81592be7f2eac5060b6faacc7e93288034e8f2e534b55d8e2a96596eb321b95b

General

Target

fc6f5642b18f7b71cda09b59c3150058.exe
Size

213KB
MD5

fc6f5642b18f7b71cda09b59c3150058
SHA1

cb6937fc88652885b2c32cf6e26d9a298011a970
SHA256

81592be7f2eac5060b6faacc7e93288034e8f2e534b55d8e2a96596eb321b95b
SHA512

c6c40f512e2edbb2489c479173da42b9224c3d5230300da3ec72870f4c3c11026aa2c205ae94a8a36b1bdd41f46cef78b8af2e3067ec2539593aae871058693d
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2xN:Zv1nWdQP1EDhZPxN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	Isass.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	fc6f5642b18f7b71cda09b59c3150058.exe
3060	fc6f5642b18f7b71cda09b59c3150058.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	fc6f5642b18f7b71cda09b59c3150058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	fc6f5642b18f7b71cda09b59c3150058.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	fc6f5642b18f7b71cda09b59c3150058.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3060	fc6f5642b18f7b71cda09b59c3150058.exe
2072	Isass.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2072	3060	fc6f5642b18f7b71cda09b59c3150058.exe	15
PID 3060 wrote to memory of 2072	3060	fc6f5642b18f7b71cda09b59c3150058.exe	15
PID 3060 wrote to memory of 2072	3060	fc6f5642b18f7b71cda09b59c3150058.exe	15
PID 3060 wrote to memory of 2072	3060	fc6f5642b18f7b71cda09b59c3150058.exe	15

C:\Users\Admin\AppData\Local\Temp\fc6f5642b18f7b71cda09b59c3150058.exe
"C:\Users\Admin\AppData\Local\Temp\fc6f5642b18f7b71cda09b59c3150058.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
1KB

MD5
08da4814d4ad95a79041c5f5cb10e5cc

SHA1
966baf2464aab0addbd39d116574fba6ef2a8c5b

SHA256
c8b7234310f2f7731eb816c53d8dc733e9b12eb516b029f500c81d34f3d6a323

SHA512
463f8f17cff7742e9fee454e52a21a928ea3a613b75bb159d6ac89c79258bb7d6f9232b98f269ec320590ec89f1390516ac17130f9566764e94690645c63bfb6

Download Submit
C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
4KB

MD5
4cc8e448a3a692282f75f86dbb6ddef9

SHA1
ba8ab59b8170802983ac0205a3b4069144a570f4

SHA256
1e5f527a0b8029e52779398e8edf245430f8266c1fb45eb827b07a600f42375e

SHA512
0dd095a4790be246ebdf98571c52f7c707b3c1d9f2306831705f415869545a5e8f77897976603c21fc73fea64239d11b5cc3fa50ae37646adc216c669de3ccae

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
10KB

MD5
5b0c191e7d52c692f8fc17dde20940de

SHA1
aa205c107d613954bae48da8d56153c91d299fa7

SHA256
8dc33b56f97f2fe22b3bf44083d54e3b053ea9f30b9db63598d7f38223841120

SHA512
bc2b9bcdb269c5e8fc2135edc5ce2099dfd2852e9557248cc6ff1abf40bc36cd7b437bc4bace1f3748ff07b837d5e0d7c0520eeb80a1af0f8528fbd22c86db41

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
4KB

MD5
c763b253a0249709d2343e3953402575

SHA1
bb239362f357d1fc45fa8a36fcf26e403f82162d

SHA256
2d3b49b53c6112395a180ea496f1b4d89fc8fba29e889f451bdb486da7d12104

SHA512
584a3a3a6c730496791d1dd5d231afae8707309cdfbc9f73fef30ce710dea3cec81a658af33dec561d3b9092d4fcff963fd4a1b9fea940f54cf7e29ddab39e11

Download Submit
memory/2072-37-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-54-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2072-87-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-86-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-14-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-15-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-16-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-85-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-38-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-39-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-12-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-61-0x00000000045A0000-0x0000000005847000-memory.dmp

Filesize
18.7MB

Download
memory/2072-62-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-67-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-82-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-83-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2072-84-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3060-9-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3060-11-0x0000000004230000-0x00000000054D7000-memory.dmp

Filesize
18.7MB

Download
memory/3060-10-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads