169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb

General

Target

169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
Size

402KB
MD5

68389cdd6a6d32618183a9d064c7fb87
SHA1

d78e9d9771ff46a0ee5f0a891597f3a2643e65a2
SHA256

169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb
SHA512

ff8977f12bae7a938c6f94955c069fe2cfc135d96e604206aeb03e7be1857676375213387af28367871888728223b588ae58a1297d08560c7ef86091ada8498b
SSDEEP

6144:9rTfUHeeSKOS9ccFKk3Y9t9Yl5736ezMLnbJW5:9n8yN0Mr8f3N0nbJW5

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 23 IoCs

resource	yara_rule
behavioral1/memory/2780-1-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/files/0x000c000000015d79-9.dat	UPX
behavioral1/memory/2616-12-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2780-16-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2484-20-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2860-21-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2860-25-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2288-32-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-39-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-41-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-44-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-45-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-52-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-53-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-61-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-62-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-68-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-69-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-77-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-78-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-90-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-91-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2616-104-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2616	Isass.exe
2484	Isass.exe
2288	Isass.exe
2360	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe

Loads dropped DLL 9 IoCs

pid	Process
2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2860	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2288	Isass.exe
2616	Isass.exe
2616	Isass.exe
2616	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2616	Isass.exe
2484	Isass.exe
2484	Isass.exe
2484	Isass.exe
2860	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
2288	Isass.exe
2288	Isass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2616	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	28
PID 2780 wrote to memory of 2616	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	28
PID 2780 wrote to memory of 2616	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	28
PID 2780 wrote to memory of 2616	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	28
PID 2780 wrote to memory of 2484	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	29
PID 2780 wrote to memory of 2484	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	29
PID 2780 wrote to memory of 2484	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	29
PID 2780 wrote to memory of 2484	2780	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	29
PID 2484 wrote to memory of 2860	2484	Isass.exe	30
PID 2484 wrote to memory of 2860	2484	Isass.exe	30
PID 2484 wrote to memory of 2860	2484	Isass.exe	30
PID 2484 wrote to memory of 2860	2484	Isass.exe	30
PID 2860 wrote to memory of 2288	2860	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	31
PID 2860 wrote to memory of 2288	2860	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	31
PID 2860 wrote to memory of 2288	2860	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	31
PID 2860 wrote to memory of 2288	2860	169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe	31
PID 2288 wrote to memory of 2360	2288	Isass.exe	32
PID 2288 wrote to memory of 2360	2288	Isass.exe	32
PID 2288 wrote to memory of 2360	2288	Isass.exe	32
PID 2288 wrote to memory of 2360	2288	Isass.exe	32

C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
"C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
    "C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe"
        5⤵
        Executes dropped EXE
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
1207b5c156f9eb8ab2161513b5653494

SHA1
3ffab29decadaed3ab1b5f58eb03f9f2e687db6e

SHA256
5662c47ee9f0515c8121825b77057aa16e159706463a88cf2f7702bb8ae2e9a4

SHA512
372a6eb0428a4520c3e00733d76a86c5c847c824f3c78a01f0749aa5dcc079dfbbec050e8217ea932e7c8e4e071673cb281c9da7202f4eb0584c34e3405ece31

Download Submit
\Users\Admin\AppData\Local\Temp\169ba5f18f676b43fb1c0963e740bdefee5a50dfce6a2a226604793043aa5aeb.exe

Filesize
140KB

MD5
0d0b992d2d4b7619f49ee0458d3469b1

SHA1
5d9835b408a231902654d516b48843890f4130e5

SHA256
55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94

SHA512
8435b079d408689fabb3d8713c2d4b86f85f1b9bc4bc79427ee0ae069fafd23a703d71d481a1515bb98a31b90171a75a97c1ec6a9df63170a4961940e04494b7

Download Submit
memory/2288-32-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2360-38-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-37-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2360-36-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-35-0x00000000010C0000-0x00000000010E8000-memory.dmp

Filesize
160KB

Download
memory/2484-20-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-12-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-68-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-91-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-90-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-78-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-77-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-69-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-18-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-104-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-62-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-53-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-39-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-61-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-41-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-44-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-45-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2616-52-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2780-16-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2780-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2780-10-0x00000000044D0000-0x0000000005778000-memory.dmp

Filesize
18.7MB

Download
memory/2780-1-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2780-15-0x00000000044D0000-0x0000000005778000-memory.dmp

Filesize
18.7MB

Download
memory/2860-40-0x0000000004ED0000-0x0000000006178000-memory.dmp

Filesize
18.7MB

Download
memory/2860-26-0x0000000004ED0000-0x0000000006178000-memory.dmp

Filesize
18.7MB

Download
memory/2860-25-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2860-22-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2860-21-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads