Malware Analysis Report

2025-03-14 23:06

Sample ID: 240406-3vw9rsfc96
Target: 9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253
SHA256: 9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: 9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253
Threat level: shows suspicious behavior

The file 9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253 shows suspicious behavior. In both detonations it writes a second executable, Isass.exe, to C:\Program Files (x86)\Microsoft Build\ and registers it in both the per-user and the machine-wide Run key; in the Windows 10 detonation that dropped executable crashes and is handled by WerFault.exe.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:50

Reported

2024-04-06 23:53

Platform

win7-20240221-en

Max time kernel

131s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A

Note: the value name and the dropped file are "Isass.exe" with a capital I, a visual lookalike of the Windows lsass.exe (which lives in C:\Windows\System32, not under Program Files). The entry is written twice, once per-user (\REGISTRY\USER\<SID>\...\Run) and once machine-wide; the machine-wide copy lands under Wow6432Node, consistent with a 32-bit process subject to WOW64 registry redirection, so a hunt for this entry has to check both the 32-bit and the native view of HKLM.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Build\Isass.exe | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1688 wrote to memory of 2224 (4 calls) | N/A | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | C:\Program Files (x86)\Microsoft Build\Isass.exe
PID 1688 wrote to memory of 2916 (4 calls) | N/A | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | C:\Users\Admin\AppData\Local\Temp\YU_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe

Note: both targets are processes the sample started (they appear under Processes below, and the summary lists "Executes dropped EXE"). A parent writing into a child it has just created is also what CreateProcess does when it copies the process parameters into the new process, so this signature on its own does not establish code injection. What it does establish is the PID mapping for this run: 1688 is the sample, 2224 is Isass.exe, 2916 is the YU_ copy.
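The two Run-key rows above are the report's core persistence evidence, and the value name Isass.exe (capital I) is a lookalike of lsass.exe. The Python below is an added example, not code from the report or from the sandbox vendor, of detection logic over rows in this report's row layout: it parses the "Set value" rows, keeps those under a Run/RunOnce key, extracts the registered executable, and checks its file name against a small confusable-folded table of Windows system binaries and the directories they are expected to live in. The first two rows are the behavioral1 Run-key rows; the OneDrive row is constructed so the example has a benign autostart it must list but not flag; the system-binary table and the confusable map are this example's own assumptions.

```python
"""Detection logic over sandbox registry rows: Run-key persistence plus
system-binary name masquerading. Added example; not code from the report."""
import ntpath
import re

# Constructed input in the report's 'Set value (str) <key> = "<value>" <process> <target>'
# layout. Rows 1-2: the behavioral1 Run-key rows. Row 3: a made-up benign OneDrive entry.
# Row 4: the report's "Key value queried" row, which the parser must ignore.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe N/A
"""

SET_VALUE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)
# Registry paths are case-insensitive; the two detonations spell the same key
# Wow6432Node\...\Software and WOW6432Node\...\SOFTWARE, so the match must ignore case.
AUTOSTART_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$",
    re.IGNORECASE,
)
SYSTEM32, SYSWOW64 = "C:\\Windows\\System32", "C:\\Windows\\SysWOW64"
# Assumed table (example's own): canonical system binary -> directories it may live in.
SYSTEM_BINARIES = {
    "lsass.exe": (SYSTEM32,),
    "csrss.exe": (SYSTEM32,),
    "winlogon.exe": (SYSTEM32,),
    "services.exe": (SYSTEM32,),
    "svchost.exe": (SYSTEM32, SYSWOW64),
    "explorer.exe": ("C:\\Windows",),
}
# Minimal assumed map of characters swapped for look-alikes in file names.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def parse_set_value(row):
    """Parse one 'Set value' row into its fields; return None for any other row."""
    m = SET_VALUE.match(row.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["value"] = rec["value"].replace("\\\\", "\\")  # report doubles backslashes inside quotes
    return rec


def hive_of(key):
    u = key.upper()
    if u.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    return "HKU" if u.startswith("\\REGISTRY\\USER\\") else "?"


def is_autostart_key(key):
    return AUTOSTART_KEY.search(key) is not None


def exe_from_command(cmd):
    """Executable path from a Run value: the quoted path, or the path up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def masquerade_check(path):
    """Return the system binary that `path` impersonates, or None. Flags a confusable
    spelling (Isass.exe) or a genuine name outside its expected directory."""
    name = ntpath.basename(path)
    canon = name.translate(CONFUSABLES).lower()
    allowed = SYSTEM_BINARIES.get(canon)
    if allowed is None:
        return None
    homoglyph = canon != name.lower()
    directory = ntpath.dirname(path).rstrip("\\").lower()
    wrong_dir = directory not in {d.lower() for d in allowed}
    return canon if (homoglyph or wrong_dir) else None


def analyze(rows):
    """One finding per autostart registration, each with a masquerade verdict."""
    findings = []
    for row in rows:
        rec = parse_set_value(row)
        if rec is None or not is_autostart_key(rec["key"]):
            continue
        exe = exe_from_command(rec["value"])
        findings.append({
            "hive": hive_of(rec["key"]),
            "value_name": ntpath.basename(rec["key"]),
            "exe": exe,
            "masquerades_as": masquerade_check(exe),
            "written_by": rec["process"],
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS.splitlines()):
        tag = f"MASQUERADE as {f['masquerades_as']}" if f["masquerades_as"] else "autostart"
        print(f"[{tag}] {f['hive']} ...\\Run\\{f['value_name']} -> {f['exe']} (set by {f['written_by']})")
```

The directory check matters as much as the confusable fold: a file literally named lsass.exe under a user's Temp directory is as suspicious as Isass.exe under Program Files, and a real svchost.exe legitimately appears in both System32 and SysWOW64, which is why the table allows more than one directory per name.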

Processes

C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe (PID 1688, per the WriteProcessMemory rows)

"C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"

C:\Program Files (x86)\Microsoft Build\Isass.exe (PID 2224, written to by 1688)

"C:\Program Files (x86)\Microsoft Build\Isass.exe"

C:\Users\Admin\AppData\Local\Temp\YU_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe (PID 2916, written to by 1688)

"C:\Users\Admin\AppData\Local\Temp\YU_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"

Network

N/A

Files

C:\Program Files (x86)\Microsoft Build\Isass.exe

MD5 f0c9b574e6942295caa7e76f4c09ebd6
SHA1 8f11d5daaadd0ec583c206b2b53cebd1fb5f1ed3
SHA256 1d49700b72a1dd6c3cc74221a2421066dfc1703e3a8749e37c00bde98fcacea7
SHA512 b8e86ca1be479c6a9ef35b331f53c6a0fa1350065c9ab9ac3236d22f53a37383f1b0ad73b23b59259837dda4a3b701450da1ab958319e7974cc371f546c3a972

C:\Users\Admin\AppData\Local\Temp\YU_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe

MD5 d2778164ef643ba8f44cc202ec7ef157
SHA1 31eee7114eed6b0d2fb77c9f3605057639050786
SHA256 28b001bb9a72ae7a24242bfab248d767a1ac5dec981c672a3944f7a072375e9a
SHA512 cb2a5a2aeba9d6f6bfc4a3a4576961244c109aafb59f02134b03ebac4d16602ee7f141cc4adc519f15030c20e7e7d6585778870706b2ea4c74c1161729101635

Memory dumps (PID-index: mapped range; PID 1688 is the sample, PID 2224 is Isass.exe)

memory/1688-9, 1688-18: 0x0000000000400000-0x00000000016A7000
memory/1688-11, 1688-20: 0x0000000003EF0000-0x0000000005197000
memory/1688-24: 0x0000000000260000-0x0000000000261000
memory/2224-22, 2224-25 through 2224-38: 0x0000000000400000-0x00000000016A7000
memory/2224-23: 0x0000000000220000-0x0000000000221000

Note: Isass.exe (PID 2224) maps its image at the same range and size as the sample (0x400000-0x16A7000) even though the file on disk hashes differently from the sample; the report dumps that region of PID 2224 fifteen times. No dumps of PID 2916 (the YU_ copy) are listed.

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:50

Reported

2024-04-06 23:53

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A

Note: these are the same two registrations as in behavioral1; the key path is rendered here as WOW6432Node and SOFTWARE rather than Wow6432Node and Software. Registry paths are case-insensitive, so any rule written against this indicator must compare case-insensitively.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Build\Isass.exe | C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Microsoft Build\Isass.exe

Note: the crashing process is the dropped Isass.exe, not the original sample. The WerFault command lines under Processes name it with -p 4364, so PID 4364 is Isass.exe and the memory/4364-* dumps under Files belong to it; the SysWOW64 copy of WerFault is the one that services 32-bit processes. The report does not record what caused the crash.

Processes

C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe

"C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"

C:\Program Files (x86)\Microsoft Build\Isass.exe (PID 4364, per the WerFault command lines)

"C:\Program Files (x86)\Microsoft Build\Isass.exe"

C:\Users\Admin\AppData\Local\Temp\TC_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe

"C:\Users\Admin\AppData\Local\Temp\TC_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 960

Note: the second dropped copy carries a different two-letter prefix here (TC_) than in behavioral1 (YU_) while its hashes are identical (see Files), so the prefix, not the content, is what varies between runs; file-name indicators for it should match on the "_9fa5e39e...ea253.exe" suffix or on the hash rather than on the full name.
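The Processes lists in both detonations are flat, but two kinds of rows in this report carry the structure: the behavioral1 "PID X wrote to memory of Y" rows give parent and child PIDs together with the image paths in the Process and Target columns, and the WerFault command lines above give the crashed PID via -p. The Python below is an added example, not code from the report or its vendor, that rebuilds the process tree and the crashed-PID set from rows in this layout. The input rows are copied from this report (the behavioral1 WriteProcessMemory rows, repeated four times each as listed, and the two WerFault command lines); the two regular expressions are this example's assumptions about the row format.

```python
"""Rebuild parent/child process relationships and crashed-process PIDs from the
evidence rows a sandbox report carries. Added example; not code from the report."""
import re
from collections import Counter, defaultdict

# Rows copied from this report. Behavioral1 lists each WriteProcessMemory row four
# times, reproduced here by list repetition; behavioral2's WerFault lines as listed.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"
ISASS_EXE = r"C:\Program Files (x86)\Microsoft Build\Isass.exe"
YU_EXE = r"C:\Users\Admin\AppData\Local\Temp\YU_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe"
BEHAVIORAL1_WPM_ROWS = (
    [f"PID 1688 wrote to memory of 2224 N/A {SAMPLE_EXE} {ISASS_EXE}"] * 4
    + [f"PID 1688 wrote to memory of 2916 N/A {SAMPLE_EXE} {YU_EXE}"] * 4
)
BEHAVIORAL2_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4364 -ip 4364",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 960",
]

# Assumed row formats (this example's reading of the report layout). The Target column
# can contain spaces ("Program Files (x86)"), so it takes the rest of the line.
WPM_ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>.+)$")
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*?\s-p (?P<pid>\d+)")


def build_tree(wpm_rows):
    """Return (children, names, writes): parent -> set of child PIDs, PID -> image path,
    (parent, child) -> number of WriteProcessMemory calls the report recorded."""
    children, names, writes = defaultdict(set), {}, Counter()
    for row in wpm_rows:
        m = WPM_ROW.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        children[src].add(dst)
        names.setdefault(src, m["proc"])
        names.setdefault(dst, m["target"].strip())
        writes[(src, dst)] += 1
    return children, names, writes


def roots(children):
    """PIDs that write to others but are never written to: the top of each tree."""
    written_to = set().union(*children.values()) if children else set()
    return sorted(p for p in children if p not in written_to)


def crashed_pids(cmdlines):
    """PIDs named by WerFault's -p switch, i.e. the processes that crashed."""
    return {int(m["pid"]) for m in map(WERFAULT_PID.search, cmdlines) if m}


def render(children, names, writes, root, depth=0):
    """Indented text tree; each child line carries its WriteProcessMemory call count."""
    lines = ["  " * depth + f"{root}  {names.get(root, '?')}"]
    for child in sorted(children.get(root, ())):
        lines.append("  " * (depth + 1) + f"<- {writes[(root, child)]} WriteProcessMemory call(s) from {root}")
        lines.extend(render(children, names, writes, child, depth + 1))
    return lines


if __name__ == "__main__":
    ch, nm, wr = build_tree(BEHAVIORAL1_WPM_ROWS)
    for r in roots(ch):
        print("\n".join(render(ch, nm, wr, r)))
    print("behavioral2 crashed PIDs:", sorted(crashed_pids(BEHAVIORAL2_CMDLINES)))
```

The call counts are kept deliberately: a parent that writes into a child a handful of times right after creating it looks like ordinary process start-up, whereas a large or repeated count into an unrelated PID is the pattern worth escalating, and the tree makes the difference visible at a glance.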

Network

Country | Destination | Domain | Proto | Address the PTR query asks about
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 52.183.220.149
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp | 88.221.83.145
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp | 40.126.31.69
US | 20.231.121.79:80 | (none) | tcp | direct connection, no name recorded
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 20.72.205.209
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 20.114.59.183
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 20.3.187.198
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp | 104.91.71.134
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp | 87.248.204.0
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp | 20.189.173.10

Note: the in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8; the last column is the forward address they ask about (the labels in reverse order), added for reference. This table does not attribute flows to a process, so from the report alone none of them, including the single TCP connection to 20.231.121.79:80, can be tied to the sample rather than to Windows 10 background activity; the behavioral1 (Windows 7) run recorded no network activity at all. Only the capture itself would settle it.

Files

C:\Program Files (x86)\Microsoft Build\Isass.exe

MD5 f0c9b574e6942295caa7e76f4c09ebd6
SHA1 8f11d5daaadd0ec583c206b2b53cebd1fb5f1ed3
SHA256 1d49700b72a1dd6c3cc74221a2421066dfc1703e3a8749e37c00bde98fcacea7
SHA512 b8e86ca1be479c6a9ef35b331f53c6a0fa1350065c9ab9ac3236d22f53a37383f1b0ad73b23b59259837dda4a3b701450da1ab958319e7974cc371f546c3a972

C:\Users\Admin\AppData\Local\Temp\TC_9fa5e39ec2434bcac72dc6212f3900c8458050e8ac636f4a92f61134d97ea253.exe

MD5 d2778164ef643ba8f44cc202ec7ef157
SHA1 31eee7114eed6b0d2fb77c9f3605057639050786
SHA256 28b001bb9a72ae7a24242bfab248d767a1ac5dec981c672a3944f7a072375e9a
SHA512 cb2a5a2aeba9d6f6bfc4a3a4576961244c109aafb59f02134b03ebac4d16602ee7f141cc4adc519f15030c20e7e7d6585778870706b2ea4c74c1161729101635

Note: both dropped files hash identically to their behavioral1 counterparts (Isass.exe, and TC_ versus YU_), so the hashes above are stable indicators across detonations while the two-letter prefix is not.

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 45028d9f66ca0986419d4f91cd2b1c6b
SHA1 df1e8de4e74f74b96eba1cd0c52e0c66be81de46
SHA256 274d180a46df20c7809c94a4e5182ee992a37fe82fbacbe697f7b9a6d4febc5b
SHA512 77da5107d442b92b05bf3029132e60f1cd36f14db61b95257123c8879e12b0ad939208abe981c19c52586642912ecb088cc1e62067f524506269dd3c082a77b0

Note: no signature in this report attributes this setup.exe to the sample (the only "File created" event recorded is Isass.exe), so its presence in the file list does not by itself show the sample wrote it; treat it as unattributed until the write is confirmed.

Memory dumps (PID-index: mapped range; PID 4364 is Isass.exe, per the WerFault command lines)

memory/3016-4, 3016-15: 0x0000000000400000-0x00000000016A7000
memory/3016-8: 0x00000000019B0000-0x00000000019B1000
memory/4364-6, 4364-17, 4364-20, 4364-21, 4364-30, 4364-31, 4364-32, 4364-38, 4364-49, 4364-60, 4364-61: 0x0000000000400000-0x00000000016A7000
memory/4364-7: 0x0000000001970000-0x0000000001971000