19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188

General

Target

19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
Size

864KB
MD5

70b6803237853f5eb9a7aa1c3afdad7f
SHA1

93e79bed55e798e544b7554c820bf3e1fc1fcbed
SHA256

19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188
SHA512

47d7f8db39940d06520e889cbf10c926468d7799f1afdf4af0eb77cc106a600da918ff649223b5c0ec314ef19e757bf6777dbad3523c76cd4cc8b2034cb1e6b3
SSDEEP

12288:Zv1nWdQP1EDhZPxUTDYrGiVrzBrB8x4w6Ic7FQQN8e6yHI+1Dn+im49TOesj6DG3:Z9ndEVfUTpitz3FtFnNJ6m1jAes+DGL7

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Executes dropped EXE 3 IoCs

pid	Process
388	Isass.exe
3744	IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
1876	IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Loads dropped DLL 1 IoCs

pid	Process
1876	IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
388	Isass.exe
388	Isass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 388	1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	83
PID 1244 wrote to memory of 388	1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	83
PID 1244 wrote to memory of 388	1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	83
PID 1244 wrote to memory of 3744	1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	86
PID 1244 wrote to memory of 3744	1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	86
PID 1244 wrote to memory of 3744	1244	19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	86
PID 3744 wrote to memory of 1876	3744	IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	87
PID 3744 wrote to memory of 1876	3744	IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	87
PID 3744 wrote to memory of 1876	3744	IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe	87

C:\Users\Admin\AppData\Local\Temp\19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
"C:\Users\Admin\AppData\Local\Temp\19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Users\Admin\AppData\Local\Temp\IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
  "C:\Users\Admin\AppData\Local\Temp\IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\Temp\{D83734C7-C005-47D7-A745-B3478C643403}\.cr\IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe
    "C:\Windows\Temp\{D83734C7-C005-47D7-A745-B3478C643403}\.cr\IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe" -burn.filehandle.attached=540 -burn.filehandle.self=688
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
1566dec0c572f2818b31b7d4d92574d9

SHA1
26b2aa506dcd29aeeab19adec8de747931b62f41

SHA256
d0e8aa26815914db1cbf88f6d31fe33a16323441a36636d6e4ef3b1531ad3dfb

SHA512
13fb9370332a29836ae12b21afac038498c5242655fb9703f23fd21d86b95f099a3334e0c2d8dc2a86a2114ea3a919917f3f21d54ccecc10dfaf54eb4fd3ad5a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Filesize
6.9MB

MD5
a68a9b8d0b55e8772ee4a782453491ae

SHA1
440b0de1e2bb337f773b71f9807567bd87fcabac

SHA256
4872c62938cb0bdd80f57468e889b3a7347ce894ab979af3e0dcacd8eb1ee415

SHA512
08a10fcb4c12c388ee1ac960467c505c30f55a78ad2a4015b28ef3ea952298cca01487f83cc641cf45280dfb422de9476631e2c94af0ae9aad03ea14f7b2d02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_19d3824c60fc16430938c0120e39982093ac631570f2ed42d9cf1b738817c188.exe

Filesize
611KB

MD5
f128e3e0f84eccc3dbbdee42ff9435e1

SHA1
0b3dbe89c14dd81cce548104cf7b43b9d8fa8b52

SHA256
10b3f98dd53d37a2b7f6ab31058a5c858b7ae1e845fd48aadbbec8da2d1239cd

SHA512
eebd53e8261c568b0094da504315022bd6f020541c839e33d0351c224449162e0a592e4850aeb872fd639b4fd23c2b4c05c210f6672f5f4aeb94d4076b409eea

Download Submit
C:\Windows\Temp\{44F287B5-D818-4C89-AA24-F79750041C9D}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{44F287B5-D818-4C89-AA24-F79750041C9D}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
memory/388-100-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-128-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-8-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/388-7-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-79-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-80-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-81-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-82-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-83-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-117-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-90-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-91-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-99-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-120-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-108-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-109-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/388-110-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1244-3-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1244-1-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1244-20-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads