7c2e4fc17e215d7c6cda6076d2f4150891b8562d1028e5f83c4757da32ace917

General

Target

bf6a9453af6973a781a7cce63415eb60N.exe
Size

700KB
MD5

bf6a9453af6973a781a7cce63415eb60
SHA1

24feef01d2691bff6706c29dd3f5f31e3b1ff171
SHA256

7c2e4fc17e215d7c6cda6076d2f4150891b8562d1028e5f83c4757da32ace917
SHA512

73995f6da425c890bf122a82840639c73f335887f036ac88a4da589e08a1645f7ea20bde3a466eefb8cd80fab8dacf5e202b374f9cb3c823fc42680b880d72a2
SSDEEP

12288:/n8yN0Mr8ZSj63hgD1ZiDJRgSKz7ucH8CA44AP03:vPuZo63iKRjKfuMJR83

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	bf6a9453af6973a781a7cce63415eb60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	bf6a9453af6973a781a7cce63415eb60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	bf6a9453af6973a781a7cce63415eb60N.exe

Executes dropped EXE 5 IoCs

pid	Process
2716	Isass.exe
4988	Isass.exe
1316	Isass.exe
3040	Isass.exe
2300	bf6a9453af6973a781a7cce63415eb60N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	bf6a9453af6973a781a7cce63415eb60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	bf6a9453af6973a781a7cce63415eb60N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf6a9453af6973a781a7cce63415eb60N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4224	bf6a9453af6973a781a7cce63415eb60N.exe
4224	bf6a9453af6973a781a7cce63415eb60N.exe
2716	Isass.exe
2716	Isass.exe
4988	Isass.exe
4988	Isass.exe
4988	Isass.exe
4988	Isass.exe
4988	Isass.exe
4988	Isass.exe
540	bf6a9453af6973a781a7cce63415eb60N.exe
540	bf6a9453af6973a781a7cce63415eb60N.exe
1316	Isass.exe
1316	Isass.exe
1316	Isass.exe
1316	Isass.exe
1316	Isass.exe
1316	Isass.exe
3992	bf6a9453af6973a781a7cce63415eb60N.exe
3992	bf6a9453af6973a781a7cce63415eb60N.exe
3040	Isass.exe
3040	Isass.exe
3040	Isass.exe
3040	Isass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2300	bf6a9453af6973a781a7cce63415eb60N.exe
2300	bf6a9453af6973a781a7cce63415eb60N.exe
2300	bf6a9453af6973a781a7cce63415eb60N.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2716	4224	bf6a9453af6973a781a7cce63415eb60N.exe	84
PID 4224 wrote to memory of 2716	4224	bf6a9453af6973a781a7cce63415eb60N.exe	84
PID 4224 wrote to memory of 2716	4224	bf6a9453af6973a781a7cce63415eb60N.exe	84
PID 4224 wrote to memory of 4988	4224	bf6a9453af6973a781a7cce63415eb60N.exe	85
PID 4224 wrote to memory of 4988	4224	bf6a9453af6973a781a7cce63415eb60N.exe	85
PID 4224 wrote to memory of 4988	4224	bf6a9453af6973a781a7cce63415eb60N.exe	85
PID 4988 wrote to memory of 540	4988	Isass.exe	86
PID 4988 wrote to memory of 540	4988	Isass.exe	86
PID 4988 wrote to memory of 540	4988	Isass.exe	86
PID 540 wrote to memory of 1316	540	bf6a9453af6973a781a7cce63415eb60N.exe	87
PID 540 wrote to memory of 1316	540	bf6a9453af6973a781a7cce63415eb60N.exe	87
PID 540 wrote to memory of 1316	540	bf6a9453af6973a781a7cce63415eb60N.exe	87
PID 1316 wrote to memory of 3992	1316	Isass.exe	88
PID 1316 wrote to memory of 3992	1316	Isass.exe	88
PID 1316 wrote to memory of 3992	1316	Isass.exe	88
PID 3992 wrote to memory of 3040	3992	bf6a9453af6973a781a7cce63415eb60N.exe	89
PID 3992 wrote to memory of 3040	3992	bf6a9453af6973a781a7cce63415eb60N.exe	89
PID 3992 wrote to memory of 3040	3992	bf6a9453af6973a781a7cce63415eb60N.exe	89
PID 3040 wrote to memory of 2300	3040	Isass.exe	90
PID 3040 wrote to memory of 2300	3040	Isass.exe	90
PID 3040 wrote to memory of 2300	3040	Isass.exe	90

C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
"C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
    "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
718KB

MD5
23fffc6b2676c434dc898333bf379a23

SHA1
2a42a86e9317694da8257003fcf9b7e951013bbe

SHA256
d3a0b1e8f09c8cd8dc5ec95221f6885b2bf8ef949728d5bfd4b2dde91cc4d65a

SHA512
15e6ca54d52445c51f6640e00778035e23e90dafbf76655f87527e9def236e791486c53f246ee0bcbcd09d38c1ffceef5323e6e2048df7ba6bbc35ffbec2470f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe

Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
816a6d1102a1a3b4d6d9c3d8dfef7045

SHA1
ee440bbc1be28b777f9109d1fd8e3c5fe282e5b5

SHA256
da347f6169ee82f755889c1f0079ef2a70e16bb9aacd0147ce7e689bbb4166ca

SHA512
3ff95d1bd74302b4e58fe1d05403a584b6f6db87d61213968956a507635668d3ac1ee78494e6228c2b3ac7a530a9e474b4259ca88f1df2b404302cddb09a5e94

Download Submit
memory/540-12-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/540-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1316-17-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1316-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-41-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-50-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-69-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-65-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-57-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-7-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/2716-56-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-49-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-31-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-35-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-36-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-5-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2716-40-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3040-30-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3992-19-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4224-3-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4224-6-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4224-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4988-13-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4988-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads