64b97a17718ec3512ca9971a9f899094c7031155998bdf32bccb17f58de447a3

General

Target

5698029d478085129b6cba869b0346c0N.exe
Size

513KB
MD5

5698029d478085129b6cba869b0346c0
SHA1

51d3964e44601a889cd880b8c56ea41ef9fa7026
SHA256

64b97a17718ec3512ca9971a9f899094c7031155998bdf32bccb17f58de447a3
SHA512

7581c3de4f2a2694a28abdabb2ce1006fffcab91b32bf668e95b9ebc75cca2324d43219d79728677b6cc5778b2fcb9f16c1a8995307e59e8e73bc2b47bc32498
SSDEEP

12288:/n8yN0Mr8ZoOzOgNU2W5SSqRsy4kBf9NMy9o:vPuZoEp22W5SbBfTq

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5698029d478085129b6cba869b0346c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5698029d478085129b6cba869b0346c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5698029d478085129b6cba869b0346c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 6 IoCs

pid	Process
4384	Isass.exe
2912	Isass.exe
4260	Isass.exe
3940	Isass.exe
208	5698029d478085129b6cba869b0346c0N.exe
2208	dxwsetup.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	dxwsetup.exe
2208	dxwsetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	5698029d478085129b6cba869b0346c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	5698029d478085129b6cba869b0346c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5698029d478085129b6cba869b0346c0N.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\directx\websetup\SETA539.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETA53A.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETA53A.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETA539.tmp	dxwsetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3420	5698029d478085129b6cba869b0346c0N.exe
3420	5698029d478085129b6cba869b0346c0N.exe
4384	Isass.exe
4384	Isass.exe
2912	Isass.exe
2912	Isass.exe
2912	Isass.exe
2912	Isass.exe
2912	Isass.exe
2912	Isass.exe
4784	5698029d478085129b6cba869b0346c0N.exe
4784	5698029d478085129b6cba869b0346c0N.exe
4260	Isass.exe
4260	Isass.exe
4260	Isass.exe
4260	Isass.exe
4260	Isass.exe
4260	Isass.exe
5072	5698029d478085129b6cba869b0346c0N.exe
5072	5698029d478085129b6cba869b0346c0N.exe
3940	Isass.exe
3940	Isass.exe
3940	Isass.exe
3940	Isass.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4384	3420	5698029d478085129b6cba869b0346c0N.exe	83
PID 3420 wrote to memory of 4384	3420	5698029d478085129b6cba869b0346c0N.exe	83
PID 3420 wrote to memory of 4384	3420	5698029d478085129b6cba869b0346c0N.exe	83
PID 3420 wrote to memory of 2912	3420	5698029d478085129b6cba869b0346c0N.exe	84
PID 3420 wrote to memory of 2912	3420	5698029d478085129b6cba869b0346c0N.exe	84
PID 3420 wrote to memory of 2912	3420	5698029d478085129b6cba869b0346c0N.exe	84
PID 2912 wrote to memory of 4784	2912	Isass.exe	88
PID 2912 wrote to memory of 4784	2912	Isass.exe	88
PID 2912 wrote to memory of 4784	2912	Isass.exe	88
PID 4784 wrote to memory of 4260	4784	5698029d478085129b6cba869b0346c0N.exe	89
PID 4784 wrote to memory of 4260	4784	5698029d478085129b6cba869b0346c0N.exe	89
PID 4784 wrote to memory of 4260	4784	5698029d478085129b6cba869b0346c0N.exe	89
PID 4260 wrote to memory of 5072	4260	Isass.exe	90
PID 4260 wrote to memory of 5072	4260	Isass.exe	90
PID 4260 wrote to memory of 5072	4260	Isass.exe	90
PID 5072 wrote to memory of 3940	5072	5698029d478085129b6cba869b0346c0N.exe	91
PID 5072 wrote to memory of 3940	5072	5698029d478085129b6cba869b0346c0N.exe	91
PID 5072 wrote to memory of 3940	5072	5698029d478085129b6cba869b0346c0N.exe	91
PID 3940 wrote to memory of 208	3940	Isass.exe	92
PID 3940 wrote to memory of 208	3940	Isass.exe	92
PID 3940 wrote to memory of 208	3940	Isass.exe	92
PID 208 wrote to memory of 2208	208	5698029d478085129b6cba869b0346c0N.exe	93
PID 208 wrote to memory of 2208	208	5698029d478085129b6cba869b0346c0N.exe	93
PID 208 wrote to memory of 2208	208	5698029d478085129b6cba869b0346c0N.exe	93

C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
"C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
697KB

MD5
06345c6253e13287a09e202694c3a445

SHA1
a6c5bcec36efb7e62764bc133dbce9581c98e2c3

SHA256
e498a6aad3c3e2e52bedc606bf8414e4cf4c9dcbe22a7fb96175fe01fb78943a

SHA512
74cd960ca9e73b2cffe08a92ea97df92eff797e07d81da9bb101d3e71fc1ddecae56c9caea62828f7eb545698041d49deaeeb2d481f5995bff1faf765563f59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5698029d478085129b6cba869b0346c0N.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
e04f9d89021d120dfa17ac29c69beea7

SHA1
d7e633b6c9d3a3c744e6938267541ee385a316a1

SHA256
7b4560c4ed7a4877f77c0039fc90125dd0e3791d0dd8cde91d5b2ca3344d1f38

SHA512
a2e5f0df17ddedeeef8e022031a0519eb77e7593f60ea06d417835b4b543e2016953c3856c3181026b2336d983c5728f2f2eb26bf97da351a01ce660d7c7ad5d

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
memory/2912-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2912-13-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3420-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3420-6-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/3420-4-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3940-40-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4260-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4260-17-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-74-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-5-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-107-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-106-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-70-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-73-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-7-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/4384-95-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-78-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-79-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-87-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-88-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4384-94-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4784-12-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4784-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/5072-19-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads