cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004

General

Target

cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe
Size

387KB
MD5

b40cc25ce8b65b2adf2918ac2f8b28be
SHA1

a450334c4a769a7928e0fbac2c3d1035bd9eb832
SHA256

cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004
SHA512

76dbafacfdca63cbe1ae14468466671c198b27b2d349f92587d027c60e2627996986c048d6e8e7c5d47f5dee29650bf794af9400a966983546bc1e67c6dfad23
SSDEEP

6144:9rTfUHeeSKOS9ccFKk3Y9t9YZVS2Fzi/k:9n8yN0Mr8ZLFzi/k

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 19 IoCs

resource	yara_rule
behavioral2/memory/3828-0-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/files/0x000b000000023b94-4.dat	UPX
behavioral2/memory/1200-7-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/3828-6-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-9-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-12-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-13-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/files/0x0001000000022759-14.dat	UPX
behavioral2/memory/1200-17-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-18-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-23-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-27-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-33-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-34-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-41-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-42-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-50-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-54-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1200-63-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
1200	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3828	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe
3828	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe
1200	Isass.exe
1200	Isass.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 1200	3828	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe	85
PID 3828 wrote to memory of 1200	3828	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe	85
PID 3828 wrote to memory of 1200	3828	cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe	85

C:\Users\Admin\AppData\Local\Temp\cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe
"C:\Users\Admin\AppData\Local\Temp\cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
853KB

MD5
c2872be730e908ce33bb3f0971ce5432

SHA1
39f9421e28eb0c5f3701d3e274a661726cbf0e5a

SHA256
15c539c828e7b2a038fadd5904b335485042a42587399a3a5aeed1aac7835d2d

SHA512
c8300841a6b76e53692cdd8fd16305d9512b639803fd0756ada93d2acdd0732fa41fed424f79459f153c586ab89ed27250a6ea4b674dcf143da29ff005f48b26

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
387KB

MD5
b40cc25ce8b65b2adf2918ac2f8b28be

SHA1
a450334c4a769a7928e0fbac2c3d1035bd9eb832

SHA256
cb389aa95bddc36681c4bec373cea992293c7cb74bb82e12fc5093717668c004

SHA512
76dbafacfdca63cbe1ae14468466671c198b27b2d349f92587d027c60e2627996986c048d6e8e7c5d47f5dee29650bf794af9400a966983546bc1e67c6dfad23

Download Submit
memory/1200-34-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-18-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-7-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-63-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-9-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-12-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-13-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-54-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-17-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-8-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/1200-23-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-27-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-33-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-50-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-41-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1200-42-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3828-0-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3828-1-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/3828-6-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads