Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-08-2024 23:16
Behavioral task
behavioral1
Sample
ab4dedf6e12a49ee8bedf85b3203a7f0N.exe
Resource
win7-20240705-en
General
-
Target
ab4dedf6e12a49ee8bedf85b3203a7f0N.exe
-
Size
90KB
-
MD5
ab4dedf6e12a49ee8bedf85b3203a7f0
-
SHA1
a32da655f101dfb2ac73a963fc72f5d17cd07206
-
SHA256
3203cfa8739f2b1fa705f3230662cbcf868a71f43df5d0b4d31582d89ab9c926
-
SHA512
ab5dafc1cdef7bc391a345333bf954aed47d2f12fb2d707ddad70b9e0abf54d8ccc45688b3dce8ec7b4c25343f40674a6b1ffed0af93a646dd4b90926967eda5
-
SSDEEP
768:jMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:jbIvYvZEyFKF6N4aS5AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
4456  omsecor.exe
4780  omsecor.exe
3684  omsecor.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                               process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description  ioc                                                              process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     ab4dedf6e12a49ee8bedf85b3203a7f0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid   process                                 target process
PID 1304 wrote to memory of 4456   1304  ab4dedf6e12a49ee8bedf85b3203a7f0N.exe   omsecor.exe
PID 1304 wrote to memory of 4456   1304  ab4dedf6e12a49ee8bedf85b3203a7f0N.exe   omsecor.exe
PID 1304 wrote to memory of 4456   1304  ab4dedf6e12a49ee8bedf85b3203a7f0N.exe   omsecor.exe
PID 4456 wrote to memory of 4780   4456  omsecor.exe                             omsecor.exe
PID 4456 wrote to memory of 4780   4456  omsecor.exe                             omsecor.exe
PID 4456 wrote to memory of 4780   4456  omsecor.exe                             omsecor.exe
PID 4780 wrote to memory of 3684   4780  omsecor.exe                             omsecor.exe
PID 4780 wrote to memory of 3684   4780  omsecor.exe                             omsecor.exe
PID 4780 wrote to memory of 3684   4780  omsecor.exe                             omsecor.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ab4dedf6e12a49ee8bedf85b3203a7f0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ab4dedf6e12a49ee8bedf85b3203a7f0N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1304
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4456
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         (The command line names System32 but the image that ran is under SysWOW64; this is consistent with WoW64 file-system redirection for a 32-bit process, matching the arch:x86 resource tag. Hunt on both paths.)
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 4780
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 3684
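The chain above (a %TEMP% dropper launching omsecor.exe from AppData\Roaming, which in turn launches a copy via a System32 path that WoW64 redirects to SysWOW64, which relaunches the Roaming copy) is a good hunting target on process-creation telemetry. The following is an added example, not part of the sandbox report: it normalises image paths (user profile collapsed to a wildcard, System32 mapped to SysWOW64 as it would be for a 32-bit process) and matches Sysmon-style process-creation records against that parent/child pattern. The event records, their field names, the explorer.exe parent and PID 1000 are constructed for illustration; the other PIDs and paths are the ones in the report.

```python
"""Added example (not from the sandbox report): detect the omsecor.exe
execution chain in Sysmon-style process-creation events. Event layout and
the root parent (explorer.exe, PID 1000) are constructed assumptions."""
import re
from dataclasses import dataclass


def normalise_path(p: str) -> str:
    """Lower-case, strip quoting, wildcard the user profile and apply the
    WoW64 System32 -> SysWOW64 redirection a 32-bit process would see."""
    p = p.strip('"').lower().replace('/', '\\')
    p = re.sub(r'^c:\\users\\[^\\]+\\', lambda m: 'c:\\users\\*\\', p)
    p = p.replace('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
    return p


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # command line / image as logged
    parent_image: str   # parent's image as logged


# Constructed events reproducing the report's process tree (PIDs 1304, 4456,
# 4780, 3684 and the paths are from the report; the explorer.exe root is assumed).
EVENTS = [
    ProcEvent(1304, 1000,
              r'"C:\Users\Admin\AppData\Local\Temp\ab4dedf6e12a49ee8bedf85b3203a7f0N.exe"',
              r'C:\Windows\explorer.exe'),
    ProcEvent(4456, 1304,
              r'C:\Users\Admin\AppData\Roaming\omsecor.exe',
              r'C:\Users\Admin\AppData\Local\Temp\ab4dedf6e12a49ee8bedf85b3203a7f0N.exe'),
    ProcEvent(4780, 4456,
              r'C:\Windows\System32\omsecor.exe',      # logged command line
              r'C:\Users\Admin\AppData\Roaming\omsecor.exe'),
    ProcEvent(3684, 4780,
              r'C:\Users\Admin\AppData\Roaming\omsecor.exe',
              r'C:\Windows\SysWOW64\omsecor.exe'),    # actual image path
]

# Directories the report shows omsecor.exe being written to / run from.
SUSPICIOUS_DIRS = ('c:\\users\\*\\appdata\\roaming\\', 'c:\\windows\\syswow64\\')


def is_omsecor_chain_hit(ev: ProcEvent) -> bool:
    """True for an omsecor.exe started from a user-writable or SysWOW64 path
    whose parent is another omsecor.exe or something run from %TEMP%."""
    img = normalise_path(ev.image)
    parent = normalise_path(ev.parent_image)
    if not img.endswith('\\omsecor.exe'):
        return False
    if not img.startswith(SUSPICIOUS_DIRS):
        return False
    return parent.endswith('\\omsecor.exe') or '\\appdata\\local\\temp\\' in parent


def walk_chain(events, root_pid: int) -> list:
    """PIDs reachable from root_pid by following parent links (for scoping
    the incident once one hit is confirmed)."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in by_parent.get(pid, []):
            out.append(child.pid)
            stack.append(child.pid)
    return out


def detect(events) -> list:
    """Return the PIDs of events matching the chain rule, in log order."""
    return [ev.pid for ev in events if is_omsecor_chain_hit(ev)]


if __name__ == '__main__':
    hits = detect(EVENTS)
    print('chain hits:', hits)                      # [4456, 4780, 3684]
    print('descendants of 1304:', walk_chain(EVENTS, 1304))
```

Because the rule keys on the normalised path rather than on the file hash, it still fires when the dropped copies differ byte-for-byte from the submitted sample, which the Downloads section shows they do.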
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
90KB
MD5 66151d6d015148fcd23bf666f63eeee7
SHA1 534df2939abe74d5a26bbc2e2793f9117044391d
SHA256 e70f9a70a3e0079bd80120ad78655ca4bab52b5786036fbdeb27bb91004004c9
SHA512 36c79f6ee049c11ab5223acbb471ab8b667b5a79be8dbd1932f885fe5ea7940d21165f88e6257e904e498b9a2bc61db988510c73825e763b3cdb32fedb8584a7
-
Filesize
90KB
MD5 f552ca15710cf1d95beac0800a810cbe
SHA1 e3d36705c8b209ca3b5c1cb06d82643218b4d817
SHA256 e3024e531e8aa641f159d9094a61fdb6b55d4dc4452879272bc6d5c206abe646
SHA512 f10ba157f391c41771fd2615088e5c58343e807dc43f704d44c1eef93728bea2de92b7643bc24832264eace531cf33808e6a1c3e9fc66538ea19845fa1b27065
-
Filesize
90KB
MD5 6833d47df5d0f3251a96d079fce616dd
SHA1 9c3a96c1b848527c9bf7fe5bc6ac23b63c618fc6
SHA256 b82eab4b1694a0eba914d11cbb69e403d254e32ac00c5be1f1c0562a78938d88
SHA512 12c3a3c109426dad12488cfe856f2e3fd0e737c2ea3fff70234a069f10c5e14eb27a579b76a04dda142983aa09714c1ce97b6315e13fef734831ff553acc857f
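All three dropped files are 90KB, the same size as the submitted sample, yet each carries a different MD5/SHA1/SHA256/SHA512, so a blocklist built from the submitted hash alone will miss the copies written to AppData\Roaming and SysWOW64. The following is an added example, not part of the report: it turns the hashes in the General and Downloads sections and the hosts in the Malware Config section into a small indicator set, computes all four digests of a file's bytes and checks them, and matches a URL's host (including subdomains) against the C2 list. The sample bytes and test URLs are constructed; the hashes and hostnames are copied from the report.

```python
"""Added example (not from the sandbox report): match file digests and URL
hosts against the indicators listed in this report. Input bytes below are
constructed placeholders, not the real files."""
import hashlib
from urllib.parse import urlsplit

# Submitted sample (General) plus the three dropped files (Downloads).
KNOWN_HASHES = {
    'md5': {
        'ab4dedf6e12a49ee8bedf85b3203a7f0',
        '66151d6d015148fcd23bf666f63eeee7',
        'f552ca15710cf1d95beac0800a810cbe',
        '6833d47df5d0f3251a96d079fce616dd',
    },
    'sha1': {
        'a32da655f101dfb2ac73a963fc72f5d17cd07206',
        '534df2939abe74d5a26bbc2e2793f9117044391d',
        'e3d36705c8b209ca3b5c1cb06d82643218b4d817',
        '9c3a96c1b848527c9bf7fe5bc6ac23b63c618fc6',
    },
    'sha256': {
        '3203cfa8739f2b1fa705f3230662cbcf868a71f43df5d0b4d31582d89ab9c926',
        'e70f9a70a3e0079bd80120ad78655ca4bab52b5786036fbdeb27bb91004004c9',
        'e3024e531e8aa641f159d9094a61fdb6b55d4dc4452879272bc6d5c206abe646',
        'b82eab4b1694a0eba914d11cbb69e403d254e32ac00c5be1f1c0562a78938d88',
    },
}

# C2 URLs from the Malware Config section.
C2_URLS = ['http://ow5dirasuek.com/', 'http://mkkuei4kdsz.com/', 'http://lousta.net/']
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}


def digests(data: bytes) -> dict:
    """All four digests the report lists, as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ('md5', 'sha1', 'sha256', 'sha512')}


def match_hashes(data: bytes) -> set:
    """Algorithms under which the data matches a known indicator.
    Any non-empty result is a hit; compare every algorithm you have, since
    a feed may carry only one of them."""
    d = digests(data)
    return {alg for alg, known in KNOWN_HASHES.items() if d[alg] in known}


def is_c2_url(url: str) -> bool:
    """True if the URL's host is a listed C2 host or a subdomain of one."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    host = host.lower().rstrip('.')
    return any(host == h or host.endswith('.' + h) for h in C2_HOSTS)


if __name__ == '__main__':
    sample = b'constructed placeholder bytes, not the real dropped file'
    print('hash match:', match_hashes(sample))              # set()
    print('c2:', is_c2_url('http://ow5dirasuek.com/gate'))   # True
```

Hash matching is exact, so it only confirms a copy already seen; pair it with the path-based process-chain rule and the C2 host check to cover copies with a fresh hash.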