8927d326ece1989deede7cc84ecbca6f8816e6e8c05688ddd5a668496ca200b8

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b985240a0f1a4a4ec627b86387121d10.exe
Size

211KB
MD5

b985240a0f1a4a4ec627b86387121d10
SHA1

cdda9ef0f13fbf21eabfd9f01c1afdcaa106e9e8
SHA256

8927d326ece1989deede7cc84ecbca6f8816e6e8c05688ddd5a668496ca200b8
SHA512

de7830bd322dc11dec289d6021783971e6e1f51b0a32d4ec8f7f4a74130bf09f5c9436c58d58243ac77c027c0b2c0a660627a4c23aa853671bd4115ff196dc62
SSDEEP

3072:EPUHpiKT2t2UHIu05W7SAFJJOUD9cckiKop97f3r8n9t9Ygnt:9rTfUHeeSKOS9ccFKk3Y9t9Y

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
768	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	NEAS.b985240a0f1a4a4ec627b86387121d10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	NEAS.b985240a0f1a4a4ec627b86387121d10.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3712	NEAS.b985240a0f1a4a4ec627b86387121d10.exe
3712	NEAS.b985240a0f1a4a4ec627b86387121d10.exe
768	Isass.exe
768	Isass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1052	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 768	3712	NEAS.b985240a0f1a4a4ec627b86387121d10.exe	86
PID 3712 wrote to memory of 768	3712	NEAS.b985240a0f1a4a4ec627b86387121d10.exe	86
PID 3712 wrote to memory of 768	3712	NEAS.b985240a0f1a4a4ec627b86387121d10.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.b985240a0f1a4a4ec627b86387121d10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b985240a0f1a4a4ec627b86387121d10.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:768

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
d93c1590a58b8c19f869959dcfcbd301

SHA1
3ef5541560c73c8eb17917f594bfd4aa62daf0c5

SHA256
7ba95acc89731d4f0276cddb5d99c3e58998c24520c827df5c8fdb9b5f092ef9

SHA512
04f10949898f7e3da364e514a3b1e16f99f6c06d485840f9ed09ceffcf0b188ffaa131a7546afae572c3bfe6104aa35d0e61b5d3b6292459c482a24b63270194

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
b985240a0f1a4a4ec627b86387121d10

SHA1
cdda9ef0f13fbf21eabfd9f01c1afdcaa106e9e8

SHA256
8927d326ece1989deede7cc84ecbca6f8816e6e8c05688ddd5a668496ca200b8

SHA512
de7830bd322dc11dec289d6021783971e6e1f51b0a32d4ec8f7f4a74130bf09f5c9436c58d58243ac77c027c0b2c0a660627a4c23aa853671bd4115ff196dc62

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
b985240a0f1a4a4ec627b86387121d10

SHA1
cdda9ef0f13fbf21eabfd9f01c1afdcaa106e9e8

SHA256
8927d326ece1989deede7cc84ecbca6f8816e6e8c05688ddd5a668496ca200b8

SHA512
de7830bd322dc11dec289d6021783971e6e1f51b0a32d4ec8f7f4a74130bf09f5c9436c58d58243ac77c027c0b2c0a660627a4c23aa853671bd4115ff196dc62

Download Submit
C:\odt\office2016setup.exe

Filesize
5.3MB

MD5
d89791d1ef0c04d497180beda7a5ca72

SHA1
803f4b4af008a8dce40fd5a61acff91b07e19245

SHA256
047570bc00808da1519b38430b2aaa0f63e846707ab6dcaa45b24f5f2ec92ae7

SHA512
d9d6b51fe56b4df6686ce9866690ec7628846944c132c2fa2f08f973cd7d54c0671ae897a5d172599da1beb3fb5073b8ec7491f859a16f3b6408fd4736bb12a4

Download Submit
memory/768-15-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-34-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-8-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/768-9-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-33-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-16-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-17-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-7-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-19-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-22-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-27-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-28-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/768-32-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1052-62-0x00000200C1F40000-0x00000200C1F50000-memory.dmp

Filesize
64KB

Download
memory/1052-87-0x00000200CA4C0000-0x00000200CA4C1000-memory.dmp

Filesize
4KB

Download
memory/1052-46-0x00000200C1E40000-0x00000200C1E50000-memory.dmp

Filesize
64KB

Download
memory/1052-114-0x00000200CA340000-0x00000200CA341000-memory.dmp

Filesize
4KB

Download
memory/1052-78-0x00000200CA4A0000-0x00000200CA4A1000-memory.dmp

Filesize
4KB

Download
memory/1052-79-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-80-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-81-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-82-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-83-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-84-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-85-0x00000200CA4B0000-0x00000200CA4B1000-memory.dmp

Filesize
4KB

Download
memory/1052-86-0x00000200CA4C0000-0x00000200CA4C1000-memory.dmp

Filesize
4KB

Download
memory/1052-113-0x00000200CA230000-0x00000200CA231000-memory.dmp

Filesize
4KB

Download
memory/1052-88-0x00000200CA4C0000-0x00000200CA4C1000-memory.dmp

Filesize
4KB

Download
memory/1052-89-0x00000200CA100000-0x00000200CA101000-memory.dmp

Filesize
4KB

Download
memory/1052-90-0x00000200CA0F0000-0x00000200CA0F1000-memory.dmp

Filesize
4KB

Download
memory/1052-92-0x00000200CA100000-0x00000200CA101000-memory.dmp

Filesize
4KB

Download
memory/1052-95-0x00000200CA0F0000-0x00000200CA0F1000-memory.dmp

Filesize
4KB

Download
memory/1052-98-0x00000200C17E0000-0x00000200C17E1000-memory.dmp

Filesize
4KB

Download
memory/1052-112-0x00000200CA230000-0x00000200CA231000-memory.dmp

Filesize
4KB

Download
memory/1052-110-0x00000200CA220000-0x00000200CA221000-memory.dmp

Filesize
4KB

Download
memory/3712-1-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/3712-6-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3712-0-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download