Malware Analysis Report

2025-06-15 20:00

Sample ID: 240611-wrr3bawclg
Target: 02470c648e831159e369502544277fec357521855625e5de82239260214f1597
SHA256: 02470c648e831159e369502544277fec357521855625e5de82239260214f1597
Tags: persistence, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 02470c648e831159e369502544277fec357521855625e5de82239260214f1597

Threat Level: Known bad

The file 02470c648e831159e369502544277fec357521855625e5de82239260214f1597 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

UPX dump on OEP (original entry point)

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 18:09

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 18:09
Reported: 2024-06-11 18:12
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Public\Microsoft Build\Isass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Public\Microsoft Build\Isass.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2444 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2444 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2444 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2444 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2444 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 1052 wrote to memory of 4416 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 1052 wrote to memory of 4416 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 1052 wrote to memory of 4416 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 4416 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 4416 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 4416 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 856 wrote to memory of 1616 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 856 wrote to memory of 1616 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2444-2-0x0000000000400000-0x00000000016A8E52-memory.dmp

C:\Users\Public\Microsoft Build\Isass.exe

MD5 15d9f19d809805e00dc3fe34f5644f60
SHA1 e748c77822e46bec4fa95ae7386c9e98e72621e5
SHA256 0843071e7da799f70b16c43717e1ec69609b866d18170627f5a34603bd4cb08e
SHA512 c9b1c68be7f5f2fad76c6f07843614479b89ae2e605d6207d20d7edff5a7bba8ce156f464a466bfba653f930e4bb6d912131322e1f1898d90f0f45dd9aaf0711

memory/1588-5-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1052-8-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-10-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/2444-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1052-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/4416-12-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/4416-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/856-17-0x0000000000400000-0x00000000016A8E52-memory.dmp

C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

MD5 af6d4428fb42903b1578b31bd333bf16
SHA1 c0d52a608a428397140a772920b9c3ea627c2cf3
SHA256 52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4
SHA512 eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a

memory/856-28-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1616-30-0x0000000000150000-0x0000000000178000-memory.dmp

memory/1588-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-35-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-36-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-37-0x0000000000400000-0x00000000016A8E52-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

MD5 ee972b406529ef9e24fef4cd1d02a207
SHA1 0c2f6d2dd9ab456432421b060ee04d50779a752e
SHA256 0b2afe2b2401e7f03badf15bbf8e87e6c4f8b67ee10c12ce032a0f721ccc5996
SHA512 58683b376264e65d1b596aa1764f901835a7e77ad760167f9a70ca8547c935c964b77cc189e5856b8e13f0d296abf4c60d278bddc1bed09b604ad4900c95394d

memory/1588-41-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-42-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-50-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-51-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-57-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-58-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-65-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-69-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-80-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-81-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/1588-90-0x0000000000400000-0x00000000016A8E52-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 18:09
Reported: 2024-06-11 18:12
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2104 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2840 wrote to memory of 2640 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 2840 wrote to memory of 2640 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 2840 wrote to memory of 2640 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe
PID 2840 wrote to memory of 2640 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

"C:\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe"

Network

N/A

Files

\Users\Public\Microsoft Build\Isass.exe

MD5 15d9f19d809805e00dc3fe34f5644f60
SHA1 e748c77822e46bec4fa95ae7386c9e98e72621e5
SHA256 0843071e7da799f70b16c43717e1ec69609b866d18170627f5a34603bd4cb08e
SHA512 c9b1c68be7f5f2fad76c6f07843614479b89ae2e605d6207d20d7edff5a7bba8ce156f464a466bfba653f930e4bb6d912131322e1f1898d90f0f45dd9aaf0711

memory/2104-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/2104-13-0x00000000043B0000-0x0000000005659000-memory.dmp

memory/908-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/908-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/2104-14-0x0000000000400000-0x00000000016A8E52-memory.dmp

\Users\Admin\AppData\Local\Temp\02470c648e831159e369502544277fec357521855625e5de82239260214f1597.exe

MD5 af6d4428fb42903b1578b31bd333bf16
SHA1 c0d52a608a428397140a772920b9c3ea627c2cf3
SHA256 52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4
SHA512 eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a

memory/2840-22-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/2640-25-0x00000000003A0000-0x00000000003C8000-memory.dmp

memory/908-26-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-30-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-31-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-38-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-39-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-47-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-48-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-54-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-55-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-66-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-67-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-75-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-76-0x0000000000400000-0x00000000016A8E52-memory.dmp

memory/908-88-0x0000000000400000-0x00000000016A8E52-memory.dmp