Analysis
Max time kernel: 120s
Max time network: 106s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-08-2024 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: c95e67da84009169ba495d2dc2e240c0N.exe
  Resource: win7-20240708-en
Note: the memory dumps and signatures below are labelled behavioral2 and match the Windows 10 resource (win10v2004-20240802-en) in the header above; the behavioral2 task entry itself is missing from this page.
General
Target: c95e67da84009169ba495d2dc2e240c0N.exe
Size: 341KB
MD5: c95e67da84009169ba495d2dc2e240c0
SHA1: bca9ecaf698a0fda36531539b79b0f03a3f2795e
SHA256: 88cd1d88dcaa57d9679b7a55eca807b8630f6a31d1128e3ff1efccab5c16bb5c
SHA512: 162b5097c407746d61c1c754054bdba27cf6e0cdaca314685f833ccefaba5216611ffcffb5d4798776b871cde6cbbc4010cdadf3efa43a63a3e89d93b9b935f5
SSDEEP: 6144:/rTfUHeeSKOS9ccFKk3Y9t9YZj524k2DgvyHA:/n8yN0Mr8ZFGwov
Malware Config
Extracted: neconyd
C2 URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation
  by Isass.exe (3 times) and c95e67da84009169ba495d2dc2e240c0N.exe (3 times)
Executes dropped EXE (8 IoCs)
  PID 3716  Isass.exe
  PID 2396  Isass.exe
  PID 2468  Isass.exe
  PID 1808  Isass.exe
  PID 2672  c95e67da84009169ba495d2dc2e240c0N.exe
  PID 4468  omsecor.exe
  PID 3808  omsecor.exe
  PID 4944  omsecor.exe
PID 2672 runs from the sample's original path yet is counted as a dropped executable, so the file at that path was rewritten during the run; the YARA matches below include that path.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC is listed for this signature.

YARA rule upx (UPX-packed) matched on the following resources:
  C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  behavioral2/memory/2672-33-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/4468-36-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/4468-47-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/4468-60-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/4468-67-0x0000000000400000-0x000000000042D000-memory.dmp
  C:\Windows\SysWOW64\omsecor.exe
  behavioral2/memory/4468-71-0x0000000000400000-0x000000000042D000-memory.dmp
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  behavioral2/memory/3808-76-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/4944-86-0x0000000000400000-0x000000000042D000-memory.dmp
Every memory dump covers the same 0x0000000000400000-0x000000000042D000 image range.
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by c95e67da84009169ba495d2dc2e240c0N.exe:
  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\Users\Public\Microsoft Build\Isass.exe"
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\Users\Public\Microsoft Build\Isass.exe"
The value name and file name are Isass.exe with a capital I, a look-alike of the Windows lsass.exe, dropped in the world-writable C:\Users\Public. The machine-wide entry sits under WOW6432Node because the writer is a 32-bit process on the x64 image (registry redirection), so a check of only the 64-bit HKLM Run view will miss it.
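Added example (not part of the sandbox report or of the malware's own code): a small detector that reads Sysmon Event ID 13 style registry lines and flags autorun values that point into user-writable directories or whose file name folds to a Windows system binary under homoglyph substitution, which is how the Isass.exe value above reads as lsass.exe. The two report IoCs are re-expressed as constructed input; the pipe-separated line format, the field names and the benign msiexec/SecurityHealth entry are assumptions for the example.

```python
"""Flag suspicious autorun (Run key) writes in Sysmon-style registry events."""
import ntpath
import re

# Constructed sample events (not sandbox output): the two "Adds Run key" IoCs from the
# report, re-expressed as Sysmon Event ID 13 style lines, plus one benign autorun for contrast.
SAMPLE_EVENTS = [
    r"EventID: 13|Image: C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
    r"|TargetObject: HKU\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe"
    r"|Details: C:\Users\Public\Microsoft Build\Isass.exe",
    r"EventID: 13|Image: C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
    r"|TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe"
    r"|Details: C:\Users\Public\Microsoft Build\Isass.exe",
    r"EventID: 13|Image: C:\Windows\System32\msiexec.exe"
    r"|TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"
    r"|Details: C:\Windows\System32\SecurityHealthSystray.exe",
]

# Run / RunOnce value under any hive; group 2 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)

# Directories a standard user can write to; an autorun pointing here is worth a look.
USER_WRITABLE_MARKERS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Names that only belong in the Windows system directories.
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe")
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Characters attackers swap for look-alikes: the report's "Isass.exe" is lsass with a capital I.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def parse_event(line):
    """Split 'Key: value|Key: value' into a dict (only the first colon separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def normalize_name(name):
    """Lower-case and fold common homoglyphs so Isass.exe and lsass.exe compare equal."""
    return name.lower().translate(HOMOGLYPHS)


def masquerade_reason(path):
    """Return why the file name looks like a system binary it is not, or None."""
    name = ntpath.basename(path)
    folded = normalize_name(name)
    for real in SYSTEM_BINARIES:
        if normalize_name(real) != folded:
            continue
        if name.lower() != real:
            return f"name {name!r} mimics system binary {real!r}"
        if ntpath.dirname(path).lower().rstrip("\\") not in SYSTEM_DIRS:
            return f"system binary name {real!r} outside System32/SysWOW64"
    return None


def analyze_event(event):
    """Score one registry event; returns None unless it writes a Run/RunOnce value."""
    match = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not match:
        return None
    target = event.get("Details", "").strip('"')
    reasons = []
    if any(marker in target.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("autorun target in user-writable directory")
    why = masquerade_reason(target)
    if why:
        reasons.append(why)
    return {
        "value": match.group(2),
        "target": target,
        "writer": event.get("Image", ""),
        # Informational: a 32-bit writer on x64 lands in WOW6432Node, as in the report.
        "wow6432node": "\\wow6432node\\" in event.get("TargetObject", "").lower(),
        "reasons": reasons,
    }


def scan(lines):
    """Return findings for every Run-key event that has at least one reason."""
    findings = []
    for line in lines:
        result = analyze_event(parse_event(line))
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['value']} -> {f['target']} (writer {f['writer']}): " + "; ".join(f["reasons"]))
```

Both report IoCs are flagged twice over (user-writable target and lsass look-alike name); the benign entry produces no finding. The wow6432node flag is kept informational rather than scored, since plenty of legitimate 32-bit installers write there.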
Drops file in System32 directory (1 IoC)
File created: C:\Windows\SysWOW64\omsecor.exe by omsecor.exe
The process tree below launches this file as C:\Windows\System32\omsecor.exe: the 32-bit process's System32 writes and launches are redirected to SysWOW64 by the WOW64 file-system redirector, so the copy never lands in the real System32.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by c95e67da84009169ba495d2dc2e240c0N.exe (4 times), Isass.exe (4 times) and omsecor.exe (3 times)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 4984  c95e67da84009169ba495d2dc2e240c0N.exe  (2)
  PID 3716  Isass.exe  (2)
  PID 2396  Isass.exe  (6)
  PID 2640  c95e67da84009169ba495d2dc2e240c0N.exe  (2)
  PID 2468  Isass.exe  (6)
  PID 2164  c95e67da84009169ba495d2dc2e240c0N.exe  (2)
  PID 1808  Isass.exe  (4)
Suspicious use of WriteProcessMemory (30 IoCs)
Each parent-to-child write below appears three times in the report; the ten distinct edges are:
  PID 4984 c95e67da84009169ba495d2dc2e240c0N.exe  wrote to memory of  PID 3716 Isass.exe
  PID 4984 c95e67da84009169ba495d2dc2e240c0N.exe  wrote to memory of  PID 2396 Isass.exe
  PID 2396 Isass.exe  wrote to memory of  PID 2640 c95e67da84009169ba495d2dc2e240c0N.exe
  PID 2640 c95e67da84009169ba495d2dc2e240c0N.exe  wrote to memory of  PID 2468 Isass.exe
  PID 2468 Isass.exe  wrote to memory of  PID 2164 c95e67da84009169ba495d2dc2e240c0N.exe
  PID 2164 c95e67da84009169ba495d2dc2e240c0N.exe  wrote to memory of  PID 1808 Isass.exe
  PID 1808 Isass.exe  wrote to memory of  PID 2672 c95e67da84009169ba495d2dc2e240c0N.exe
  PID 2672 c95e67da84009169ba495d2dc2e240c0N.exe  wrote to memory of  PID 4468 omsecor.exe
  PID 4468 omsecor.exe  wrote to memory of  PID 3808 omsecor.exe
  PID 3808 omsecor.exe  wrote to memory of  PID 4944 omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (PID 4984, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Microsoft Build\Isass.exe (PID 3716, depth 2)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Public\Microsoft Build\Isass.exe (PID 2396, depth 2)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (PID 2640, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\Microsoft Build\Isass.exe (PID 2468, depth 4)
        Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (PID 2164, depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          C:\Users\Public\Microsoft Build\Isass.exe (PID 1808, depth 6)
            Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe (PID 2672, depth 7)
              Command line: "C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4468, depth 8)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\omsecor.exe (PID 3808, depth 9)
                  Command line: C:\Windows\System32\omsecor.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4944, depth 10)
                    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
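Added example, not from the report or the sandbox: the eleven (pid, ppid, image, command line) records of the tree above transcribed into Python, with two checks a triager would want to automate over any process tree of this shape. The first measures the sample -> Isass.exe -> sample relaunch loop (seven processes deep before omsecor.exe appears); the second finds launches whose command line names C:\Windows\System32 while the image actually ran from C:\Windows\SysWOW64, which is the WOW64 file-system redirector serving a 32-bit process (PID 3808 here). Using 0 as the root's parent PID and a chain threshold of five are assumptions of the example.

```python
"""Rebuild the report's process tree and flag relaunch loops and WOW64 path redirection."""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c95e67da84009169ba495d2dc2e240c0N.exe"
DROPPED = r"C:\Users\Public\Microsoft Build\Isass.exe"
OMSECOR_ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
OMSECOR_WOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# (pid, ppid, image path, command line) transcribed from the Processes tree above.
# The root's ppid is 0 because the report does not show its parent (assumption).
PROCS = [
    (4984, 0,    SAMPLE,          f'"{SAMPLE}"'),
    (3716, 4984, DROPPED,         f'"{DROPPED}"'),
    (2396, 4984, DROPPED,         f'"{DROPPED}" Tablet {SAMPLE}'),
    (2640, 2396, SAMPLE,          f'"{SAMPLE}"'),
    (2468, 2640, DROPPED,         f'"{DROPPED}" Tablet {SAMPLE}'),
    (2164, 2468, SAMPLE,          f'"{SAMPLE}"'),
    (1808, 2164, DROPPED,         f'"{DROPPED}" Tablet {SAMPLE}'),
    (2672, 1808, SAMPLE,          f'"{SAMPLE}"'),
    (4468, 2672, OMSECOR_ROAMING, OMSECOR_ROAMING),
    (3808, 4468, OMSECOR_WOW64,   r"C:\Windows\System32\omsecor.exe"),  # launched via the System32 path
    (4944, 3808, OMSECOR_ROAMING, OMSECOR_ROAMING),
]


def index(procs):
    """Return (pid -> record, ppid -> [child pids]) preserving report order."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def image_name(record):
    return ntpath.basename(record[2]).lower()


def relaunch_chain_length(pid, by_pid):
    """Count ancestors (self included) whose image name is one of the two names at the
    bottom of the chain, so sample -> Isass -> sample -> ... counts as a single run."""
    names = {image_name(by_pid[pid])}
    parent = by_pid.get(by_pid[pid][1])
    if parent is not None:
        names.add(image_name(parent))
    length = 0
    current = by_pid.get(pid)
    while current is not None and image_name(current) in names:
        length += 1
        current = by_pid.get(current[1])
    return length


def find_relaunch_chains(procs, min_length=5):
    """pid -> chain length for every process sitting at the end of a long relaunch loop."""
    by_pid, _ = index(procs)
    result = {}
    for pid in by_pid:
        length = relaunch_chain_length(pid, by_pid)
        if length >= min_length:
            result[pid] = length
    return result


def wow64_redirected(procs):
    """Processes whose command line names System32 but whose image came from SysWOW64:
    a 32-bit process asked for System32 and the file-system redirector served SysWOW64."""
    return [pid for pid, _, image, cmdline in procs
            if "\\system32\\" in cmdline.lower() and "\\syswow64\\" in image.lower()]


def render_tree(procs, root_ppid=0):
    """Indented text tree, two spaces per depth level, in the report's order."""
    by_pid, children = index(procs)
    lines = []

    def walk(pid, depth):
        cmdline = by_pid[pid][3]
        lines.append(f"{'  ' * depth}[{pid}] {cmdline}")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid in children[root_ppid]:
        walk(pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCS))
    print("relaunch chains:", find_relaunch_chains(PROCS))
    print("WOW64 redirected launches:", wow64_redirected(PROCS))
```

On the transcribed tree the loop detector reports PIDs 2164, 1808 and 2672 with chain lengths 5, 6 and 7, and the redirection check returns only PID 3808. The same functions work on any (pid, ppid, image, command line) export from EDR telemetry.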
MITRE ATT&CK Enterprise v15
Downloads
The dropped files below are listed by size and hash only; the report does not map them to the file paths above.

Filesize: 737KB
  MD5:    e9bd2d1d0c612ef4375fdec99b526282
  SHA1:   a2d836daf8fe264a0e5e07d2fa4f350a025b751d
  SHA256: 4154b4494a5542dee7924a9ddacee0fcb3aaf2532d2c675c14e494993e06493b
  SHA512: 628504edade4b608d36eded95381c02ce7c81203b0adc67e9788c5b5c9b54c4a735e0efad4c399c6ab54ea446c33dfbe44441eac9b5f3a370be6a7aab3146d32

Filesize: 35KB
  MD5:    50fe69e9c49802d005038522f81e9b06
  SHA1:   276d8f126ebe06549320d7e324f9e105222d209c
  SHA256: 72f771647913744c8d3fa98f345b883cfe62ac773363e56d4d08f66fbf0a00db
  SHA512: 17f6065960e7e54ef24ed2f4f82cd0f92d65aba0aaaac409dbba5b5a9802d7f604a8d4a40e24e1481cbcc5338ccb26b7fea171f2892e4cd1a02fd5b44bb1a7b2

Filesize: 35KB
  MD5:    67b56a5fecd2e6a6598c5d36ba8a40d5
  SHA1:   dd868ba6efb13ff044dee1b5f78d6966d63f7422
  SHA256: c95a8282e4d1c03e38b530ee82a7d761f7091e2edc91c77fc943e955e442610e
  SHA512: 6df322eccbe17d29388215a7ca49edc1047c97ffe006b1e5f47b05554070bb9e01dff131bdd13e16059d7eb55d6c18628f9639b5faf63c08ce23571b317658ba

Filesize: 35KB
  MD5:    eb3067223b4757bf1b5625b42bae143f
  SHA1:   8af5f650e7e3cd05fa02b4ab48d48fd3bde187d7
  SHA256: 16f8f0613d5e0189bc968c4f04c8da809d6ed4b6f38da07a7fb7c9655280288c
  SHA512: ed2c615adad78f09ed2e8a5125c5072de3433e47e697ab7c51d3d28e78fcaac7f4459d48cd1f7459c71adeffdeb53b901c7558e848836d6bb0e91e729e51fef7

Filesize: 261KB
  MD5:    9ee3aea20fa8de7b19353aef20d64baf
  SHA1:   17926e9fd3e1f03574c94f94cdccd2845fb952a2
  SHA256: c6deded1772c32340199c3affea29a61834c3bedf5ab7c5da19aa9ce42dae858
  SHA512: 4a1d96700f744752862370144b2f74123cef3ffe489a200354c7cd31e52052dcf53b2bea9aad067192fec5f9c610e023f69976768e9cd08b5b53dc5d5fbab767

Filesize: 35KB
  MD5:    933a5e25533ef7178f519bde6a836ac5
  SHA1:   80302ecb5940a14030c57760a44baf3271dd143a
  SHA256: 876744e5adbe38d9dc8e20239166912add97f6c4ffbf4d8f003df1fc46cc9513
  SHA512: c19e745e36750d8c351d1e666ab80e2f75731d0c264d051b481581a8c25f56747955f1787f506707ba1be0dc5ed196a6cd7c4f16aaf9588ddffa4acd0d8f9439