81592be7f2eac5060b6faacc7e93288034e8f2e534b55d8e2a96596eb321b95b

Analysis

max time kernel
55s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6f5642b18f7b71cda09b59c3150058.exe
Size

213KB
MD5

fc6f5642b18f7b71cda09b59c3150058
SHA1

cb6937fc88652885b2c32cf6e26d9a298011a970
SHA256

81592be7f2eac5060b6faacc7e93288034e8f2e534b55d8e2a96596eb321b95b
SHA512

c6c40f512e2edbb2489c479173da42b9224c3d5230300da3ec72870f4c3c11026aa2c205ae94a8a36b1bdd41f46cef78b8af2e3067ec2539593aae871058693d
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2xN:Zv1nWdQP1EDhZPxN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
464	Isass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	fc6f5642b18f7b71cda09b59c3150058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	fc6f5642b18f7b71cda09b59c3150058.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	fc6f5642b18f7b71cda09b59c3150058.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
980	464	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4232	fc6f5642b18f7b71cda09b59c3150058.exe
4232	fc6f5642b18f7b71cda09b59c3150058.exe
464	Isass.exe
464	Isass.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 464	4232	fc6f5642b18f7b71cda09b59c3150058.exe	31
PID 4232 wrote to memory of 464	4232	fc6f5642b18f7b71cda09b59c3150058.exe	31
PID 4232 wrote to memory of 464	4232	fc6f5642b18f7b71cda09b59c3150058.exe	31

C:\Users\Admin\AppData\Local\Temp\fc6f5642b18f7b71cda09b59c3150058.exe
"C:\Users\Admin\AppData\Local\Temp\fc6f5642b18f7b71cda09b59c3150058.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 980
    3⤵
    - Program crash
    PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 464 -ip 464
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
92KB

MD5
12a8fe5b30eeb8c8fce0d289380efe9e

SHA1
be7a5491234a1d36edc6f69e1385c4e8a37650a5

SHA256
188118e0d699312f6113a51e5e67b61c0496d4c4e69bba5cdc561471bff2fd74

SHA512
a63efb7a7f2da05d836d5e466d264c02846356aa4355b358c5ec1ac554c29eef36050514fc49795a3eb9361d9b415b1833b295961b835be78811d1fb813cd14a

Download Submit
memory/464-11-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-15-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-6-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-7-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/464-33-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-9-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-10-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-34-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-26-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-12-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-24-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/464-25-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4232-1-0x0000000001880000-0x0000000001881000-memory.dmp

Filesize
4KB

Download
memory/4232-0-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4232-8-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download