Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 23:07
Behavioral task: behavioral1
Sample: 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe
Resource: win7-20240704-en
General
Target: 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe
Size: 76KB
MD5: 37c81df7c6270c8129624a139fedeb6a
SHA1: c87aec5e390a761a6c0a9b2112bc3ebc286abbc2
SHA256: 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef
SHA512: ad0d2512c07eeb31bef0ec35767e2d977899ead864eefbe75c1f626fc88c0ad491694a94aa4b2219353cc94fb1ef5520c9aabb49c496bf631b8c2e526d1e0fef
SSDEEP: 1536:td9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11:FdseIOMEZEyFjEOFqaiQm5l/5w11
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid   process
4132  omsecor.exe
2972  omsecor.exe
4056  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
description   ioc                                process
File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                        pid   process                                                                  target process
PID 3884 wrote to memory of 4132   3884  8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe  omsecor.exe
PID 3884 wrote to memory of 4132   3884  8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe  omsecor.exe
PID 3884 wrote to memory of 4132   3884  8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe  omsecor.exe
PID 4132 wrote to memory of 2972   4132  omsecor.exe                                                              omsecor.exe
PID 4132 wrote to memory of 2972   4132  omsecor.exe                                                              omsecor.exe
PID 4132 wrote to memory of 2972   4132  omsecor.exe                                                              omsecor.exe
PID 2972 wrote to memory of 4056   2972  omsecor.exe                                                              omsecor.exe
PID 2972 wrote to memory of 4056   2972  omsecor.exe                                                              omsecor.exe
PID 2972 wrote to memory of 4056   2972  omsecor.exe                                                              omsecor.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"
  PID: 3884
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 4132
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2972
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4056
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

(depth 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
  PID: 3832
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 76KB
MD5: ab71a4a98b9644ff6eec661a494600bd
SHA1: b68be8ec60b9e611d89f88ec1bb1f03fea0ec9b7
SHA256: c9d29e7d341f9b19231cbd9114449fc4c50259c04f4f5c200a1aef641614bdd4
SHA512: a078dc171f8439b5e6dc49ba7d0033b1b1a86db113ff801aac76a2af1dbc2b27e4f4dda6a0e1135a04b193b33fb1d3c33e62f2352af9941ab286ac2b4537f781

Filesize: 76KB
MD5: 7d42898196a1ec95d4d0ee5cf5b4404b
SHA1: c8d54ad4938e4258f2891cc6aca33d0ab4e042a0
SHA256: 820483cd845697e6950cc73974cc181cdd75ba57b1bfc4fe45ea94b1307fa422
SHA512: ab3c0616f1d21bba15bfdad90245375a8046093b26a920c9e36f6257dc60d0e8f404b4d0d3ab7f37fc1240cad87bc83de807e45cf510522573c79738d7813893

Filesize: 76KB
MD5: 28c61edab89fa05569a2b18c46373299
SHA1: 75f02b10a83c52fc14f4567db60a6189e4b01747
SHA256: 201c83b0abf8edd643f13dc2d7002e363d3c24c267e923a730ca36b06899eccb
SHA512: fcba8e1d239f5eb687f0601e01e86190d7663b94fdb6f900eb60e8d8a9decfc947a2854f02f7a80d4a1fb6eca0b82fe941e0d3260ffe278e047b70d9c1ae0777