682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6

General

Target

682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe
Size

284KB
MD5

7529434768151e05538ccf2d097b0ecb
SHA1

243040045fe8c8a2cea6a119eb234b9b1216db48
SHA256

682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6
SHA512

d16101d50427a14bea24fed5647014e7e8ea1051a5a45106dc6e8c3962edba36ed8fb6f0cfd19f6188fe362330ea0d60cb2e4567613b9e7c276e23a858afce95
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2x//aC9KpytQEcCC1:Zv1nWdQP1EDhZPxaCIp2Ncb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe

Executes dropped EXE 2 IoCs

pid	Process
3372	Isass.exe
4808	MS_682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe
4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe
3372	Isass.exe
3372	Isass.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3372	4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe	90
PID 4900 wrote to memory of 3372	4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe	90
PID 4900 wrote to memory of 3372	4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe	90
PID 4900 wrote to memory of 4808	4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe	91
PID 4900 wrote to memory of 4808	4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe	91
PID 4900 wrote to memory of 4808	4900	682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe	91

C:\Users\Admin\AppData\Local\Temp\682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe
"C:\Users\Admin\AppData\Local\Temp\682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\MS_682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe
  "C:\Users\Admin\AppData\Local\Temp\MS_682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe"
  2⤵
  - Executes dropped EXE
  PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
55d43211ba2fc070c2b14d6d87809b44

SHA1
5da380652eb9d3295a4e87c5864774a8d4bbccd7

SHA256
ae860675c711800b39052740d86af278a77bebb701ea64e48df795e492374710

SHA512
f59f1551173200049888dc24cea4c91a58c93e6cd17c01207005c7017db52af7db756e3ce71f4688ec051353d641c7107e76554e1fc6451a0193265f9578a243

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
668KB

MD5
60a19d74bd3eea3ca6e68d1a2e92503b

SHA1
055585638c06c384f2cc36e8c306543b7728979b

SHA256
d1b3d39e21b81b0be776532294ff4306ebbd17d54495f53cdba6a32b9ea5240d

SHA512
37de03ecad0ded61f0a91ee6a057f70dcf39a17fcb089ad1f0d399eae6e3e53d05432789e7b62fc6a252f141cf09cc2fe4dc080175c82580bf599f8d463a7418

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS_682f25aeb2aa1a41707794d3ad77dee0ea2f31b3c53899914f26e6d4e45478c6.exe

Filesize
64KB

MD5
a32a382b8a5a906e03a83b4f3e5b7a9b

SHA1
11e2bdd0798761f93cce363329996af6c17ed796

SHA256
75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

SHA512
ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

Download Submit
memory/3372-55-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-24-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-108-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-6-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-18-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-19-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-20-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-107-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-7-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/3372-36-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-42-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-106-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-57-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-75-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-76-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3372-105-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4900-0-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4900-1-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/4900-9-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads