Analysis Overview
SHA256
6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c
Threat Level: Known bad
The file 6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:02
Signatures
UPX dump on OEP (original entry point)
1 hit recorded; the report carries no description, indicator, process or target for it.
Unsigned PE
1 hit recorded; the report carries no description, indicator, process or target for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:02
Reported
2024-04-06 22:05
Platform
win7-20240319-en
Max time kernel
131s
Max time network
136s
Command Line
Signatures
UPX dump on OEP (original entry point)
57 hits recorded; the report carries no description, indicator, process or target for any of them.
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
40 launches are recorded, using three distinct command lines:
C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe
"C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe
Launch order: the submitted sample once, Isass.exe without arguments once, then 19 rounds (38 launches) of Isass.exe with the Tablet argument, each followed by a new instance of the submitted sample. The argument after Tablet is the path of the submitted sample.
Network
Files
\Users\Public\Microsoft Build\Isass.exe
| MD5 | d07cbcbe4256c9a58b1405e8eb434a12 |
| SHA1 | 195338569378a407391a5a869f40bd62e4d82220 |
| SHA256 | 5128caa2869ebec814e00512c3b8dd00aa4bfd2774f663d7368105f5abb63461 |
| SHA512 | 73501f0fd0574fb0b94633cfec6fb9e7c7eef816e13c068c1a0d3cb9806252646a709002c8443679a30cba99adf1a5149aa04ca2d8be6b89ae9435905826f46e |
memory/2004-8-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2004-10-0x0000000004260000-0x0000000005508000-memory.dmp
memory/2004-12-0x0000000004260000-0x0000000005508000-memory.dmp
memory/2852-16-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2004-14-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2004-17-0x0000000004860000-0x0000000005B08000-memory.dmp
memory/1580-18-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-19-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1580-20-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1580-25-0x0000000004C00000-0x0000000005EA8000-memory.dmp
memory/3008-27-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2556-26-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2556-28-0x00000000047C0000-0x0000000005A68000-memory.dmp
memory/2680-32-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2680-33-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2552-34-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2460-38-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2680-40-0x00000000047C0000-0x0000000005A68000-memory.dmp
memory/2688-39-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2428-49-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2404-69-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2724-65-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-73-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/796-82-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1872-77-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/796-85-0x00000000047F0000-0x0000000005A98000-memory.dmp
memory/796-81-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2496-80-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1872-83-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2696-76-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1632-71-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1520-72-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/880-64-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/344-87-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/344-90-0x0000000004820000-0x0000000005AC8000-memory.dmp
memory/344-88-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1640-91-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1640-92-0x0000000004850000-0x0000000005AF8000-memory.dmp
memory/2752-93-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2752-97-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1656-98-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2752-94-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2404-70-0x00000000047B0000-0x0000000005A58000-memory.dmp
memory/2476-58-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2500-63-0x00000000048C0000-0x0000000005B68000-memory.dmp
memory/2500-54-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2428-53-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2404-68-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2596-60-0x00000000047E0000-0x0000000005A88000-memory.dmp
memory/2752-102-0x00000000047D0000-0x0000000005A78000-memory.dmp
memory/1772-105-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/836-104-0x0000000004820000-0x0000000005AC8000-memory.dmp
memory/2812-109-0x0000000004880000-0x0000000005B28000-memory.dmp
memory/2184-111-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2852-112-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2812-115-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2184-110-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2184-117-0x0000000004BD0000-0x0000000005E78000-memory.dmp
memory/2812-108-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/836-101-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-118-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1736-122-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1736-125-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2000-124-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1736-126-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2184-120-0x0000000004BD0000-0x0000000005E78000-memory.dmp
memory/2680-127-0x00000000047C0000-0x0000000005A68000-memory.dmp
memory/2688-128-0x00000000048D0000-0x0000000005B78000-memory.dmp
memory/2476-55-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2688-52-0x00000000048D0000-0x0000000005B78000-memory.dmp
memory/2596-46-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2552-47-0x0000000004810000-0x0000000005AB8000-memory.dmp
memory/2688-51-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2324-132-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2460-133-0x0000000004860000-0x0000000005B08000-memory.dmp
memory/2552-134-0x0000000004810000-0x0000000005AB8000-memory.dmp
memory/432-136-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/432-135-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2460-45-0x0000000004860000-0x0000000005B08000-memory.dmp
memory/2752-138-0x00000000047D0000-0x0000000005A78000-memory.dmp
memory/432-139-0x0000000004BD0000-0x0000000005E78000-memory.dmp
memory/1400-140-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2184-144-0x0000000004BD0000-0x0000000005E78000-memory.dmp
memory/1400-143-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2880-146-0x0000000004BE0000-0x0000000005E88000-memory.dmp
memory/2880-145-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2448-44-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2596-43-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2552-35-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1084-152-0x00000000003B0000-0x00000000003B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe
| MD5 | 40e6081a84568a750c469df520dd0ae1 |
| SHA1 | fcc160e9f213a7ce674861c9f4efab2b9f0b13d5 |
| SHA256 | b33db48ce11539130b143caa2eec3a38c439de13a2aeffed07cb9b89bcc82fd4 |
| SHA512 | 91feb528a2c033d0f5261a6c244b640a988d1a42caf0b8bd144a458555a1172e9ac7b23d2ff9304366559008cf3f92445ce59398a3756c0ed3ef343b824f82a2 |
memory/1084-156-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1388-160-0x0000000004B20000-0x0000000005DC8000-memory.dmp
memory/2852-167-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-168-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-176-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-177-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-183-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-184-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-195-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-196-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-204-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2852-205-0x0000000000400000-0x00000000016A8000-memory.dmp
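The dump names above encode the PID, a sequence number and the virtual address range of each region the sandbox captured, and they are easier to read grouped by PID. Nearly every PID has the image mapped at 0x400000-0x16A8000, and many also have a second region of exactly the same size (0x12A8000 bytes) at a higher address, which is consistent with a full copy of the unpacked image having been written into the process and belongs next to the WriteProcessMemory hits. The script below is an added example written for this page, not sandbox output or tooling; it parses a subset of the dump names copied from the list above, and the 0x400000 default image base is an assumption that holds for a non-relocated 32-bit PE (the Wow6432Node Run key shows the sample is 32-bit).

```python
"""Group sandbox memory-dump names by PID and look for a second region the size of the image."""
import re
from collections import defaultdict

# A subset of the dump names listed above for behavioral1 (copied from the report).
DUMP_NAMES = [
    "memory/2004-8-0x0000000000400000-0x00000000016A8000-memory.dmp",
    "memory/2004-10-0x0000000004260000-0x0000000005508000-memory.dmp",
    "memory/2004-12-0x0000000004260000-0x0000000005508000-memory.dmp",
    "memory/2852-16-0x0000000000400000-0x00000000016A8000-memory.dmp",
    "memory/2852-19-0x00000000003B0000-0x00000000003B1000-memory.dmp",
    "memory/1580-18-0x0000000000400000-0x00000000016A8000-memory.dmp",
    "memory/1580-25-0x0000000004C00000-0x0000000005EA8000-memory.dmp",
]

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Linker default base for a 32-bit PE; assumed here, as the sample runs under Wow6432Node.
IMAGE_BASE = 0x400000


def parse_dump_name(name: str) -> tuple:
    """Return (pid, sequence, start, end) with the addresses as integers."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names) -> dict:
    """pid -> set of (start, end); the sandbox dumps the same region more than once."""
    regions = defaultdict(set)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        regions[pid].add((start, end))
    return regions


def find_image_copies(names) -> dict:
    """For each PID with a mapping at IMAGE_BASE: its size, and every other region of exactly
    that size. A second full-size region is consistent with a copy of the unpacked image having
    been written into the process; read it together with the WriteProcessMemory hits."""
    findings = {}
    for pid, regions in regions_by_pid(names).items():
        image = next((r for r in regions if r[0] == IMAGE_BASE), None)
        if image is None:
            continue
        size = image[1] - image[0]
        copies = sorted(r for r in regions if r[0] != IMAGE_BASE and r[1] - r[0] == size)
        findings[pid] = {"image_size": size, "copies": copies}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(find_image_copies(DUMP_NAMES).items()):
        where = ", ".join(f"0x{s:X}-0x{e:X}" for s, e in f["copies"]) or "none"
        print(f"PID {pid}: image 0x{f['image_size']:X} bytes, same-size copies: {where}")
```

Run it over the full behavioral1 list to see which PIDs carry the second copy. In behavioral2 the extra region per PID is a single page (0x1000 bytes), so the same check reports no copies there, which matches the much shorter run.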
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:02
Reported
2024-04-06 22:05
Platform
win10v2004-20240226-en
Max time kernel
21s
Max time network
26s
Command Line
Signatures
UPX dump on OEP (original entry point)
17 hits recorded; the report carries no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | N/A |
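The value name and the binary are both Isass.exe with a capital I, which in most UI fonts cannot be told apart from lsass.exe, the Local Security Authority Subsystem Service. The genuine lsass.exe runs from C:\Windows\System32, is started by wininit.exe and never appears in a Run key, and C:\Users\Public is writable by every interactive user. The script below is an added example for this page, not part of the report. It parses Run-key indicators in the format of the tables above (both detonations record the same two entries), undoes the backslash escaping of the value, folds confusable characters before comparing the name against a short list of Windows core processes, and classifies the location. The third entry is a constructed benign OneDrive autostart for contrast; the list of system binaries and the character map are the author's choices.

```python
"""Triage Run-key autostart indicators for lookalike names and odd install locations."""
from dataclasses import dataclass, field

# The two indicators from the report's Run-key tables, plus a constructed benign
# OneDrive autostart (not from the report) to show a clean result.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"',
    r'\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
]

# Windows core processes that malware names itself after. The genuine ones live in
# C:\Windows\System32 and are never started from a Run key. (Author's list.)
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "services.exe",
                   "winlogon.exe", "wininit.exe", "explorer.exe", "dwm.exe", "spoolsv.exe"}

# Characters that render like lowercase L or lowercase O in common UI fonts (author's map).
CONFUSABLES = str.maketrans({"I": "l", "|": "l", "1": "l", "0": "o"})


@dataclass
class RunEntry:
    hive: str   # "HKLM" (all users) or "HKU" (one user's hive)
    name: str   # value name under ...\CurrentVersion\Run
    path: str   # executable path with the report's backslash escaping removed
    flags: list = field(default_factory=list)


def parse_indicator(line: str) -> RunEntry:
    """Parse '<key>\\<name> = "<path>"[ args]' as printed in the signature tables."""
    key_and_name, _, value = line.partition(" = ")
    key, _, name = key_and_name.rpartition("\\")
    hive = "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"
    value = value.strip()
    path = value[1:value.index('"', 1)] if value.startswith('"') else value.split(" ", 1)[0]
    return RunEntry(hive, name, path.replace("\\\\", "\\"))


def normalize_name(name: str) -> str:
    """Fold confusable glyphs before comparing: 'Isass.exe' -> 'lsass.exe'."""
    return name.translate(CONFUSABLES).lower()


def assess(entry: RunEntry) -> RunEntry:
    exe = entry.path.rsplit("\\", 1)[-1]
    for candidate in (entry.name, exe):
        folded = normalize_name(candidate)
        if folded in SYSTEM_BINARIES:
            kind = "exact" if candidate.lower() == folded else "lookalike"
            entry.flags.append(f"{kind}-system-binary-name:{folded}")
            break
    parts = entry.path.lower().split("\\")
    if parts[:3] == ["c:", "users", "public"]:
        entry.flags.append("world-writable-location")   # any interactive user can replace it
    if "temp" in parts:
        entry.flags.append("temp-directory")
    standard = parts[:2] in (["c:", "windows"], ["c:", "program files"],
                             ["c:", "program files (x86)"]) or "appdata" in parts
    if not standard:
        entry.flags.append("outside-standard-install-roots")
    return entry


def triage(indicators) -> list:
    return [assess(parse_indicator(line)) for line in indicators]


if __name__ == "__main__":
    for e in triage(RUN_KEY_INDICATORS):
        print(e.hive, e.name, e.path, ", ".join(e.flags) or "no flags")
```

The HKLM entry under WOW6432Node is the one that matters most for scoping: it fires for every account on the host, not just the user who ran the sample, so a cleanup that only touches the current user's hive leaves the persistence in place.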
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2152 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | C:\Users\Public\Microsoft Build\Isass.exe |
| PID 2152 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | C:\Users\Public\Microsoft Build\Isass.exe |
| PID 2152 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe | C:\Users\Public\Microsoft Build\Isass.exe |
Processes
13 launches are recorded, using three distinct command lines:
C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe
"C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe
Launch order: the submitted sample once, Isass.exe without arguments once, five rounds (10 launches) of Isass.exe with the Tablet argument each followed by a new instance of the submitted sample, and one final Isass.exe with the Tablet argument. The argument after Tablet is the path of the submitted sample.
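Both detonations show the same alternation: Isass.exe is launched with the argument Tablet followed by the path of the submitted sample, and the sample runs again right after, 19 times on Windows 7 and five full rounds on Windows 10 within the shorter run. The report lists images and command lines only, not which process started which. The script below is an added example, not part of the report, showing how that pattern looks in process-creation telemetry (Sysmon Event ID 1 fields) and one way to detect it. The events are constructed; the PIDs and parent/child links assume each listed process was started by the one listed before it, and the min_rounds threshold is a choice for illustration.

```python
"""Detect a two-image respawn loop in process-creation events (Sysmon Event ID 1 style fields)."""
from collections import Counter
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6ba4fec5da19fee332e609af370d33543bdf4881408d9e85e1786528fbaacb1c.exe"
DROPPED = r"C:\Users\Public\Microsoft Build\Isass.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_chain(rounds: int) -> list:
    """Constructed telemetry modelled on the process list in the report.

    The sample starts Isass.exe; from then on each Isass.exe instance is launched with
    'Tablet <sample path>' and is followed by a fresh instance of the sample. PIDs and
    the parent/child links are assumed (each process started by the previous one);
    the report records images and command lines only.
    """
    events = [
        ProcEvent(2152, 1000, SAMPLE, f'"{SAMPLE}"'),
        ProcEvent(2420, 2152, DROPPED, f'"{DROPPED}"'),
    ]
    parent, pid = 2420, 3000
    for _ in range(rounds):
        events.append(ProcEvent(pid, parent, DROPPED, f'"{DROPPED}" Tablet {SAMPLE}'))
        events.append(ProcEvent(pid + 1, pid, SAMPLE, f'"{SAMPLE}"'))
        parent, pid = pid + 1, pid + 2
    return events


def detect_respawn_loop(events, min_rounds: int = 3) -> list:
    """Return one finding per pair of images that keep launching each other.

    A hand-off is a child whose command line carries its parent's image path,
    which is how the next hop learns what to relaunch (the 'Tablet' argument here).
    """
    by_pid = {e.pid: e for e in events}
    edges, handoffs = Counter(), Counter()
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent outside the window (e.g. explorer.exe for the first launch)
        key = (parent.image.lower(), e.image.lower())
        edges[key] += 1
        if key[0] != key[1] and key[0] in e.cmdline.lower():
            handoffs[key] += 1
    findings = []
    for (a, b), n in edges.items():
        if a < b and (b, a) in edges:          # each unordered pair once, self-edges excluded
            rounds = min(n, edges[(b, a)])
            if rounds >= min_rounds:
                findings.append({"images": (a, b), "rounds": rounds,
                                 "handoffs": handoffs[(a, b)] + handoffs[(b, a)]})
    return findings


if __name__ == "__main__":
    for f in detect_respawn_loop(build_chain(19)):
        print(f"{f['rounds']} rounds, {f['handoffs']} path hand-offs between:", *f["images"], sep="\n  ")
```

Two processes that repeatedly relaunch each other are a watchdog pattern: killing either one alone is undone by the other, so containment has to suspend both images (and remove the Run key) before terminating anything.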
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
Files
memory/2152-1-0x0000000000400000-0x00000000016A8000-memory.dmp
C:\Users\Public\Microsoft Build\Isass.exe
| MD5 | d07cbcbe4256c9a58b1405e8eb434a12 |
| SHA1 | 195338569378a407391a5a869f40bd62e4d82220 |
| SHA256 | 5128caa2869ebec814e00512c3b8dd00aa4bfd2774f663d7368105f5abb63461 |
| SHA512 | 73501f0fd0574fb0b94633cfec6fb9e7c7eef816e13c068c1a0d3cb9806252646a709002c8443679a30cba99adf1a5149aa04ca2d8be6b89ae9435905826f46e |
memory/2420-5-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2420-7-0x0000000001A70000-0x0000000001A71000-memory.dmp
memory/2152-6-0x0000000003E50000-0x0000000003E51000-memory.dmp
memory/2152-9-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1400-10-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1400-11-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1400-12-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/3972-13-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/3972-14-0x0000000001A50000-0x0000000001A51000-memory.dmp
memory/3972-16-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4816-18-0x0000000001CD0000-0x0000000001CD1000-memory.dmp
memory/4816-17-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4640-19-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2420-21-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4640-23-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4640-22-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4592-24-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4592-25-0x0000000000180000-0x0000000000181000-memory.dmp
memory/4592-26-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2704-27-0x0000000001C00000-0x0000000001C01000-memory.dmp
memory/2704-29-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/1932-30-0x0000000001B50000-0x0000000001B51000-memory.dmp
memory/1932-31-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/2420-32-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4132-33-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4132-34-0x0000000002000000-0x0000000002001000-memory.dmp
memory/3532-37-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/3532-38-0x0000000001A70000-0x0000000001A71000-memory.dmp
memory/4272-40-0x0000000000400000-0x00000000016A8000-memory.dmp
memory/4272-41-0x00000000019C0000-0x00000000019C1000-memory.dmp
C:\Users\Public\Microsoft Build\Isass.exe
| MD5 | bf795842926d1d3dc456b701c438a95d |
| SHA1 | b12decc9f964b5d875952a35b2908a80ccc839e4 |
| SHA256 | 060867801a7b7403fba43ee36a4b05347ce6df0642e89a9bdefa617b939af0a9 |
| SHA512 | f535dbbc2ce4b9a84e809617d00dba3d195dc1a64063878e67c98c4564675850771ea75548052fb4379e3aef0738fdc06561f0369b03bf15c7bda4c7fb12a84e |