59441ca951108c5ff13a32573ba85c4a0a2720f60e41e80fc0984fbf8d24e8aa

General

Target

3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
Size

919KB
MD5

3f88e4466cf3ce4d19113304b28f78f4
SHA1

d6ed629b26e37f138ae62511338be903f4ebdb86
SHA256

3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e
SHA512

3827993b1e9a0fb15e02369947b026812069453733f913b01be33202422d17535c98f6635c93ae5b275924ca1b4f87d1e711d7be9e4e5d43eb39cf2342fe1069
SSDEEP

12288:8uPUTLYcAaUMhUhLupXshh1PEd5hOoXpJePfqw6gmQNhxAoRYn:8uPmLDUMihIXCE5Fi76gxh8

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe

Executes dropped EXE 3 IoCs

pid	Process
4556	Isass.exe
2096	Isass.exe
2680	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
4556	Isass.exe
4556	Isass.exe
2096	Isass.exe
2096	Isass.exe
2096	Isass.exe
2096	Isass.exe
2096	Isass.exe
2096	Isass.exe
1548	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
1548	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
2680	Isass.exe
2680	Isass.exe
2680	Isass.exe
2680	Isass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4556	2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	84
PID 2340 wrote to memory of 4556	2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	84
PID 2340 wrote to memory of 4556	2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	84
PID 2340 wrote to memory of 2096	2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	85
PID 2340 wrote to memory of 2096	2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	85
PID 2340 wrote to memory of 2096	2340	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	85
PID 2096 wrote to memory of 1548	2096	Isass.exe	87
PID 2096 wrote to memory of 1548	2096	Isass.exe	87
PID 2096 wrote to memory of 1548	2096	Isass.exe	87
PID 1548 wrote to memory of 2680	1548	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	88
PID 1548 wrote to memory of 2680	1548	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	88
PID 1548 wrote to memory of 2680	1548	3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe	88

C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
"C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
    "C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
1.1MB

MD5
64e880e11e8cfe3620083ba6ec90c64e

SHA1
5d5490068ea3eb979efb15469fa264a1b85eb2bf

SHA256
c7df1005559696adb0cc70eb4af48dda09bec8b9b5379b127a815a498dc86a88

SHA512
cd3c46b041d9bf3a7a273ac914fae7740d7e8ee4807c9fe1ffb3ecd70733991bccaf81a3cdbf297f9a3e2f18aea75cd8dfc776d878a163bc5917190469b21315

Download Submit
C:\Users\Admin\AppData\Local\Temp\3673c4e11b206790d884eedcaced0e58d19bf08b6554c8df64725aba2573240e.exe

Filesize
284KB

MD5
290ab3601b988b124f4911778d89626a

SHA1
91082fca98f044b2d98ffd66930215f8e1852884

SHA256
dcb9736a6019fa15abe55507d4ce1d22443683cf474b72de204947fb1823c736

SHA512
aec8c1ebc47525f49882dc04fbb4b8e24f8bc506430c106ca66ef68f02ca8c7faca0ba2e7c649e9a631ad37eae2844484274ad42e78b90a446161197cb95ef41

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
624KB

MD5
b01405cb348a3cd105c66cc390ff7fb3

SHA1
a706e33fc2258aa2618953963d468f27760a8ad5

SHA256
345dc0e46f05f78cd67044d6af423a6d3e4e04a28112f0bb0379ef3e5f63c2b4

SHA512
6aa7b7dc1d0adf5df7c2ffe68faa5bfbeb7016621ebefccdad7e0b573ec6290a08b4f90e44318c577c80cf009b808e72be5acb5f45e007b340b01f641c107740

Download Submit
memory/1548-10-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2096-8-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2340-7-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2340-0-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download
memory/2680-20-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-21-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-36-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-25-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-5-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/4556-26-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-22-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/4556-31-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-30-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-40-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-46-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-47-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-55-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-59-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-67-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-68-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4556-80-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads