30c29a9ddc1ead0932ebf8b374d605a9dad97250968e51011605583e51d8f0a6

General

Target

98a842f4cb63a098799a32253254a3e0N.exe
Size

1.1MB
MD5

98a842f4cb63a098799a32253254a3e0
SHA1

db45e72c0cacfe3cac4e139d0cbdad3e4199dcac
SHA256

30c29a9ddc1ead0932ebf8b374d605a9dad97250968e51011605583e51d8f0a6
SHA512

692bec311120f04ec20ff5ce41a54b0731eea45b0a93e7b26dca7d305be283af4c6364582b83bf50fac8b3c54be804432063f629b5b6818b4648a1c5a85dc638
SSDEEP

24576:Z9ndEVf7TpiaGlN5WUG16CU3nM9SVYPxrkI5:Z9dcjTpia25W/7UXM9SVemI5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2352	Isass.exe
2764	GS_98a842f4cb63a098799a32253254a3e0N.exe
2688	GS_98a842f4cb63a098799a32253254a3e0N.exe

Loads dropped DLL 5 IoCs

pid	Process
2480	98a842f4cb63a098799a32253254a3e0N.exe
2480	98a842f4cb63a098799a32253254a3e0N.exe
2480	98a842f4cb63a098799a32253254a3e0N.exe
2764	GS_98a842f4cb63a098799a32253254a3e0N.exe
2688	GS_98a842f4cb63a098799a32253254a3e0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	98a842f4cb63a098799a32253254a3e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	98a842f4cb63a098799a32253254a3e0N.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	98a842f4cb63a098799a32253254a3e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GS_98a842f4cb63a098799a32253254a3e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GS_98a842f4cb63a098799a32253254a3e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98a842f4cb63a098799a32253254a3e0N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2480	98a842f4cb63a098799a32253254a3e0N.exe
2352	Isass.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2352	2480	98a842f4cb63a098799a32253254a3e0N.exe	30
PID 2480 wrote to memory of 2352	2480	98a842f4cb63a098799a32253254a3e0N.exe	30
PID 2480 wrote to memory of 2352	2480	98a842f4cb63a098799a32253254a3e0N.exe	30
PID 2480 wrote to memory of 2352	2480	98a842f4cb63a098799a32253254a3e0N.exe	30
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2480 wrote to memory of 2764	2480	98a842f4cb63a098799a32253254a3e0N.exe	31
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32
PID 2764 wrote to memory of 2688	2764	GS_98a842f4cb63a098799a32253254a3e0N.exe	32

C:\Users\Admin\AppData\Local\Temp\98a842f4cb63a098799a32253254a3e0N.exe
"C:\Users\Admin\AppData\Local\Temp\98a842f4cb63a098799a32253254a3e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\GS_98a842f4cb63a098799a32253254a3e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\GS_98a842f4cb63a098799a32253254a3e0N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Temp\{0B25FCF5-A65D-4F71-A3E3-4BCB200C34DC}\.cr\GS_98a842f4cb63a098799a32253254a3e0N.exe
    "C:\Windows\Temp\{0B25FCF5-A65D-4F71-A3E3-4BCB200C34DC}\.cr\GS_98a842f4cb63a098799a32253254a3e0N.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\GS_98a842f4cb63a098799a32253254a3e0N.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
deb205aab1f21cfbdb4929194ad7e5ac

SHA1
b86cd30bf8125918ba61902787fbb4583ad1ea4f

SHA256
c8ae8da7e558e44ea789d15fb47c1a606e8763e72d477f437648d627c5eb5e67

SHA512
52e76f568cc4397ae8e669bfe1bd86ce03e456092aef9a09077296e33042af16ac8c3ccd8d4c2efd2e7524c5dc18bd91d1c182b2dd7b7a6834fdbe388b2dd899

Download Submit
C:\Users\Admin\AppData\Local\Temp\GS_98a842f4cb63a098799a32253254a3e0N.exe

Filesize
855KB

MD5
7711c60d5db60b1dfd6660016cf02d6f

SHA1
6b38524ee7961e9bd224c75ead54449c0d77bb12

SHA256
f13fda5a87d010e15eb167e5dcaec27121e4427ae9c8c9991db95ed5fe36de1b

SHA512
55aac69297dd5a19d8a78e0e36ce6be23d940d26ac4831e1db09c9aa5b43243158b8f2b24df4a2638b98442c305b0bd1547d8c597c8339e5938e73417820ac37

Download Submit
C:\Windows\Temp\{7C11F2BB-1888-4936-86AF-4E69756C4FAD}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
\Windows\Temp\{7C11F2BB-1888-4936-86AF-4E69756C4FAD}\.ba\PythonBA.dll

Filesize
671KB

MD5
5d8fa952950469a8904e4f68ac193699

SHA1
ce9f68fb9601b9a5b95fc93c88a3a22ed42afa3d

SHA256
ca7527124a97079c229332867bd27fede3eb263a52639b4bdaf39ed47e604e57

SHA512
58c43a813ff9f5bebe2928e68b7f28f999922248ccc6e8cf6ce5f14baf6aa42b9b8e59fe9b638c5376e7e4e86fe21eae185fd51328b7b000bbe6903794e161b4

Download Submit
memory/2352-92-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-91-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-15-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2352-83-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-108-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-105-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-100-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-81-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-99-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-84-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-14-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-85-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-86-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2352-82-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2480-13-0x0000000004230000-0x00000000054D7000-memory.dmp

Filesize
18.7MB

Download
memory/2480-12-0x0000000004230000-0x00000000054D7000-memory.dmp

Filesize
18.7MB

Download
memory/2480-8-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2480-16-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2480-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads