fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1

General

Target

fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe
Size

313KB
MD5

6ee88251845d006df5ca02d8c79bfbf4
SHA1

a47a734c27b0a1247190387ee1556450d9038364
SHA256

fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1
SHA512

e2fe5eb5cec4b7a7924f17d1799a9b75ae8ce8b9bad4ea8dccf262a4ee47393c35005a4b542a52988251cd40a251c31dff1a16c61475d30232dfca207731edde
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2xTYAp1ZEGItUoDs22:Zv1nWdQP1EDhZPxTYAp/EGWUoDN2

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe

Executes dropped EXE 2 IoCs

pid	Process
3092	Isass.exe
3496	TK_fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Isass.exe
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	3092	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe
4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe
3092	Isass.exe
3092	Isass.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3092	4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe	90
PID 4240 wrote to memory of 3092	4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe	90
PID 4240 wrote to memory of 3092	4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe	90
PID 4240 wrote to memory of 3496	4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe	91
PID 4240 wrote to memory of 3496	4240	fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe	91

C:\Users\Admin\AppData\Local\Temp\fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe
"C:\Users\Admin\AppData\Local\Temp\fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 856
    3⤵
    - Program crash
    PID:764
- C:\Users\Admin\AppData\Local\Temp\TK_fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe
  "C:\Users\Admin\AppData\Local\Temp\TK_fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe"
  2⤵
  - Executes dropped EXE
  PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3092 -ip 3092
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
bdbc66f943995a6e90a84dbc52be6521

SHA1
eaa4eec26be9f6e362e588a3c27e10f9ace38c7b

SHA256
c163b484c60b90a321e56379652328a19db4fa675f0fa809a64cf23d0366fb5e

SHA512
e2e5bc0b69aa90dc6f3a27cc9c58769f85270c5ec95086ee17fdb48f52bc6718ea914325a3b7b06cb1181e1e6b9b226e22abb8755c977647a95131a784ea2b01

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
677KB

MD5
02eff59b10d8a4172ff63f2c8010bb9a

SHA1
bbbb32756bfdeec5b80cee31994a00921cb188ac

SHA256
4f3bcddab46a464ebacce1898811553e3227613948a0e38aad4bb3f0fcfbdf2e

SHA512
02e0856c930ca7e649e0eb19930454ccc9f171e99883a117e02524fbe4d9a8be69a46c403bd43e3438f469bbbe69c54c81958595721eb919cf3c924a734a86a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK_fcbf42133a6e8a5743b8d70891abbaca6b2ff299ecdeada0262422e089b11df1.exe

Filesize
97KB

MD5
542d1a85dfc9d47d2ce73c885aaf2b5e

SHA1
018f6821486d6381fd536265732ee954993b6646

SHA256
14a89eda72e385f76bf15a7c4fd539c48837cf5df444a16f28c5b94f29799550

SHA512
33791b1af030a52148b41d5fe76b241b73847429f21c25c8bf79d2165591aa5af9d873e8f7d6c22d2a74176339840a99c2d7f60520c32127962200ee33a93021

Download Submit
memory/3092-20-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-36-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-34-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-19-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-6-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-21-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-17-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/3092-25-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-26-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-27-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/3092-33-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4240-4-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4240-16-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4240-18-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads