Malware Analysis Report

2025-03-14 22:15

Sample ID 240407-234s5shc4z
Target 8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e
SHA256 8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e

Threat Level: Shows suspicious behavior

The file 8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:07

Reported

2024-04-07 23:09

Platform

win7-20240220-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Program Files (x86)\Microsoft Build\Isass.exe
PID 2868 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Program Files (x86)\Microsoft Build\Isass.exe
PID 2868 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Program Files (x86)\Microsoft Build\Isass.exe
PID 2868 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Program Files (x86)\Microsoft Build\Isass.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe
PID 2868 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

"C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe"

C:\Program Files (x86)\Microsoft Build\Isass.exe

"C:\Program Files (x86)\Microsoft Build\Isass.exe"

C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

"C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe"

Network

N/A

Files

\Program Files (x86)\Microsoft Build\Isass.exe

MD5 99e6bfa087bb649f7f4183a153844cc5
SHA1 b289b342d800b7649c5becc07a0b24b1a8d7218d
SHA256 d0f17aec8a8d2cd29d7e5e7e19d7fc53ac8e0a67b00ea7600b7d74b321fa6225
SHA512 a315bfe0cb3bf080c503d9aa09ea0f73d98980c5154a52cc89cfd5813151e949a58dde8c53e05d3caf9f8a28ff3e3784e3ba535740b0ac7ffc15df35c61204b1

memory/2868-10-0x0000000000400000-0x00000000016A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KO_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

MD5 a32a382b8a5a906e03a83b4f3e5b7a9b
SHA1 11e2bdd0798761f93cce363329996af6c17ed796
SHA256 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
SHA512 ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

memory/2868-20-0x00000000041D0000-0x0000000005477000-memory.dmp

memory/2868-18-0x0000000000400000-0x00000000016A7000-memory.dmp

memory/2868-21-0x00000000041D0000-0x0000000005477000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:07

Reported

2024-04-07 23:09

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

"C:\Users\Admin\AppData\Local\Temp\8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe"

C:\Program Files (x86)\Microsoft Build\Isass.exe

"C:\Program Files (x86)\Microsoft Build\Isass.exe"

C:\Users\Admin\AppData\Local\Temp\VU_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

"C:\Users\Admin\AppData\Local\Temp\VU_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4824-0-0x0000000000400000-0x00000000016A7000-memory.dmp

C:\Program Files (x86)\Microsoft Build\Isass.exe

MD5 99e6bfa087bb649f7f4183a153844cc5
SHA1 b289b342d800b7649c5becc07a0b24b1a8d7218d
SHA256 d0f17aec8a8d2cd29d7e5e7e19d7fc53ac8e0a67b00ea7600b7d74b321fa6225
SHA512 a315bfe0cb3bf080c503d9aa09ea0f73d98980c5154a52cc89cfd5813151e949a58dde8c53e05d3caf9f8a28ff3e3784e3ba535740b0ac7ffc15df35c61204b1

memory/3816-6-0x0000000000400000-0x00000000016A7000-memory.dmp

memory/4824-7-0x0000000003450000-0x0000000003451000-memory.dmp

memory/3816-8-0x0000000003210000-0x0000000003211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VU_8a08193970d447bfd1894199bfda157a362644b25b3ef98e8c4f9a4df92b2a0e.exe

MD5 a32a382b8a5a906e03a83b4f3e5b7a9b
SHA1 11e2bdd0798761f93cce363329996af6c17ed796
SHA256 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
SHA512 ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 b395055fd7454a5f73c02232bc3c592e
SHA1 82a066b4a859297f4e3c2fff169d26f898f16f7f
SHA256 a06deb32419a1620d471481dd59eace9424766cb7dfacfb2ef483c309a3c6e2d
SHA512 2f0809a3258484cbdc3927e5161dc1328c83d9546df032862fecae4e0200d6a7ff830290b0533520a333d6abad98261f706dadc35bf88c438825893a832c0c7c
