ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa

General

Target

01902ed02184df361f01e1d57012489b.exe
Size

242KB
MD5

01902ed02184df361f01e1d57012489b
SHA1

03de274d683d18c90349fc5f4a3fb9072af62c0b
SHA256

ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa
SHA512

90a7699b5fe04e05c5b3139253504dbb3f186bce22d6ea6f8b1fe5f8e0c82e46529fb00290524b9538fb9a39924e83ec2d142e43b82fda2f42eba52615685ac5
SSDEEP

6144:J1yUN7pmPUk9VMwXHOCgs+ej/4+zBNnmjf5WWjU:JQ8pQ96w+ns+GwoNnm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	01902ed02184df361f01e1d57012489b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	isass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	01902ed02184df361f01e1d57012489b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	isass.exe

Executes dropped EXE 1 IoCs

pid	Process
2168	isass.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	isass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	01902ed02184df361f01e1d57012489b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\imscmig = "C:\\Windows\\imscmig.exe"	01902ed02184df361f01e1d57012489b.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\isass.exe	01902ed02184df361f01e1d57012489b.exe
File opened for modification	C:\Windows\SysWOW64\isass.exe	01902ed02184df361f01e1d57012489b.exe
File opened for modification	C:\Windows\SysWOW64\isass	isass.exe
File created	C:\Windows\SysWOW64\isass.exe	isass.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	01902ed02184df361f01e1d57012489b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	isass.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2168	3048	01902ed02184df361f01e1d57012489b.exe	26
PID 3048 wrote to memory of 2168	3048	01902ed02184df361f01e1d57012489b.exe	26
PID 3048 wrote to memory of 2168	3048	01902ed02184df361f01e1d57012489b.exe	26

C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe
"C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\isass.exe
  C:\Windows\system32\isass.exe C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Modifies registry class
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\isass.exe

Filesize
242KB

MD5
01902ed02184df361f01e1d57012489b

SHA1
03de274d683d18c90349fc5f4a3fb9072af62c0b

SHA256
ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa

SHA512
90a7699b5fe04e05c5b3139253504dbb3f186bce22d6ea6f8b1fe5f8e0c82e46529fb00290524b9538fb9a39924e83ec2d142e43b82fda2f42eba52615685ac5

Download Submit
memory/2168-8-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2168-9-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2168-11-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3048-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3048-1-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads