c462306c45e58f0d09e147.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\jzB9KT8H6s.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cocksniper.comli.com | udp |
| US | 153.92.0.100:80 | cocksniper.comli.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/1972-0-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1972-2-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1324-5-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1324-7-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1324-9-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1324-8-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1324-11-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jzB9KT8H6s.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1972-14-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1972-16-0x0000000000400000-0x0000000000464000-memory.dmp