009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116

General

Target

009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
Size

525KB
MD5

dd108711b0e8d1f43a6cbc8f9d0a84d5
SHA1

c5ccccc474e1b4f29ba737b098790074b4122244
SHA256

009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116
SHA512

4e391b7de519bd5a47457a9aa3776428fa2f3e1567f914ae7a53629a0e3540e6cd801d745e78deb0fd1b1fc9b75ac676273c03705380184568875d300ffe1946
SSDEEP

12288:9n8yN0Mr8NiJw1StkK0uVpmujXU4pH9F92jHIB6V/:FPuNiK1StkAVpmubn9GjHI4V/

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral1/files/0x0036000000016c71-6.dat	UPX
behavioral1/memory/2360-8-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-16-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2360-14-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2644-23-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-25-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-26-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-29-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-30-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-37-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-38-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-46-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-47-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-53-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-54-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-63-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-64-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-76-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-77-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral1/memory/2316-90-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
2316	Isass.exe
2644	Isass.exe
2760	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe

Loads dropped DLL 8 IoCs

pid	Process
2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
2644	Isass.exe
2316	Isass.exe
2316	Isass.exe
2316	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
2316	Isass.exe
2644	Isass.exe
2644	Isass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2316	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	28
PID 2360 wrote to memory of 2316	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	28
PID 2360 wrote to memory of 2316	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	28
PID 2360 wrote to memory of 2316	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	28
PID 2360 wrote to memory of 2644	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	29
PID 2360 wrote to memory of 2644	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	29
PID 2360 wrote to memory of 2644	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	29
PID 2360 wrote to memory of 2644	2360	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	29
PID 2644 wrote to memory of 2760	2644	Isass.exe	30
PID 2644 wrote to memory of 2760	2644	Isass.exe	30
PID 2644 wrote to memory of 2760	2644	Isass.exe	30
PID 2644 wrote to memory of 2760	2644	Isass.exe	30

C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
"C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
    "C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe"
    3⤵
    - Executes dropped EXE
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
06967eb4bd8a3fb3e61e9dea21b63b7d

SHA1
37f5166ce13f4a4798a5ea0277426698de36e55b

SHA256
44eb020ad04865d5019b05d4d9b90669a52ec4545aa551fc1a7d6573195f7055

SHA512
ab73163f4918e527d57cdb1ba582fb1e4f930375f75cf0d6a4dc3404c830f102e477dacb5234cd5cf542a8cb49aee2965a6d7a3b849ff2013527348de0734ab2

Download Submit
\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe

Filesize
284KB

MD5
a42b35f975d88c1370a7aff084ee57a7

SHA1
bee1408fe0b15f6f719f003e46aee5ec424cf608

SHA256
56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

SHA512
b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

Download Submit
memory/2316-54-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-38-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2316-16-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-90-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-77-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-76-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-25-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-26-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-63-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-64-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-37-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-29-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-46-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-47-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-53-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2316-30-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2360-8-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2360-11-0x00000000043A0000-0x0000000005648000-memory.dmp

Filesize
18.7MB

Download
memory/2360-10-0x00000000043A0000-0x0000000005648000-memory.dmp

Filesize
18.7MB

Download
memory/2360-14-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2644-23-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads