087d26bd6ebff556ecd04f94ea790349f1bae269cb538738576583b8ee88d25a

General

Target

721383f449ad06a5a8f2610d803b1980N.exe
Size

404KB
MD5

721383f449ad06a5a8f2610d803b1980
SHA1

55ff557192240cd6a45371e98242cba807afd3e1
SHA256

087d26bd6ebff556ecd04f94ea790349f1bae269cb538738576583b8ee88d25a
SHA512

bd94eca03cd911ee5fbfee7278dd66c7cdeb592a404b19c45464c1c4496bf63cff213d214bd9eeef5b808006f9f96889c290583e3814bfed80d4ca6a1c4cb535
SSDEEP

6144:9rTfUHeeSKOS9ccFKk3Y9t9Y+5u0VapXzutsn38qyYjYkBZWCBe2F6g5/U:9n8yN0Mr8+5PVkWsn38qyi9BZVe2FT8

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	721383f449ad06a5a8f2610d803b1980N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	721383f449ad06a5a8f2610d803b1980N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	721383f449ad06a5a8f2610d803b1980N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	721383f449ad06a5a8f2610d803b1980N.exe

Executes dropped EXE 6 IoCs

pid	Process
2308	Isass.exe
4744	Isass.exe
3860	Isass.exe
1128	Isass.exe
3240	Isass.exe
1200	721383f449ad06a5a8f2610d803b1980N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	721383f449ad06a5a8f2610d803b1980N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	721383f449ad06a5a8f2610d803b1980N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721383f449ad06a5a8f2610d803b1980N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721383f449ad06a5a8f2610d803b1980N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721383f449ad06a5a8f2610d803b1980N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721383f449ad06a5a8f2610d803b1980N.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3028	721383f449ad06a5a8f2610d803b1980N.exe
3028	721383f449ad06a5a8f2610d803b1980N.exe
2308	Isass.exe
2308	Isass.exe
4744	Isass.exe
4744	Isass.exe
4744	Isass.exe
4744	Isass.exe
4744	Isass.exe
4744	Isass.exe
5104	721383f449ad06a5a8f2610d803b1980N.exe
5104	721383f449ad06a5a8f2610d803b1980N.exe
3860	Isass.exe
3860	Isass.exe
3860	Isass.exe
3860	Isass.exe
3860	Isass.exe
3860	Isass.exe
2184	721383f449ad06a5a8f2610d803b1980N.exe
2184	721383f449ad06a5a8f2610d803b1980N.exe
1128	Isass.exe
1128	Isass.exe
1128	Isass.exe
1128	Isass.exe
1128	Isass.exe
1128	Isass.exe
3036	721383f449ad06a5a8f2610d803b1980N.exe
3036	721383f449ad06a5a8f2610d803b1980N.exe
3240	Isass.exe
3240	Isass.exe
3240	Isass.exe
3240	Isass.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2308	3028	721383f449ad06a5a8f2610d803b1980N.exe	84
PID 3028 wrote to memory of 2308	3028	721383f449ad06a5a8f2610d803b1980N.exe	84
PID 3028 wrote to memory of 2308	3028	721383f449ad06a5a8f2610d803b1980N.exe	84
PID 3028 wrote to memory of 4744	3028	721383f449ad06a5a8f2610d803b1980N.exe	87
PID 3028 wrote to memory of 4744	3028	721383f449ad06a5a8f2610d803b1980N.exe	87
PID 3028 wrote to memory of 4744	3028	721383f449ad06a5a8f2610d803b1980N.exe	87
PID 4744 wrote to memory of 5104	4744	Isass.exe	88
PID 4744 wrote to memory of 5104	4744	Isass.exe	88
PID 4744 wrote to memory of 5104	4744	Isass.exe	88
PID 5104 wrote to memory of 3860	5104	721383f449ad06a5a8f2610d803b1980N.exe	89
PID 5104 wrote to memory of 3860	5104	721383f449ad06a5a8f2610d803b1980N.exe	89
PID 5104 wrote to memory of 3860	5104	721383f449ad06a5a8f2610d803b1980N.exe	89
PID 3860 wrote to memory of 2184	3860	Isass.exe	90
PID 3860 wrote to memory of 2184	3860	Isass.exe	90
PID 3860 wrote to memory of 2184	3860	Isass.exe	90
PID 2184 wrote to memory of 1128	2184	721383f449ad06a5a8f2610d803b1980N.exe	91
PID 2184 wrote to memory of 1128	2184	721383f449ad06a5a8f2610d803b1980N.exe	91
PID 2184 wrote to memory of 1128	2184	721383f449ad06a5a8f2610d803b1980N.exe	91
PID 1128 wrote to memory of 3036	1128	Isass.exe	92
PID 1128 wrote to memory of 3036	1128	Isass.exe	92
PID 1128 wrote to memory of 3036	1128	Isass.exe	92
PID 3036 wrote to memory of 3240	3036	721383f449ad06a5a8f2610d803b1980N.exe	93
PID 3036 wrote to memory of 3240	3036	721383f449ad06a5a8f2610d803b1980N.exe	93
PID 3036 wrote to memory of 3240	3036	721383f449ad06a5a8f2610d803b1980N.exe	93
PID 3240 wrote to memory of 1200	3240	Isass.exe	94
PID 3240 wrote to memory of 1200	3240	Isass.exe	94

C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
"C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
    "C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe"
        9⤵
        Executes dropped EXE
        
        PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
688KB

MD5
a734559b873217da54c8f468f79e4ac3

SHA1
5c925aca5fd37d163d4b82a33325363550707385

SHA256
70fcd2082cea261c8253d576d93bca334da5b0d07005296096f18fdfabb7c24c

SHA512
ea2b004c50460fb0727627a546bbb2c524de02a6be7a6442d7b8b1d814ae0c733248b603de5b042b6f1e8ef597edce9cc3b64bd54f4b8895b31c3c7485f2b984

Download Submit
C:\Users\Admin\AppData\Local\Temp\721383f449ad06a5a8f2610d803b1980N.exe

Filesize
153KB

MD5
1fc116d5b937ac6b86baaaa658a2d1a4

SHA1
92e87ce506f5f4c98c3ffa286a2b59037da65a01

SHA256
1b240d792a347434d42532362e7f7787ad116b014c4588a8e2471416f2a6ba08

SHA512
46401bb310728c5df19d8845218ff14f19845f28fc539d14f6b5efc771e7f9c0c542d1db92fe5e1ce4016146ce4a32f8d0dcc85f7108c327f9ea87760ca9c99f

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
9f2b9e60845f50e83190a2b09627ee10

SHA1
196e473e536cb6d8637ef2a904e89f37734ad953

SHA256
36d45cae6f689b8d4cd355c6b61d57f1fe6f792c54f23440ff10ea861e9f1267

SHA512
dd7d86b75d403ab944794e76a92ad36f8fba012afbe551d0f95a757d47d2cf34e83dc8737f0e31011c5bec84377fb226bc5e1b4d30d83fad3883353052ec85d0

Download Submit
memory/1128-20-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2184-19-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-43-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-7-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/2308-69-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-68-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-60-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-59-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-53-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-39-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-52-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-6-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-44-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-34-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-37-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2308-38-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3028-0-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3028-5-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3036-22-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3240-33-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3860-17-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4744-10-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4744-13-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5104-16-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5104-12-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads