Analysis
- max time kernel: 100s
- max time network: 94s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 07:09
Static task: static1
Behavioral task: behavioral1
  Sample: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Resource: win10v2004-20220414-en
General
- Target: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
- Size: 2.1MB
- MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
- SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
- SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
- SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, Isass.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Isass.exe
- Executes dropped EXE | 1 IoCs
  Processes: Isass.exe
  pid | process
  1176 | Isass.exe
- Checks BIOS information in registry | 2 TTPs | 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, Isass.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Isass.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Isass.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
- Deletes itself | 1 IoCs
  Processes: cmd.exe
  pid | process
  1416 | cmd.exe
- Drops startup file | 1 IoCs
  Processes: cscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk | cscript.exe
- Identifies Wine through registry keys | 2 TTPs | 2 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, Isass.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | Isass.exe
- Loads dropped DLL | 2 IoCs
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, cscript.exe
  pid | process
  1120 | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  1000 | cscript.exe
- Adds Run key to start application | 2 TTPs | 1 IoCs
  Processes: Isass.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows_Antimalware_Host_Syst = "C:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe" | Isass.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, Isass.exe
  pid | process
  1120 | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  1176 | Isass.exe
- Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) | 1 TTPs | 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1968 | schtasks.exe
  1220 | schtasks.exe
- Kills process with taskkill | 1 IoCs
  Processes: taskkill.exe
  pid | process
  904 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses | 3 IoCs
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, Isass.exe
  pid | process
  1120 | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  1176 | Isass.exe
  1176 | Isass.exe
- Suspicious use of AdjustPrivilegeToken | 1 IoCs
  Processes: taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 904 | taskkill.exe
- Suspicious use of WriteProcessMemory | 28 IoCs
  Processes: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe, Isass.exe, cmd.exe, cmd.exe
  description | pid | process | target process (each row was logged 4 times, 28 entries in total)
  PID 1120 wrote to memory of 1176 | 1120 | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe | Isass.exe
  PID 1120 wrote to memory of 1416 | 1120 | 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe | cmd.exe
  PID 1176 wrote to memory of 1968 | 1176 | Isass.exe | schtasks.exe
  PID 1416 wrote to memory of 904 | 1416 | cmd.exe | taskkill.exe
  PID 1176 wrote to memory of 1220 | 1176 | Isass.exe | schtasks.exe
  PID 1176 wrote to memory of 1484 | 1176 | Isass.exe | cmd.exe
  PID 1484 wrote to memory of 1000 | 1484 | cmd.exe | cscript.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
    Command line: "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "Windows_Antimalware_Host" /TR "C:\ProgramData\WindowsAppCertification\checker.vbs" /F
      - Creates scheduled task(s)
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Windows_Antimalware_Host_Systm" /TR "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" /F
      - Creates scheduled task(s)
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo Set oWS = WScript.CreateObject("WScript.Shell") > CreateShortcut.vbs & echo sLinkFile = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk" >> CreateShortcut.vbs & echo Set oLink = oWS.CreateShortcut(sLinkFile) >> CreateShortcut.vbs & echo oLink.TargetPath = "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" >> CreateShortcut.vbs & echo oLink.Save >> CreateShortcut.vbs & cscript CreateShortcut.vbs & del CreateShortcut.vbs
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cscript.exe
        Command line: cscript CreateShortcut.vbs
        - Drops startup file
        - Loads dropped DLL
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe /f & erase C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
  Filesize: 2.1MB
  MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
  SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
  SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
  SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
- C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
  Filesize: 2.1MB
  MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
  SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
  SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
  SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
- C:\Users\Admin\AppData\Local\Temp\CreateShortcut.vbs
  Filesize: 301B
  MD5: 3d15afe532f8557346923c203c3ac844
  SHA1: 9fe087e6f38776dedb070ad49685c16e37580f0c
  SHA256: e09cdf3b409359ce825a2f2d7374bfc0e2ec73918c0b8a99bf82020983b5f061
  SHA512: 9237ab885672933005fc1b0a7794f615336da16981a7e1e5d2b4821e3c443a3a608658c144b41b61334eba2284e79b2ace5a6df2ffc73709d2c83d5f0a40bfd0
- \ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
  Filesize: 2.1MB
  MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
  SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
  SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
  SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
- \ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
  Filesize: 2.1MB
  MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
  SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
  SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
  SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
- memory/904-71-0x0000000000000000-mapping.dmp
- memory/1000-76-0x0000000000000000-mapping.dmp
- memory/1120-73-0x0000000077880000-0x0000000077A00000-memory.dmp
  Filesize: 1.5MB
- memory/1120-58-0x0000000000320000-0x00000000007D5000-memory.dmp
  Filesize: 4.7MB
- memory/1120-61-0x0000000002E70000-0x0000000003325000-memory.dmp
  Filesize: 4.7MB
- memory/1120-55-0x0000000076721000-0x0000000076723000-memory.dmp
  Filesize: 8KB
- memory/1120-59-0x0000000077880000-0x0000000077A00000-memory.dmp
  Filesize: 1.5MB
- memory/1120-56-0x0000000077880000-0x0000000077A00000-memory.dmp
  Filesize: 1.5MB
- memory/1120-69-0x0000000000320000-0x00000000007D5000-memory.dmp
  Filesize: 4.7MB
- memory/1120-57-0x0000000000320000-0x00000000007D5000-memory.dmp
  Filesize: 4.7MB
- memory/1120-54-0x0000000000320000-0x00000000007D5000-memory.dmp
  Filesize: 4.7MB
- memory/1176-68-0x0000000077880000-0x0000000077A00000-memory.dmp
  Filesize: 1.5MB
- memory/1176-75-0x0000000001190000-0x0000000001645000-memory.dmp
  Filesize: 4.7MB
- memory/1176-62-0x0000000000000000-mapping.dmp
- memory/1176-78-0x0000000077880000-0x0000000077A00000-memory.dmp
  Filesize: 1.5MB
- memory/1176-64-0x0000000001190000-0x0000000001645000-memory.dmp
  Filesize: 4.7MB
- memory/1220-72-0x0000000000000000-mapping.dmp
- memory/1416-67-0x0000000000000000-mapping.dmp
- memory/1484-74-0x0000000000000000-mapping.dmp
- memory/1968-70-0x0000000000000000-mapping.dmp