4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382

General

Target

4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe
Size

213KB
MD5

f8ff38f33ff5305c3516e12f3bceb368
SHA1

a70237cfd46f6256c9ff8dfcd64c6da6edc999ec
SHA256

4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382
SHA512

9b8ea5995f965561a4cf792d91ebad11c6fe543ac3c9d1e6fdf0b2d9af65f57e078b1c1387684180149d2e86e9209edc215092e421fea4f62ed8a5ec03d405e8
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2xF:Zv1nWdQP1EDhZPxF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2536	Isass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2020	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe
2020	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe
2536	Isass.exe
2536	Isass.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2536	2020	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe	97
PID 2020 wrote to memory of 2536	2020	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe	97
PID 2020 wrote to memory of 2536	2020	4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe	97

C:\Users\Admin\AppData\Local\Temp\4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe
"C:\Users\Admin\AppData\Local\Temp\4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
f8ff38f33ff5305c3516e12f3bceb368

SHA1
a70237cfd46f6256c9ff8dfcd64c6da6edc999ec

SHA256
4ec22c5c9d888551a31f7be78deacfeb5ff20abef7d3a7c811ab21f1eac59382

SHA512
9b8ea5995f965561a4cf792d91ebad11c6fe543ac3c9d1e6fdf0b2d9af65f57e078b1c1387684180149d2e86e9209edc215092e421fea4f62ed8a5ec03d405e8

Download Submit
C:\odt\office2016setup.exe

Filesize
640KB

MD5
8f8b55be221b59e7e4cadf180ad939d7

SHA1
2c193cb2adae5ed3a5c0d70848bf30fb072bdf5b

SHA256
62a141e70fc12873b628ffb275bcd652ae13d2e6ff2d14b52520a732b7c2ab67

SHA512
0132aa4b1a9277837941d00aeae21052277dd52a694a1730d460b0cc033eee6ce46a4282513dc88b89290d219efb3d03cc48ae51a79747cad6ff39cda54c1755

Download Submit
memory/2020-8-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2020-1-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/2020-0-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-15-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-19-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-10-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-11-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-14-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-7-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/2536-16-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-17-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-18-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-9-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-20-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-6-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-30-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-33-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2536-37-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads