009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116

General

Target

009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
Size

525KB
MD5

dd108711b0e8d1f43a6cbc8f9d0a84d5
SHA1

c5ccccc474e1b4f29ba737b098790074b4122244
SHA256

009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116
SHA512

4e391b7de519bd5a47457a9aa3776428fa2f3e1567f914ae7a53629a0e3540e6cd801d745e78deb0fd1b1fc9b75ac676273c03705380184568875d300ffe1946
SSDEEP

12288:9n8yN0Mr8NiJw1StkK0uVpmujXU4pH9F92jHIB6V/:FPuNiK1StkAVpmubn9GjHI4V/

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 21 IoCs

resource	yara_rule
behavioral2/files/0x000800000002359b-2.dat	UPX
behavioral2/memory/4160-4-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-5-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/4160-7-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1008-9-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1008-19-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-21-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-24-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-25-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/files/0x00010000000226eb-26.dat	UPX
behavioral2/memory/1460-29-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-30-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-38-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-39-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-45-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-46-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-54-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-55-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-66-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-67-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX
behavioral2/memory/1460-76-0x0000000000400000-0x00000000016A8000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 3 IoCs

pid	Process
1460	Isass.exe
1008	Isass.exe
116	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
1460	Isass.exe
1460	Isass.exe
1008	Isass.exe
1008	Isass.exe
1008	Isass.exe
1008	Isass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1460	4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	91
PID 4160 wrote to memory of 1460	4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	91
PID 4160 wrote to memory of 1460	4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	91
PID 4160 wrote to memory of 1008	4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	92
PID 4160 wrote to memory of 1008	4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	92
PID 4160 wrote to memory of 1008	4160	009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe	92
PID 1008 wrote to memory of 116	1008	Isass.exe	93
PID 1008 wrote to memory of 116	1008	Isass.exe	93
PID 1008 wrote to memory of 116	1008	Isass.exe	93

C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
"C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe
    "C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe"
    3⤵
    - Executes dropped EXE
    PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
671KB

MD5
0bba2a5d4f91c8b08feca3fa9dc02db2

SHA1
8a597e027a69c12e56ab954184c107fabf04342f

SHA256
192100f1cd7a6e23151377225c4e0c2bbd7cb8552bd24696d094c7eca66c4bad

SHA512
0c10b34943f347f6fb31d9ee4f1b5baf14e1a5633cea77b51d0a3409fc194993a8074c96074b5d9590c9b89151498ac8fe55225e9eb8d8c00f34e6331fbd8c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\009f411da4dc191863d2ebc16756c40d29f46e1d5326e367e1ab30995ddc8116.exe

Filesize
284KB

MD5
a42b35f975d88c1370a7aff084ee57a7

SHA1
bee1408fe0b15f6f719f003e46aee5ec424cf608

SHA256
56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

SHA512
b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
06967eb4bd8a3fb3e61e9dea21b63b7d

SHA1
37f5166ce13f4a4798a5ea0277426698de36e55b

SHA256
44eb020ad04865d5019b05d4d9b90669a52ec4545aa551fc1a7d6573195f7055

SHA512
ab73163f4918e527d57cdb1ba582fb1e4f930375f75cf0d6a4dc3404c830f102e477dacb5234cd5cf542a8cb49aee2965a6d7a3b849ff2013527348de0734ab2

Download Submit
memory/1008-19-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1008-9-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-25-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-38-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-76-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-21-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-24-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-5-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-67-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-29-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-30-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-20-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1460-39-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-45-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-46-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-54-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-55-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1460-66-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4160-4-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4160-7-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads