Analysis
- max time kernel: 116s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 21:44
Behavioral task: behavioral1
- Sample: d9bae2c5b0211e4af81d661f5497bb10N.exe
- Resource: win7-20240708-en
General
- Target: d9bae2c5b0211e4af81d661f5497bb10N.exe
- Size: 35KB
- MD5: d9bae2c5b0211e4af81d661f5497bb10
- SHA1: 9ed10a2d5a856f769b4e512c7169cfb36471305e
- SHA256: 13221c391e1e8abb8d39a31c1ecdc3d09f275c84cde02dc8511e0ca599f86e94
- SHA512: 1547c2a99c45d1b7cc7a2b77df17a01471a432ae68b4efd16890fea1479a46961dca123c3a66f5f1a5c052bc4d5e7739c9267a29b2d1ef4850de65c7a223c28f
- SSDEEP: 768:j6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:e8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
- Family: neconyd
- URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    3620 | omsecor.exe
    1696 | omsecor.exe
- Processes:
    resource | yara_rule
    behavioral2/memory/2104-0-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    C:\Users\Admin\AppData\Roaming\omsecor.exe | upx
    behavioral2/memory/3620-7-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/2104-6-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/3620-8-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/3620-11-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/3620-14-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/3620-15-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    C:\Windows\SysWOW64\omsecor.exe | upx
    behavioral2/memory/1696-19-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/3620-22-0x0000000000400000-0x000000000042D000-memory.dmp | upx
    behavioral2/memory/1696-23-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- Drops file in System32 directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
    File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9bae2c5b0211e4af81d661f5497bb10N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 2104 wrote to memory of 3620 | 2104 | d9bae2c5b0211e4af81d661f5497bb10N.exe | omsecor.exe
    PID 2104 wrote to memory of 3620 | 2104 | d9bae2c5b0211e4af81d661f5497bb10N.exe | omsecor.exe
    PID 2104 wrote to memory of 3620 | 2104 | d9bae2c5b0211e4af81d661f5497bb10N.exe | omsecor.exe
    PID 3620 wrote to memory of 1696 | 3620 | omsecor.exe | omsecor.exe
    PID 3620 wrote to memory of 1696 | 3620 | omsecor.exe | omsecor.exe
    PID 3620 wrote to memory of 1696 | 3620 | omsecor.exe | omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe (PID 2104, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3620, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 1696, level 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 35KB
  MD5: 28e15ebe825005fa203f31f0796e4fd3
  SHA1: 4439062f9b11086cf495e71d500984434769fea1
  SHA256: b2d7505c13ffbe51445530ddd84af467a855bb116707ffffb47b453da45db7d0
  SHA512: 3937b4f343f96255b287a3d6d7f70f2013cdba9f57664ed168cfc2e173d663b1640c46974ecaac877cf233849dd6d4cd6b0ec627d26258ba76ba708affa60fac
- Filesize: 35KB
  MD5: d58b7e408931fbaac3331d618336a931
  SHA1: 0b081282afbb774fd9ca9f0b6362dc23ae275b1b
  SHA256: 7cbd13ce9246de2b55583f0ad6f06b90153bce7ad19fafa509e85300958efbf6
  SHA512: 7fea48dd1446665123a19145af1e523ebd846e381c20c40b91a02bee041923da2c1b143ab329ec71d2fd2758ddf5ec08669e074a40c7eed88c8b00f8cf4fa79b