858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
Size

435KB
MD5

dde59803ad21998c769f45975bc028eb
SHA1

058b4c801773d6acd2e1a4a4d2fc51698090d05f
SHA256

858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3
SHA512

fc1debe4b2648c5f08d9ca5f2ab212009f847681cb6c0a37953806bec981869687f12b0e697305a526b1ba984309335fee56f19419fbc94cd5282d6141ce3171
SSDEEP

12288:gG4vQqF148+hgIWOMaAto70A1BbZq9kl4M:mr42KMaxp16M

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-56.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-58.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-61.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-60.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-63.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-62.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
592	Isass.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	upx
behavioral1/files/0x000500000000b2d2-56.dat	upx
behavioral1/files/0x000500000000b2d2-58.dat	upx
behavioral1/files/0x000500000000b2d2-61.dat	upx
behavioral1/files/0x000500000000b2d2-60.dat	upx
behavioral1/files/0x000500000000b2d2-63.dat	upx
behavioral1/files/0x000500000000b2d2-62.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
592	Isass.exe
592	Isass.exe
592	Isass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Isass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\irwftp = "C:\\windows\\system\\Isass.exe"	Isass.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\Filespro\Sales\Local\caps.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\senha_AMARELA.zip	Isass.exe
File created	C:\Windows\winnavps\bbb.bck	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\topo2.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\barra2-PROGRESS.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\cadeado.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\tela_caixa_assinatura.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\TV_PJ.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\topo2.bmp	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\campo_CX.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\err_bb.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\logo_BB.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\senha_GER.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\tela_Bradesco_senha.zip	Isass.exe
File created	C:\Windows\system\Isass.exe	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
File created	C:\Windows\Filespro\Sales\Local\barra_progress.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\bt_confirma.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\barra_brad.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\bt_retornaCX.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\logoPF.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\teclado_CX.zip	Isass.exe
File created	C:\Windows\Filespro\Sales\Local\tela2_BB.zip	Isass.exe
File opened for modification	C:\Windows\system\Isass.exe	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
File created	C:\Windows\system\cartao.html	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
File opened for modification	C:\Windows\system\cartao.html	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
File created	C:\Windows\Filespro\Sales\Local\tela_brad_sencartao.zip	Isass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202d14c45f09d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf0153bd0efb0d49871460f84dbf78bd0000000002000000000010660000000100002000000083041c0b70ea8d594da180bb4d61a71e6b38ada7ef0cb79764a8732ef210c58d000000000e800000000200002000000072cb9aad82e14254b46db5fe6919eda337c270fa20c480e01494c5287f4ba1eb200000006bf06e685f92d05bee5fc8766e200dc4adc5f5ff4024e1b8fc593dc333ca094740000000313e9c082dfbfe1b3be95a6fbaacc7e88bbc7601ff611b77c582ddde5767caff82266e82dbdf04c792cc92ca25cd4d8ae5f6c3971ff6f3068cd3d2e4dfd34018	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf0153bd0efb0d49871460f84dbf78bd0000000002000000000010660000000100002000000019f9de9474311c95b681c5f58520f381eb447c2b8cadaf7594813a0e08ab3025000000000e80000000020000200000005538485b5d85a1a30eb4debc0903a08e7bd52ac13f0a1b910d6af355f27f9d2a900000007d2e36588461a848affa8acd97f931f9669b5baa787623739fd6d7032f011534992d95dafd8aeb66f7f1c962b553ea8d589eceb3581c7f40b6f961da656bceefe521d0d2faf2d79d4866773a0defbb228d5d449fe589afb6ea9259ed4f2058fea7e78c90c304d10464a5c324bb7c6f8edcd1b00e8cb750c2c0f29d73f871fe15d4424bd223b96bde7c32da946b06b729400000006540d7c6f0a2c3b831c85113035ff66e6ff4dc6282d520e793aa320117c595bc94ec7d76345138d17861691f689ec88743a15f0e6f1d3d778f317d89f0f0412f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAE8EB11-7552-11ED-BBEB-FA28CBED7ACF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377088452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Isass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Isass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Isass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Isass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Isass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Isass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Isass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
592	Isass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
Token: SeBackupPrivilege	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
816	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
816	iexplore.exe
816	iexplore.exe
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 592	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	27
PID 992 wrote to memory of 816	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	28
PID 992 wrote to memory of 816	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	28
PID 992 wrote to memory of 816	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	28
PID 992 wrote to memory of 816	992	858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe	28
PID 816 wrote to memory of 1028	816	iexplore.exe	30
PID 816 wrote to memory of 1028	816	iexplore.exe	30
PID 816 wrote to memory of 1028	816	iexplore.exe	30
PID 816 wrote to memory of 1028	816	iexplore.exe	30
PID 816 wrote to memory of 1028	816	iexplore.exe	30
PID 816 wrote to memory of 1028	816	iexplore.exe	30
PID 816 wrote to memory of 1028	816	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
"C:\Users\Admin\AppData\Local\Temp\858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992
- C:\windows\system\Isass.exe
  "C:\windows\system\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  PID:592
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\windows\system\cartao.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92e3a0c7a5ba35f16fde2166d7da0b0d

SHA1
9688a27a9ce5f8338b3cd555fac9500a947427c9

SHA256
e018076f8a5c61a2bf2375f5fc3acf3e42531a06e8186ccb1a8202641d76d86e

SHA512
31760f5d922030db57fd02e95e5c09f973caf5d8e353d07ba95252939a6efaf70e1d5ec90d595135556f8336c641983dfda1e0af268b6f94ca81a8ee6e6b58f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YR60PAS1.txt

Filesize
608B

MD5
a13b74e849b253652b1ec9a6f9b5e51e

SHA1
5d4f9176dde67228ad5eea0b95b95f226b21bcce

SHA256
b7ac35452942e8100e4e8071cb4f21d45f571d85d0259d4341a663e72143bb0c

SHA512
c2c707ff2a428b91581d6760e1c3e4f2ffa9d205b1f55bb6bdb1ada6940663765b2a505d7561905a88fea4d1ba572dcc6612e78afbef76412e919a9ac8fdc1b6

Download Submit
C:\Windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
C:\Windows\system\cartao.html

Filesize
68B

MD5
2152787342b7e99c8c6adc6a2430183c

SHA1
f9a8dab3a4a08fe6af0eadcef06747cbd9c5dc11

SHA256
fcd6ab594cf573d80609fb22ed43db08607c32da469ce930f783668b25146775

SHA512
83489261f15bc9f2352a9246686cf2a091d078d90344975acaac1658743b9a5176ab36b53bbba04c1a75dd1fb6076c029cc723111d0565bb940ec5ea0d0d9511

Download Submit
C:\windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
\Windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
\Windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
\Windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
\Windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
\Windows\system\Isass.exe

Filesize
374KB

MD5
8e84e918828c24aa20163f099802eda1

SHA1
db2a492e3b1cd9f137bdb8567578e5116b321342

SHA256
db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

SHA512
68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

Download Submit
memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads