Analysis
max time kernel: 151s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 07:09

Static task: static1
Behavioral task: behavioral1
  Sample: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  Resource: win10v2004-20220414-en

General
Target: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
Size: 2.1MB
MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  Isass.exe                                                              Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Executes dropped EXE 1 IoCs
Processes:
  Isass.exe  PID 4616
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Isass.exe                                                              Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Isass.exe                                                              Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  Isass.exe                                                              Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Drops startup file 1 IoCs
Processes:
  cscript.exe  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine
  Isass.exe                                                              Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Isass.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows_Antimalware_Host_Syst = "C:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe"
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  4552  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
  4616  Isass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  5056  schtasks.exe
  2388  schtasks.exe
Kills process with taskkill 1 IoCs
Processes:
  4836  taskkill.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  4552  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  (2 events)
  4616  Isass.exe                                                              (4 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  4836  taskkill.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 21 IoCs
Processes (source PID, source image, target PID, target image; each edge was recorded three times):
  4552  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  wrote to memory of  4616  Isass.exe      (x3)
  4552  3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe  wrote to memory of  5036  cmd.exe        (x3)
  5036  cmd.exe                                                                wrote to memory of  4836  taskkill.exe   (x3)
  4616  Isass.exe                                                              wrote to memory of  5056  schtasks.exe   (x3)
  4616  Isass.exe                                                              wrote to memory of  2388  schtasks.exe   (x3)
  4616  Isass.exe                                                              wrote to memory of  1552  cmd.exe        (x3)
  1552  cmd.exe                                                                wrote to memory of  1664  cscript.exe    (x3)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe"
   PID: 4552
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
      Command line: "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe"
      PID: 4616
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "Windows_Antimalware_Host" /TR "C:\ProgramData\WindowsAppCertification\checker.vbs" /F
         PID: 5056
         - Creates scheduled task(s)

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Windows_Antimalware_Host_Systm" /TR "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" /F
         PID: 2388
         - Creates scheduled task(s)

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c echo Set oWS = WScript.CreateObject("WScript.Shell") > CreateShortcut.vbs & echo sLinkFile = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk" >> CreateShortcut.vbs & echo Set oLink = oWS.CreateShortcut(sLinkFile) >> CreateShortcut.vbs & echo oLink.TargetPath = "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" >> CreateShortcut.vbs & echo oLink.Save >> CreateShortcut.vbs & cscript CreateShortcut.vbs & del CreateShortcut.vbs
         PID: 1552
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cscript.exe
            Command line: cscript CreateShortcut.vbs
            PID: 1664
            - Drops startup file

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe /f & erase C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe & exit
      PID: 5036
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe /f
         PID: 4836
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
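A few things in the tree are worth reading carefully before hunting. The child processes run from C:\Windows\SysWOW64 although every command line names System32, which is the file-system redirection a 32-bit process sees on x64 Windows, so the sample is 32-bit. The copy is named Isass.exe (spelled with a capital I as printed in this report, which reads like lsass.exe at a glance) but lives under C:\ProgramData\MicrosoftCorporation\Windows\System32\, so match on the full path rather than the image name. Persistence is laid down three ways: a Run value, two scheduled tasks, and a Startup-folder .lnk built by an echoed VBScript that is then deleted; note also that the first task points at C:\ProgramData\WindowsAppCertification\checker.vbs, which does not appear among the files written in this run. Finally the dropper has cmd.exe kill and erase its original file from %TEMP%. The code below is an added example, not from the sandbox or the sample, that pulls these artefacts out of the command lines so they can be turned into a hunt list. CMDLINES is copied from the tree above; the parser names and output fields are this example's own.

```python
"""Recover persistence and self-deletion artefacts from the process tree's command lines.

Added example for this report (not sandbox or sample code). The tree shows three
mechanisms: two `schtasks /Create` tasks, a Startup-folder .lnk written by an
echoed VBScript, and a cmd one-liner that kills and erases the original dropper.
CMDLINES is copied from the tree; the parsers and their output fields are this
example's own.
"""
import re

SAMPLE = "3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "Windows_Antimalware_Host" /TR "C:\ProgramData\WindowsAppCertification\checker.vbs" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Windows_Antimalware_Host_Systm" /TR "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /c echo Set oWS = WScript.CreateObject("WScript.Shell") > CreateShortcut.vbs & echo sLinkFile = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk" >> CreateShortcut.vbs & echo Set oLink = oWS.CreateShortcut(sLinkFile) >> CreateShortcut.vbs & echo oLink.TargetPath = "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" >> CreateShortcut.vbs & echo oLink.Save >> CreateShortcut.vbs & cscript CreateShortcut.vbs & del CreateShortcut.vbs',
    '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im ' + SAMPLE + ' /f & erase ' + DROPPER + ' & exit',
]


def _opt(cmd, flag):
    """Value of a schtasks-style `/FLAG value` or `/FLAG "value"` option, or None."""
    m = re.search(r"/" + flag + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmd):
    """Task name, schedule and action from a `schtasks /Create` command line."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    sched, mo = _opt(cmd, "SC"), _opt(cmd, "MO")
    return {"type": "scheduled_task", "name": _opt(cmd, "TN"),
            "schedule": f"{sched}/{mo}" if mo else sched, "target": _opt(cmd, "TR"),
            # /F silently overwrites an existing task of the same name.
            "force": bool(re.search(r"\s/F(?=\s|$)", cmd, re.I))}


def parse_shortcut_script(cmd):
    """Link path and TargetPath from a cmd line that echoes a WScript.Shell CreateShortcut script."""
    if "CreateShortcut" not in cmd:
        return None
    link = re.search(r'=\s*"([^"]+\.lnk)"', cmd, re.I)
    target = re.search(r'\.TargetPath\s*=\s*"([^"]+)"', cmd, re.I)
    script = re.search(r">\s*(\S+\.vbs)\b", cmd, re.I)
    return {"type": "startup_shortcut",
            "link": link.group(1) if link else None,
            "target": target.group(1) if target else None,
            "script": script.group(1) if script else None,
            # The script is deleted after use, so only the .lnk survives on disk.
            "script_deleted": bool(re.search(r"\b(?:del|erase)\s+\S+\.vbs", cmd, re.I))}


def parse_self_delete(cmd):
    """The `taskkill /im X /f & erase <path to X>` idiom a dropper uses to remove itself."""
    kill = re.search(r"taskkill\s+(?:/f\s+)?/im\s+(\S+)", cmd, re.I)
    erase = re.search(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', cmd, re.I)
    if not (kill and erase):
        return None
    killed, erased = kill.group(1), erase.group(1).strip()
    return {"type": "self_delete", "killed_image": killed, "erased_path": erased,
            # True when the erased file is the very image that was killed.
            "consistent": erased.lower().endswith("\\" + killed.lower())}


PARSERS = (parse_schtasks, parse_shortcut_script, parse_self_delete)


def extract_persistence(cmdlines):
    """Run every parser over every command line; return the artefacts in tree order."""
    found = []
    for cmd in cmdlines:
        for parser in PARSERS:
            hit = parser(cmd)
            if hit:
                found.append(hit)
    return found


def hunt_list(artefacts):
    """Distinct file paths and task names to look for on other hosts."""
    paths, tasks = set(), set()
    for a in artefacts:
        if a["type"] == "scheduled_task":
            tasks.add(a["name"])
            paths.add(a["target"])
        elif a["type"] == "startup_shortcut":
            paths.update(p for p in (a["link"], a["target"]) if p)
    return {"task_names": sorted(tasks), "paths": sorted(paths)}


if __name__ == "__main__":
    found = extract_persistence(CMDLINES)
    for artefact in found:
        print(artefact)
    print(hunt_list(found))
```

The hunt list this produces is the two task names, the .lnk under the Startup folder, the Isass.exe path under ProgramData, and the checker.vbs path. The Run value Windows_Antimalware_Host_Syst is not visible in any command line (it is set by the Isass.exe process directly, per the signature above), so it has to be added to the hunt list from the registry signature rather than parsed from the tree.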
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
  Filesize: 2.1MB
  MD5: afbf38eb9f1cae4703aa9ffc1e37ec65
  SHA1: 6b58fa4ffcfa1198c89cefb846975c8d5263855a
  SHA256: 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e
  SHA512: 5e5ec46a1ffbcf41d7f1885384111c163b20814ee1c308d8215511dbb41447d50bf1eec6d3f10261610fea4d4add7f409fd8a286e47f13d3c2a85d723dd09d6e
  All four hashes match the submitted sample: the dropper copies itself unchanged into ProgramData, so the same file hashes cover both the original and the persisted copy.
-
C:\Users\Admin\AppData\Local\Temp\CreateShortcut.vbs
  Filesize: 301B
  MD5: 3d15afe532f8557346923c203c3ac844
  SHA1: 9fe087e6f38776dedb070ad49685c16e37580f0c
  SHA256: e09cdf3b409359ce825a2f2d7374bfc0e2ec73918c0b8a99bf82020983b5f061
  SHA512: 9237ab885672933005fc1b0a7794f615336da16981a7e1e5d2b4821e3c443a3a608658c144b41b61334eba2284e79b2ace5a6df2ffc73709d2c83d5f0a40bfd0
-
memory/1552-146-0x0000000000000000-mapping.dmp
memory/1664-149-0x0000000000000000-mapping.dmp
memory/2388-145-0x0000000000000000-mapping.dmp
memory/4552-130-0x00000000001B0000-0x0000000000665000-memory.dmp  (4.7MB)
memory/4552-131-0x0000000077980000-0x0000000077B23000-memory.dmp  (1.6MB)
memory/4552-132-0x00000000001B0000-0x0000000000665000-memory.dmp  (4.7MB)
memory/4552-133-0x0000000077980000-0x0000000077B23000-memory.dmp  (1.6MB)
memory/4552-139-0x00000000001B0000-0x0000000000665000-memory.dmp  (4.7MB)
memory/4552-140-0x0000000077980000-0x0000000077B23000-memory.dmp  (1.6MB)
memory/4616-134-0x0000000000000000-mapping.dmp
memory/4616-137-0x0000000000AC0000-0x0000000000F75000-memory.dmp  (4.7MB)
memory/4616-142-0x0000000077980000-0x0000000077B23000-memory.dmp  (1.6MB)
memory/4616-143-0x0000000000AC0000-0x0000000000F75000-memory.dmp  (4.7MB)
memory/4616-147-0x0000000077980000-0x0000000077B23000-memory.dmp  (1.6MB)
memory/4616-148-0x0000000000AC0000-0x0000000000F75000-memory.dmp  (4.7MB)
memory/4836-141-0x0000000000000000-mapping.dmp
memory/5036-138-0x0000000000000000-mapping.dmp
memory/5056-144-0x0000000000000000-mapping.dmp