Analysis
max time kernel: 117s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 05:58
Static task: static1
Behavioral task: behavioral1
Sample: 5b002622f8369ec9e804b185e9376fc0N.exe
Resource: win7-20240704-en
General
Target: 5b002622f8369ec9e804b185e9376fc0N.exe
Size: 96KB
MD5: 5b002622f8369ec9e804b185e9376fc0
SHA1: 4d077d57f02736b585f5a72c7625905b856dcfb2
SHA256: 0499beff84adc41da5dd97694023640d8fe1206730d8100ab5603b282af9e794
SHA512: 438d707898c5006cbbfc73fef6e0507deff238d90c75601fab5d16c28faef76f8fc4de7f463b6ac1ec825d5bbc9e5a4179678aacaa9223b8f9ba9dd4155992bc
SSDEEP: 1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:LGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
  pid   process
  3256  omsecor.exe
  1276  omsecor.exe
  4288  omsecor.exe
  3524  omsecor.exe
  3624  omsecor.exe
  4820  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   process                                target process
  PID 2052 set thread context of 2384  2052  5b002622f8369ec9e804b185e9376fc0N.exe  5b002622f8369ec9e804b185e9376fc0N.exe
  PID 3256 set thread context of 1276  3256  omsecor.exe                            omsecor.exe
  PID 4288 set thread context of 3524  4288  omsecor.exe                            omsecor.exe
  PID 3624 set thread context of 4820  3624  omsecor.exe                            omsecor.exe

Program crash (4 IoCs)
  pid   pid_target  process       target process
  3828  2052        WerFault.exe  5b002622f8369ec9e804b185e9376fc0N.exe
  804   3256        WerFault.exe  omsecor.exe
  4904  4288        WerFault.exe  omsecor.exe
  3608  3624        WerFault.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5b002622f8369ec9e804b185e9376fc0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5b002622f8369ec9e804b185e9376fc0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical rows grouped, with the number of reported events in the last column)
  description                       pid   process                                target process                         events
  PID 2052 wrote to memory of 2384  2052  5b002622f8369ec9e804b185e9376fc0N.exe  5b002622f8369ec9e804b185e9376fc0N.exe  5
  PID 2384 wrote to memory of 3256  2384  5b002622f8369ec9e804b185e9376fc0N.exe  omsecor.exe                            3
  PID 3256 wrote to memory of 1276  3256  omsecor.exe                            omsecor.exe                            5
  PID 1276 wrote to memory of 4288  1276  omsecor.exe                            omsecor.exe                            3
  PID 4288 wrote to memory of 3524  4288  omsecor.exe                            omsecor.exe                            5
  PID 3524 wrote to memory of 3624  3524  omsecor.exe                            omsecor.exe                            3
  PID 3624 wrote to memory of 4820  3624  omsecor.exe                            omsecor.exe                            5
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe  (PID 2052)
  cmd: "C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe  (PID 2384)
    cmd: C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3256)
      cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1276)
        cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe  (PID 4288)
          cmd: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe  (PID 3524)
            cmd: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3624)
              cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4820)
                cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\WerFault.exe  (PID 3608)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 268
                - Program crash

          C:\Windows\SysWOW64\WerFault.exe  (PID 4904)
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 300
            - Program crash

      C:\Windows\SysWOW64\WerFault.exe  (PID 804)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 300
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 3828)
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 272
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 668)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe  (PID 2004)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3256 -ip 3256

C:\Windows\SysWOW64\WerFault.exe  (PID 3284)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe  (PID 3668)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3624 -ip 3624
Network
MITRE ATT&CK Enterprise v15
Downloads