2ae040c377703befd082c782cb803da65e689b2455e2b9e3325d1ec23a0e5f2e

General

Target

c134382d4bf160b54162830b2a4734af.exe
Size

982KB
MD5

c134382d4bf160b54162830b2a4734af
SHA1

358a83ab3fa0e3ac71d4e10b373d495eba5b9ee0
SHA256

2ae040c377703befd082c782cb803da65e689b2455e2b9e3325d1ec23a0e5f2e
SHA512

00c49e9e3f739d94b6b108d89b4baf090e068637a5855d609a67b7d53f8b0ff89ea072160d7750763a646bc661d0bbdc3560959ffe0752267465979a64463afb
SSDEEP

24576:+NOA02F4zM0pu6cb2GZ2/n9yAemfQD/wuCeukFekYxwr:+8MkcfDi6/wuxYx+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	isass.exe

Loads dropped DLL 3 IoCs

pid	Process
2136	c134382d4bf160b54162830b2a4734af.exe
2136	c134382d4bf160b54162830b2a4734af.exe
2172	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\usnsvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\isass.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2764	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2136	c134382d4bf160b54162830b2a4734af.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2172	isass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2172	2136	c134382d4bf160b54162830b2a4734af.exe	28
PID 2136 wrote to memory of 2172	2136	c134382d4bf160b54162830b2a4734af.exe	28
PID 2136 wrote to memory of 2172	2136	c134382d4bf160b54162830b2a4734af.exe	28
PID 2136 wrote to memory of 2172	2136	c134382d4bf160b54162830b2a4734af.exe	28
PID 2172 wrote to memory of 2640	2172	isass.exe	30
PID 2172 wrote to memory of 2640	2172	isass.exe	30
PID 2172 wrote to memory of 2640	2172	isass.exe	30
PID 2172 wrote to memory of 2640	2172	isass.exe	30
PID 2640 wrote to memory of 2624	2640	cmd.exe	32
PID 2640 wrote to memory of 2624	2640	cmd.exe	32
PID 2640 wrote to memory of 2624	2640	cmd.exe	32
PID 2640 wrote to memory of 2624	2640	cmd.exe	32
PID 2624 wrote to memory of 2764	2624	cmd.exe	33
PID 2624 wrote to memory of 2764	2624	cmd.exe	33
PID 2624 wrote to memory of 2764	2624	cmd.exe	33
PID 2624 wrote to memory of 2764	2624	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\c134382d4bf160b54162830b2a4734af.exe
"C:\Users\Admin\AppData\Local\Temp\c134382d4bf160b54162830b2a4734af.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V usnsvc /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V usnsvc /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2764

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bayrak.jpg

Filesize
27KB

MD5
430328f78a3fdff15d80436d13527ea1

SHA1
38cb9c33c7b56bf21bf156d19c06ab49f4865cb5

SHA256
17fbc4326ae7c9fee4bfcfca5f2b165d536d3e5c59fb83aa0081f502283ec767

SHA512
fe038be2e18a55cc2ee9ddd8179ece5350b86519d3c06f5e3800556b20242e91094e07a2c607b34793b47098b486509fd1b970ad074b9e3114550f35d851c7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
153B

MD5
d1b8826e8a25950660f143aba7018138

SHA1
a10f066f5f78d703ae877bce81d40f1dfbf81a85

SHA256
3c778f89de4cd1edd5eac6000230a386745cf2fa07ca0dea5450c5c93ce214f4

SHA512
ee3a55330ea5b751c3882f24c206cd65db444abf3aafbb2c2c9ef2b821f06d1eb519b0e3adfe74ce18de583c58bc664ea349ea89fccfc2b88193ec74392d23c7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\isass.exe

Filesize
94KB

MD5
8ed769b8e0ebf86531f5cd051aa66a61

SHA1
4e96e600401196d20832062b670ae8f447725f55

SHA256
a709b662a97252e0cbf182f4efe22d43ce8676b7ce11379c8dfec4570fc065c5

SHA512
d157ce4a184e77570ba84549aac45fa6729bcee9adc2045be596c1844835ab7c5b3b908f622c667aabc1c99972b258347eea6350305ffa5078ec2795b59f48ee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ntldr.dll

Filesize
372KB

MD5
b5d304e4e2a67100a2cf443012ac7733

SHA1
6201c963b4a2d393bcf476e507175911386276e5

SHA256
40340f388ecd3b2456104989381e1792cedad9b516c19bbcb58a7ca60a1e3f16

SHA512
39281f513fc74e0f8d10006e5c89e68287b35d3b06f988dc7f79337b51948db4b0175499dbf7138268d874a9bc3e7cdbbfe3977d132bfc33e58e5bbb21b17c6d

Download Submit
memory/2136-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2136-12-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/2136-15-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2172-19-0x0000000000310000-0x0000000000372000-memory.dmp

Filesize
392KB

Download
memory/2172-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2412-13-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2412-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2412-31-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads