Analysis Overview
SHA256
02470c648e831159e369502544277fec357521855625e5de82239260214f1597
Threat Level: Known bad
The file 02470c648e831159e369502544277fec357521855625e5de82239260214f1597 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 18:09
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 18:09
Reported
2024-06-11 18:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
53s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2444-2-0x0000000000400000-0x00000000016A8E52-memory.dmp
C:\Users\Public\Microsoft Build\Isass.exe
| MD5 | 15d9f19d809805e00dc3fe34f5644f60 |
| SHA1 | e748c77822e46bec4fa95ae7386c9e98e72621e5 |
| SHA256 | 0843071e7da799f70b16c43717e1ec69609b866d18170627f5a34603bd4cb08e |
| SHA512 | c9b1c68be7f5f2fad76c6f07843614479b89ae2e605d6207d20d7edff5a7bba8ce156f464a466bfba653f930e4bb6d912131322e1f1898d90f0f45dd9aaf0711 |
memory/1588-5-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1052-8-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-10-0x0000000001E70000-0x0000000001E71000-memory.dmp
memory/2444-9-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1052-11-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/4416-12-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/4416-15-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/856-17-0x0000000000400000-0x00000000016A8E52-memory.dmp
C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
| MD5 | af6d4428fb42903b1578b31bd333bf16 |
| SHA1 | c0d52a608a428397140a772920b9c3ea627c2cf3 |
| SHA256 | 52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4 |
| SHA512 | eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a |
memory/856-28-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1616-30-0x0000000000150000-0x0000000000178000-memory.dmp
memory/1588-32-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-35-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-36-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-37-0x0000000000400000-0x00000000016A8E52-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
| MD5 | ee972b406529ef9e24fef4cd1d02a207 |
| SHA1 | 0c2f6d2dd9ab456432421b060ee04d50779a752e |
| SHA256 | 0b2afe2b2401e7f03badf15bbf8e87e6c4f8b67ee10c12ce032a0f721ccc5996 |
| SHA512 | 58683b376264e65d1b596aa1764f901835a7e77ad760167f9a70ca8547c935c964b77cc189e5856b8e13f0d296abf4c60d278bddc1bed09b604ad4900c95394d |
memory/1588-41-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-42-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-50-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-51-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-57-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-58-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-65-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-69-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-80-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-81-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/1588-90-0x0000000000400000-0x00000000016A8E52-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 18:09
Reported
2024-06-11 18:12
Platform
win7-20240221-en
Max time kernel
140s
Max time network
126s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe"
C:\Users\Public\Microsoft Build\Isass.exe
"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"
Network
Files
\Users\Public\Microsoft Build\Isass.exe
| MD5 | 15d9f19d809805e00dc3fe34f5644f60 |
| SHA1 | e748c77822e46bec4fa95ae7386c9e98e72621e5 |
| SHA256 | 0843071e7da799f70b16c43717e1ec69609b866d18170627f5a34603bd4cb08e |
| SHA512 | c9b1c68be7f5f2fad76c6f07843614479b89ae2e605d6207d20d7edff5a7bba8ce156f464a466bfba653f930e4bb6d912131322e1f1898d90f0f45dd9aaf0711 |
memory/2104-11-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/2104-13-0x00000000043B0000-0x0000000005659000-memory.dmp
memory/908-17-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/908-16-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/2104-14-0x0000000000400000-0x00000000016A8E52-memory.dmp
\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
| MD5 | af6d4428fb42903b1578b31bd333bf16 |
| SHA1 | c0d52a608a428397140a772920b9c3ea627c2cf3 |
| SHA256 | 52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4 |
| SHA512 | eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a |
memory/2840-22-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/2640-25-0x00000000003A0000-0x00000000003C8000-memory.dmp
memory/908-26-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-27-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-30-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-31-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-38-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-39-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-47-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-48-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-54-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-55-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-66-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-67-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-75-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-76-0x0000000000400000-0x00000000016A8E52-memory.dmp
memory/908-88-0x0000000000400000-0x00000000016A8E52-memory.dmp