Analysis
max time kernel: 116s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 06:14

Static task: static1
Behavioral task: behavioral1
Sample: c95e67da84009169ba495d2dc2e240c0N.exe
Resource: win7-20240708-en
General
Target: c95e67da84009169ba495d2dc2e240c0N.exe
Size: 341KB
MD5: c95e67da84009169ba495d2dc2e240c0
SHA1: bca9ecaf698a0fda36531539b79b0f03a3f2795e
SHA256: 88cd1d88dcaa57d9679b7a55eca807b8630f6a31d1128e3ff1efccab5c16bb5c
SHA512: 162b5097c407746d61c1c754054bdba27cf6e0cdaca314685f833ccefaba5216611ffcffb5d4798776b871cde6cbbc4010cdadf3efa43a63a3e89d93b9b935f5
SSDEEP: 6144:/rTfUHeeSKOS9ccFKk3Y9t9YZj524k2DgvyHA:/n8yN0Mr8ZFGwov
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (7 IoCs)
Processes:
pid | process
3024 | Isass.exe
2764 | Isass.exe
2848 | Isass.exe
2680 | c95e67da84009169ba495d2dc2e240c0N.exe
2208 | omsecor.exe
2176 | omsecor.exe
284 | omsecor.exe

Loads dropped DLL (14 IoCs)
Processes:
pid | process
2884 | c95e67da84009169ba495d2dc2e240c0N.exe
2884 | c95e67da84009169ba495d2dc2e240c0N.exe
2884 | c95e67da84009169ba495d2dc2e240c0N.exe
2884 | c95e67da84009169ba495d2dc2e240c0N.exe
2624 | c95e67da84009169ba495d2dc2e240c0N.exe
2848 | Isass.exe
2848 | Isass.exe
2680 | c95e67da84009169ba495d2dc2e240c0N.exe
2680 | c95e67da84009169ba495d2dc2e240c0N.exe
2208 | omsecor.exe
2208 | omsecor.exe
2176 | omsecor.exe
2176 | omsecor.exe
3024 | Isass.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe | upx
\Users\Admin\AppData\Roaming\omsecor.exe | upx
behavioral1/memory/2680-39-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2208-44-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2208-58-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2208-71-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2208-80-0x0000000000400000-0x000000000042D000-memory.dmp | upx
\Windows\SysWOW64\omsecor.exe | upx
behavioral1/memory/2208-88-0x0000000000400000-0x000000000042D000-memory.dmp | upx
\Users\Admin\AppData\Roaming\omsecor.exe | upx
behavioral1/memory/2176-98-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/284-102-0x0000000000400000-0x000000000042D000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | c95e67da84009169ba495d2dc2e240c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | c95e67da84009169ba495d2dc2e240c0N.exe
Drops file in System32 directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c95e67da84009169ba495d2dc2e240c0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Isass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Isass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Isass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c95e67da84009169ba495d2dc2e240c0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c95e67da84009169ba495d2dc2e240c0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
2884 | c95e67da84009169ba495d2dc2e240c0N.exe
3024 | Isass.exe
2764 | Isass.exe
2764 | Isass.exe
2764 | Isass.exe
2624 | c95e67da84009169ba495d2dc2e240c0N.exe
2848 | Isass.exe
2848 | Isass.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
description | pid | process | target process
PID 2884 wrote to memory of 3024 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 3024 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 3024 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 3024 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 2764 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 2764 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 2764 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2884 wrote to memory of 2764 | 2884 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2764 wrote to memory of 2624 | 2764 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2764 wrote to memory of 2624 | 2764 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2764 wrote to memory of 2624 | 2764 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2764 wrote to memory of 2624 | 2764 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2624 wrote to memory of 2848 | 2624 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2624 wrote to memory of 2848 | 2624 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2624 wrote to memory of 2848 | 2624 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2624 wrote to memory of 2848 | 2624 | c95e67da84009169ba495d2dc2e240c0N.exe | Isass.exe
PID 2848 wrote to memory of 2680 | 2848 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2848 wrote to memory of 2680 | 2848 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2848 wrote to memory of 2680 | 2848 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2848 wrote to memory of 2680 | 2848 | Isass.exe | c95e67da84009169ba495d2dc2e240c0N.exe
PID 2680 wrote to memory of 2208 | 2680 | c95e67da84009169ba495d2dc2e240c0N.exe | omsecor.exe
PID 2680 wrote to memory of 2208 | 2680 | c95e67da84009169ba495d2dc2e240c0N.exe | omsecor.exe
PID 2680 wrote to memory of 2208 | 2680 | c95e67da84009169ba495d2dc2e240c0N.exe | omsecor.exe
PID 2680 wrote to memory of 2208 | 2680 | c95e67da84009169ba495d2dc2e240c0N.exe | omsecor.exe
PID 2208 wrote to memory of 2176 | 2208 | omsecor.exe | omsecor.exe
PID 2208 wrote to memory of 2176 | 2208 | omsecor.exe | omsecor.exe
PID 2208 wrote to memory of 2176 | 2208 | omsecor.exe | omsecor.exe
PID 2208 wrote to memory of 2176 | 2208 | omsecor.exe | omsecor.exe
PID 2176 wrote to memory of 284 | 2176 | omsecor.exe | omsecor.exe
PID 2176 wrote to memory of 284 | 2176 | omsecor.exe | omsecor.exe
PID 2176 wrote to memory of 284 | 2176 | omsecor.exe | omsecor.exe
PID 2176 wrote to memory of 284 | 2176 | omsecor.exe | omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
PID: 2884
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Users\Public\Microsoft Build\Isass.exe (level 2)
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
  PID: 3024
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

  C:\Users\Public\Microsoft Build\Isass.exe (level 2)
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe
  PID: 2764
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
    PID: 2624
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Users\Public\Microsoft Build\Isass.exe (level 4)
      Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe
      PID: 2848
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (level 5)
        Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
        PID: 2680
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\omsecor.exe (level 6)
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2208
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\omsecor.exe (level 7)
            Command line: C:\Windows\System32\omsecor.exe
            PID: 2176
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe (level 8)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 284
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 261KB
MD5: 9ee3aea20fa8de7b19353aef20d64baf
SHA1: 17926e9fd3e1f03574c94f94cdccd2845fb952a2
SHA256: c6deded1772c32340199c3affea29a61834c3bedf5ab7c5da19aa9ce42dae858
SHA512: 4a1d96700f744752862370144b2f74123cef3ffe489a200354c7cd31e52052dcf53b2bea9aad067192fec5f9c610e023f69976768e9cd08b5b53dc5d5fbab767

Filesize: 35KB
MD5: 50fe69e9c49802d005038522f81e9b06
SHA1: 276d8f126ebe06549320d7e324f9e105222d209c
SHA256: 72f771647913744c8d3fa98f345b883cfe62ac773363e56d4d08f66fbf0a00db
SHA512: 17f6065960e7e54ef24ed2f4f82cd0f92d65aba0aaaac409dbba5b5a9802d7f604a8d4a40e24e1481cbcc5338ccb26b7fea171f2892e4cd1a02fd5b44bb1a7b2

Filesize: 35KB
MD5: 67b56a5fecd2e6a6598c5d36ba8a40d5
SHA1: dd868ba6efb13ff044dee1b5f78d6966d63f7422
SHA256: c95a8282e4d1c03e38b530ee82a7d761f7091e2edc91c77fc943e955e442610e
SHA512: 6df322eccbe17d29388215a7ca49edc1047c97ffe006b1e5f47b05554070bb9e01dff131bdd13e16059d7eb55d6c18628f9639b5faf63c08ce23571b317658ba

Filesize: 35KB
MD5: 1989bf5facd9f1cb972e61a4b555c8fd
SHA1: 2b726d9ab41a6d45adf13c27da4c108345d260ce
SHA256: 15b052d40d235334a0e871eede8936d0ab2f7598e894e764a73bc34dd3971079
SHA512: 58425e731a506e7e8af39e81111d76b7bf260ea05c996a0f4be43e137f71e777a53cf2bfdcdffbc5a608bf6e8754bc54a2c03adadbb91536ccc429f2afd93775

Filesize: 35KB
MD5: 4b9e192636dd436efca0120ae52f2c7c
SHA1: dd72e6198ebf277b3312f48801a5d2d97352cf05
SHA256: 7c672d77c3df37262af99d46664c784335bb0b8ebe891cef7480db74579fcf29
SHA512: f8a4607cb94b81444c88f44cb32eac960fe96a85b07aec1becfda605a71199fcd7c1d9a755b2f859a95d037ff4b77417a0ba537940a953dbac1642d8928bd125