Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
18-08-2024 05:50
Static task
static1
Behavioral task
behavioral1
Sample
20cf26a21e2369301dc9074311243430N.exe
Resource
win7-20240704-en
General
-
Target
20cf26a21e2369301dc9074311243430N.exe
-
Size
33KB
-
MD5
20cf26a21e2369301dc9074311243430
-
SHA1
178b8933ecaf6919e4bec3844bb138ddbc67412c
-
SHA256
3343e7feb1c5fbcdfb52fb8194c669177c7b784794c5253fe33b213e59835794
-
SHA512
c57fb0ed25165dd925b485c9eaebd40424052afa11d1af9a5cc3c16202eebc5911f5f3fecc9705fc085c389ee990eaf94400d68174be42835179ddf057615bd9
-
SSDEEP
768:OfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:OfVRztyHo8QNHTk0qE5fslvN/956q
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
omsecor.exe, omsecor.exe
pid  | process
4380 | omsecor.exe
5064 | omsecor.exe
-
Drops file in System32 directory 2 IoCs
Processes:
omsecor.exe, omsecor.exe
description                  | ioc                               | process
File opened for modification | C:\Windows\SysWOW64\merocz.xc6    | omsecor.exe
File created                 | C:\Windows\SysWOW64\omsecor.exe   | omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
20cf26a21e2369301dc9074311243430N.exe, omsecor.exe, omsecor.exe
description | ioc                                                       | process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20cf26a21e2369301dc9074311243430N.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
20cf26a21e2369301dc9074311243430N.exe, omsecor.exe
description                         | pid  | process                               | target process
PID 2976 wrote to memory of 4380    | 2976 | 20cf26a21e2369301dc9074311243430N.exe | omsecor.exe
PID 2976 wrote to memory of 4380    | 2976 | 20cf26a21e2369301dc9074311243430N.exe | omsecor.exe
PID 2976 wrote to memory of 4380    | 2976 | 20cf26a21e2369301dc9074311243430N.exe | omsecor.exe
PID 4380 wrote to memory of 5064    | 4380 | omsecor.exe                           | omsecor.exe
PID 4380 wrote to memory of 5064    | 4380 | omsecor.exe                           | omsecor.exe
PID 4380 wrote to memory of 5064    | 4380 | omsecor.exe                           | omsecor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\20cf26a21e2369301dc9074311243430N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\20cf26a21e2369301dc9074311243430N.exe" (depth 1)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe (depth 3)
Note: the command line names System32 but the image runs from SysWOW64; the 32-bit process's System32 path is redirected to SysWOW64 by WOW64 file system redirection, which is also why the dropped files above land in SysWOW64.
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5064
-
-
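The process tree above (a dropper in a user-writable directory spawning a same-named copy from SysWOW64, launched via a System32 command line) is a pattern worth turning into detection logic. The following is an added example, not part of the sandbox report: it replays the report's tree as constructed Sysmon-style process-creation records (the PIDs and paths are the ones listed on this page; the parent PID 1234 for the top-level processes and the benign explorer/notepad control events are assumptions) and flags both the self-copy chain and the WOW64-redirected launch.

```python
r"""Detection sketch for the process chain shown in this sandbox report.

Added example (not part of the report). Field names mirror Sysmon Event ID 1
(pid, ppid, image, command line); the records below are constructed from the
report's process tree, not captured logs.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Path fragments treated as user-writable drop locations (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# System directories a dropper copies itself into (from the report).
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed from the report's process tree; PPID 1234 and the
# explorer/notepad control events are assumptions for illustration.
EVENTS: List[ProcEvent] = [
    ProcEvent(2976, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\20cf26a21e2369301dc9074311243430N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\20cf26a21e2369301dc9074311243430N.exe"'),
    ProcEvent(4380, 2976,
              r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
              r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    ProcEvent(5064, 4380,
              r"C:\Windows\SysWOW64\omsecor.exe",
              r"C:\Windows\System32\omsecor.exe"),
    # Benign control: explorer launching notepad from System32 (constructed).
    ProcEvent(6000, 1234, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6001, 6000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def _in_user_writable(image: str) -> bool:
    return any(seg in image.lower() for seg in USER_WRITABLE)


def _in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def find_self_copy_chains(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (parent, child) pairs where a process running from a
    user-writable directory spawns a same-named image from a system
    directory: the AppData\Roaming -> SysWOW64 hop in the report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_name = (ntpath.basename(parent.image).lower()
                     == ntpath.basename(child.image).lower())
        if same_name and _in_user_writable(parent.image) and _in_system_dir(child.image):
            hits.append((parent, child))
    return hits


def redirected_command_lines(events: List[ProcEvent]) -> List[ProcEvent]:
    """Flag processes whose command line names System32 while the image
    actually runs from SysWOW64: a 32-bit launch redirected by WOW64 file
    system redirection, as with PID 5064 in the report."""
    return [e for e in events
            if "\\system32\\" in e.command_line.lower()
            and "\\syswow64\\" in e.image.lower()]


if __name__ == "__main__":
    for parent, child in find_self_copy_chains(EVENTS):
        print(f"[self-copy chain] {parent.pid} {parent.image} -> {child.pid} {child.image}")
    for e in redirected_command_lines(EVENTS):
        print(f"[wow64 redirect] pid {e.pid}: cmd {e.command_line} -> image {e.image}")
```

Run against the constructed records, the chain detector reports only the 4380 -> 5064 hop (the 2976 -> 4380 hop has different basenames, and explorer -> notepad starts outside a user-writable path), and the redirection check reports only PID 5064. On real telemetry the same logic keys off Sysmon Event ID 1's Image, CommandLine, ProcessId and ParentProcessId fields.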
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
33KB
MD5 36e09929e35c9c312c6b2e069c7233ea
SHA1 c8f452a4fc4c078dba3e529906818313332fc846
SHA256 5e84bbeedf022d819371d3c4d643671d2db2444e65b8ad7cd7df6921096e2b7b
SHA512 53f4b9aea01e3c6f453bdc9e51ae0f7a9c39c03d7b32aa9a0b348c1bc959939c00b0e1fa0a1c6d7d2c180e9537a63e22400f3d60bbdeec3360545679ebf5d473
-
Filesize
33KB
MD5 fcb79404391d581636891bd8180ba45f
SHA1 a96a74f2f0a09c8ca546833beec6da420e87e03c
SHA256 713fe7dddc3e5f29935b2b1e9b34478ace82dd3277792c9b41d62667974a0a77
SHA512 8ce0b8e24adfa352c6f3c7d2d9940896be6290e3da30e66d8eb5f996b903802e5bbfe9275bab44bc1517651d5a769f7f42711ed66150ca514a52e088b9516a1d