30c29a9ddc1ead0932ebf8b374d605a9dad97250968e51011605583e51d8f0a6

General

Target

98a842f4cb63a098799a32253254a3e0N.exe
Size

1.1MB
MD5

98a842f4cb63a098799a32253254a3e0
SHA1

db45e72c0cacfe3cac4e139d0cbdad3e4199dcac
SHA256

30c29a9ddc1ead0932ebf8b374d605a9dad97250968e51011605583e51d8f0a6
SHA512

692bec311120f04ec20ff5ce41a54b0731eea45b0a93e7b26dca7d305be283af4c6364582b83bf50fac8b3c54be804432063f629b5b6818b4648a1c5a85dc638
SSDEEP

24576:Z9ndEVf7TpiaGlN5WUG16CU3nM9SVYPxrkI5:Z9dcjTpia25W/7UXM9SVemI5

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	98a842f4cb63a098799a32253254a3e0N.exe

Executes dropped EXE 3 IoCs

pid	Process
1868	Isass.exe
5080	IG_98a842f4cb63a098799a32253254a3e0N.exe
4376	IG_98a842f4cb63a098799a32253254a3e0N.exe

Loads dropped DLL 1 IoCs

pid	Process
4376	IG_98a842f4cb63a098799a32253254a3e0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	98a842f4cb63a098799a32253254a3e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	98a842f4cb63a098799a32253254a3e0N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	98a842f4cb63a098799a32253254a3e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IG_98a842f4cb63a098799a32253254a3e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IG_98a842f4cb63a098799a32253254a3e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98a842f4cb63a098799a32253254a3e0N.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4432	98a842f4cb63a098799a32253254a3e0N.exe
4432	98a842f4cb63a098799a32253254a3e0N.exe
1868	Isass.exe
1868	Isass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1868	4432	98a842f4cb63a098799a32253254a3e0N.exe	84
PID 4432 wrote to memory of 1868	4432	98a842f4cb63a098799a32253254a3e0N.exe	84
PID 4432 wrote to memory of 1868	4432	98a842f4cb63a098799a32253254a3e0N.exe	84
PID 4432 wrote to memory of 5080	4432	98a842f4cb63a098799a32253254a3e0N.exe	85
PID 4432 wrote to memory of 5080	4432	98a842f4cb63a098799a32253254a3e0N.exe	85
PID 4432 wrote to memory of 5080	4432	98a842f4cb63a098799a32253254a3e0N.exe	85
PID 5080 wrote to memory of 4376	5080	IG_98a842f4cb63a098799a32253254a3e0N.exe	87
PID 5080 wrote to memory of 4376	5080	IG_98a842f4cb63a098799a32253254a3e0N.exe	87
PID 5080 wrote to memory of 4376	5080	IG_98a842f4cb63a098799a32253254a3e0N.exe	87

C:\Users\Admin\AppData\Local\Temp\98a842f4cb63a098799a32253254a3e0N.exe
"C:\Users\Admin\AppData\Local\Temp\98a842f4cb63a098799a32253254a3e0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\IG_98a842f4cb63a098799a32253254a3e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\IG_98a842f4cb63a098799a32253254a3e0N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Temp\{44F64476-9525-409B-BA9F-9FF99E203970}\.cr\IG_98a842f4cb63a098799a32253254a3e0N.exe
    "C:\Windows\Temp\{44F64476-9525-409B-BA9F-9FF99E203970}\.cr\IG_98a842f4cb63a098799a32253254a3e0N.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IG_98a842f4cb63a098799a32253254a3e0N.exe" -burn.filehandle.attached=552 -burn.filehandle.self=696
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
deb205aab1f21cfbdb4929194ad7e5ac

SHA1
b86cd30bf8125918ba61902787fbb4583ad1ea4f

SHA256
c8ae8da7e558e44ea789d15fb47c1a606e8763e72d477f437648d627c5eb5e67

SHA512
52e76f568cc4397ae8e669bfe1bd86ce03e456092aef9a09077296e33042af16ac8c3ccd8d4c2efd2e7524c5dc18bd91d1c182b2dd7b7a6834fdbe388b2dd899

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Filesize
6.8MB

MD5
966075180eb821b9d6c615aeb45110b5

SHA1
00bde58ec9f223f59f12e5258beca98861437ede

SHA256
64e8e8e9ddd3f8209397ba8d23ce4141c44e2ec203cf9db87b8add719847d1ee

SHA512
5ea43783cea64a1945bf39a503d3fa61d2b21f6ff8819185ccdcbac54a0db86a04ab50529e6aab964e0d2c50c0e67faa6dc986d5251858e079f1a39460833f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IG_98a842f4cb63a098799a32253254a3e0N.exe

Filesize
855KB

MD5
7711c60d5db60b1dfd6660016cf02d6f

SHA1
6b38524ee7961e9bd224c75ead54449c0d77bb12

SHA256
f13fda5a87d010e15eb167e5dcaec27121e4427ae9c8c9991db95ed5fe36de1b

SHA512
55aac69297dd5a19d8a78e0e36ce6be23d940d26ac4831e1db09c9aa5b43243158b8f2b24df4a2638b98442c305b0bd1547d8c597c8339e5938e73417820ac37

Download Submit
C:\Windows\Temp\{A089F797-D349-487C-BB62-AB42D0F8E0EF}\.ba\PythonBA.dll

Filesize
671KB

MD5
5d8fa952950469a8904e4f68ac193699

SHA1
ce9f68fb9601b9a5b95fc93c88a3a22ed42afa3d

SHA256
ca7527124a97079c229332867bd27fede3eb263a52639b4bdaf39ed47e604e57

SHA512
58c43a813ff9f5bebe2928e68b7f28f999922248ccc6e8cf6ce5f14baf6aa42b9b8e59fe9b638c5376e7e4e86fe21eae185fd51328b7b000bbe6903794e161b4

Download Submit
C:\Windows\Temp\{A089F797-D349-487C-BB62-AB42D0F8E0EF}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
memory/1868-77-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-92-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-108-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-8-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/1868-76-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-6-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-78-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-100-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-87-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-99-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-95-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-96-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-97-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1868-98-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4432-21-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4432-4-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4432-7-0x0000000001960000-0x0000000001961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads