19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188

General

Target

19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
Size

864KB
MD5

70b6803237853f5eb9a7aa1c3afdad7f
SHA1

93e79bed55e798e544b7554c820bf3e1fc1fcbed
SHA256

19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188
SHA512

47d7f8db39940d06520e889cbf10c926468d7799f1afdf4af0eb77cc106a600da918ff649223b5c0ec314ef19e757bf6777dbad3523c76cd4cc8b2034cb1e6b3
SSDEEP

12288:Zv1nWdQP1EDhZPxUTDYrGiVrzBrB8x4w6Ic7FQQN8e6yHI+1Dn+im49TOesj6DG3:Z9ndEVfUTpitz3FtFnNJ6m1jAes+DGL7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1628	Isass.exe
2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
2756	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Loads dropped DLL 6 IoCs

pid	Process
1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
2756	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
1628	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
1628	Isass.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1628	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	30
PID 1732 wrote to memory of 1628	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	30
PID 1732 wrote to memory of 1628	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	30
PID 1732 wrote to memory of 1628	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	30
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 1732 wrote to memory of 2428	1732	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	31
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32
PID 2428 wrote to memory of 2756	2428	RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	32

C:\Users\Admin\AppData\Local\Temp\19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
"C:\Users\Admin\AppData\Local\Temp\19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
  "C:\Users\Admin\AppData\Local\Temp\RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\Temp\{4BB1B707-AE0A-4F1E-9A59-5036703C6452}\.cr\RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
    "C:\Windows\Temp\{4BB1B707-AE0A-4F1E-9A59-5036703C6452}\.cr\RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
1566dec0c572f2818b31b7d4d92574d9

SHA1
26b2aa506dcd29aeeab19adec8de747931b62f41

SHA256
d0e8aa26815914db1cbf88f6d31fe33a16323441a36636d6e4ef3b1531ad3dfb

SHA512
13fb9370332a29836ae12b21afac038498c5242655fb9703f23fd21d86b95f099a3334e0c2d8dc2a86a2114ea3a919917f3f21d54ccecc10dfaf54eb4fd3ad5a

Download Submit
C:\Windows\Temp\{81151EF0-2AEB-48ED-8A98-ADCF05E81C8C}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
\Users\Admin\AppData\Local\Temp\RU_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Filesize
611KB

MD5
f128e3e0f84eccc3dbbdee42ff9435e1

SHA1
0b3dbe89c14dd81cce548104cf7b43b9d8fa8b52

SHA256
10b3f98dd53d37a2b7f6ab31058a5c858b7ae1e845fd48aadbbec8da2d1239cd

SHA512
eebd53e8261c568b0094da504315022bd6f020541c839e33d0351c224449162e0a592e4850aeb872fd639b4fd23c2b4c05c210f6672f5f4aeb94d4076b409eea

Download Submit
\Windows\Temp\{81151EF0-2AEB-48ED-8A98-ADCF05E81C8C}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
memory/1628-84-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-110-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-124-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-16-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-114-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1628-113-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-83-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-112-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-85-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-86-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-87-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-88-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-97-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-98-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-103-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1628-111-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1732-14-0x00000000042D0000-0x0000000005577000-memory.dmp

Filesize
18.7MB

Download
memory/1732-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1732-21-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1732-10-0x00000000042D0000-0x0000000005577000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads