7c2e4fc17e215d7c6cda6076d2f4150891b8562d1028e5f83c4757da32ace917

General

Target

bf6a9453af6973a781a7cce63415eb60N.exe
Size

700KB
MD5

bf6a9453af6973a781a7cce63415eb60
SHA1

24feef01d2691bff6706c29dd3f5f31e3b1ff171
SHA256

7c2e4fc17e215d7c6cda6076d2f4150891b8562d1028e5f83c4757da32ace917
SHA512

73995f6da425c890bf122a82840639c73f335887f036ac88a4da589e08a1645f7ea20bde3a466eefb8cd80fab8dacf5e202b374f9cb3c823fc42680b880d72a2
SSDEEP

12288:/n8yN0Mr8ZSj63hgD1ZiDJRgSKz7ucH8CA44AP03:vPuZo63iKRjKfuMJR83

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1016	Isass.exe
2968	Isass.exe
2912	Isass.exe
2676	bf6a9453af6973a781a7cce63415eb60N.exe

Loads dropped DLL 8 IoCs

pid	Process
2500	bf6a9453af6973a781a7cce63415eb60N.exe
2500	bf6a9453af6973a781a7cce63415eb60N.exe
2500	bf6a9453af6973a781a7cce63415eb60N.exe
2500	bf6a9453af6973a781a7cce63415eb60N.exe
2140	bf6a9453af6973a781a7cce63415eb60N.exe
2140	bf6a9453af6973a781a7cce63415eb60N.exe
2912	Isass.exe
1016	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	bf6a9453af6973a781a7cce63415eb60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	bf6a9453af6973a781a7cce63415eb60N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2500	bf6a9453af6973a781a7cce63415eb60N.exe
1016	Isass.exe
2968	Isass.exe
2968	Isass.exe
2968	Isass.exe
2140	bf6a9453af6973a781a7cce63415eb60N.exe
2912	Isass.exe
2912	Isass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2676	bf6a9453af6973a781a7cce63415eb60N.exe
2676	bf6a9453af6973a781a7cce63415eb60N.exe
2676	bf6a9453af6973a781a7cce63415eb60N.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1016	2500	bf6a9453af6973a781a7cce63415eb60N.exe	30
PID 2500 wrote to memory of 1016	2500	bf6a9453af6973a781a7cce63415eb60N.exe	30
PID 2500 wrote to memory of 1016	2500	bf6a9453af6973a781a7cce63415eb60N.exe	30
PID 2500 wrote to memory of 1016	2500	bf6a9453af6973a781a7cce63415eb60N.exe	30
PID 2500 wrote to memory of 2968	2500	bf6a9453af6973a781a7cce63415eb60N.exe	31
PID 2500 wrote to memory of 2968	2500	bf6a9453af6973a781a7cce63415eb60N.exe	31
PID 2500 wrote to memory of 2968	2500	bf6a9453af6973a781a7cce63415eb60N.exe	31
PID 2500 wrote to memory of 2968	2500	bf6a9453af6973a781a7cce63415eb60N.exe	31
PID 2968 wrote to memory of 2140	2968	Isass.exe	32
PID 2968 wrote to memory of 2140	2968	Isass.exe	32
PID 2968 wrote to memory of 2140	2968	Isass.exe	32
PID 2968 wrote to memory of 2140	2968	Isass.exe	32
PID 2140 wrote to memory of 2912	2140	bf6a9453af6973a781a7cce63415eb60N.exe	33
PID 2140 wrote to memory of 2912	2140	bf6a9453af6973a781a7cce63415eb60N.exe	33
PID 2140 wrote to memory of 2912	2140	bf6a9453af6973a781a7cce63415eb60N.exe	33
PID 2140 wrote to memory of 2912	2140	bf6a9453af6973a781a7cce63415eb60N.exe	33
PID 2912 wrote to memory of 2676	2912	Isass.exe	34
PID 2912 wrote to memory of 2676	2912	Isass.exe	34
PID 2912 wrote to memory of 2676	2912	Isass.exe	34
PID 2912 wrote to memory of 2676	2912	Isass.exe	34
PID 2912 wrote to memory of 2676	2912	Isass.exe	34
PID 2912 wrote to memory of 2676	2912	Isass.exe	34
PID 2912 wrote to memory of 2676	2912	Isass.exe	34

C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
"C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
    "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
816a6d1102a1a3b4d6d9c3d8dfef7045

SHA1
ee440bbc1be28b777f9109d1fd8e3c5fe282e5b5

SHA256
da347f6169ee82f755889c1f0079ef2a70e16bb9aacd0147ce7e689bbb4166ca

SHA512
3ff95d1bd74302b4e58fe1d05403a584b6f6db87d61213968956a507635668d3ac1ee78494e6228c2b3ac7a530a9e474b4259ca88f1df2b404302cddb09a5e94

Download Submit
\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe

Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
memory/1016-42-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-52-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-69-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1016-68-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-59-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-58-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-51-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-30-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-31-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-34-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-35-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1016-43-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2140-21-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2500-8-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2500-10-0x00000000046F0000-0x0000000005999000-memory.dmp

Filesize
18.7MB

Download
memory/2500-15-0x00000000046F0000-0x0000000005999000-memory.dmp

Filesize
18.7MB

Download
memory/2500-13-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2912-29-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2968-18-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads