Analysis

max time kernel: 116s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 43f1333d880fc73b01ecd2d0ebbd3370N.exe
Resource: win7-20240705-en
General

Target: 43f1333d880fc73b01ecd2d0ebbd3370N.exe
Size: 134KB
MD5: 43f1333d880fc73b01ecd2d0ebbd3370
SHA1: 936df6890c1dc0bfad6f0ba0c517ee4ff028b6cc
SHA256: dc6e701613bc61254f3f02b3e584e7462444789940d3727280086a8cebeef89a
SHA512: b50eeb6948ed7c58f32054b008e334e3c05be438e3958ee0e301cc27ad2b6b9844d61828fc470dd93c9b9110f9213517f58e4507d32baa1b31224b9db2ddf7e8
SSDEEP: 1536:oDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:OiRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config

Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes: omsecor.exe (x6)
pid  | process
2712 | omsecor.exe
3272 | omsecor.exe
1944 | omsecor.exe
4692 | omsecor.exe
2764 | omsecor.exe
1832 | omsecor.exe

Drops file in System32 directory (1 IoC)
Processes: omsecor.exe
description  | ioc                             | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes: 43f1333d880fc73b01ecd2d0ebbd3370N.exe, omsecor.exe (x3)
description                         | pid  | process                               | target process
PID 1116 set thread context of 3916 | 1116 | 43f1333d880fc73b01ecd2d0ebbd3370N.exe | 43f1333d880fc73b01ecd2d0ebbd3370N.exe
PID 2712 set thread context of 3272 | 2712 | omsecor.exe                           | omsecor.exe
PID 1944 set thread context of 4692 | 1944 | omsecor.exe                           | omsecor.exe
PID 2764 set thread context of 1832 | 2764 | omsecor.exe                           | omsecor.exe

Program crash (4 IoCs)
Processes: WerFault.exe (x4)
pid  | pid_target | process      | target process
2024 | 1116       | WerFault.exe | 43f1333d880fc73b01ecd2d0ebbd3370N.exe
1916 | 2712       | WerFault.exe | omsecor.exe
1224 | 1944       | WerFault.exe | omsecor.exe
872  | 2764       | WerFault.exe | omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 43f1333d880fc73b01ecd2d0ebbd3370N.exe (x2), omsecor.exe (x6)
description | ioc                                                         | process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 43f1333d880fc73b01ecd2d0ebbd3370N.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 43f1333d880fc73b01ecd2d0ebbd3370N.exe
Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 43f1333d880fc73b01ecd2d0ebbd3370N.exe (x2), omsecor.exe (x5)
Identical consecutive events are grouped; the count in parentheses is the number of table rows collapsed into that line.
description                          | pid  | process                               | target process
PID 1116 wrote to memory of 3916 (x5) | 1116 | 43f1333d880fc73b01ecd2d0ebbd3370N.exe | 43f1333d880fc73b01ecd2d0ebbd3370N.exe
PID 3916 wrote to memory of 2712 (x3) | 3916 | 43f1333d880fc73b01ecd2d0ebbd3370N.exe | omsecor.exe
PID 2712 wrote to memory of 3272 (x5) | 2712 | omsecor.exe                           | omsecor.exe
PID 3272 wrote to memory of 1944 (x3) | 3272 | omsecor.exe                           | omsecor.exe
PID 1944 wrote to memory of 4692 (x5) | 1944 | omsecor.exe                           | omsecor.exe
PID 4692 wrote to memory of 2764 (x3) | 4692 | omsecor.exe                           | omsecor.exe
PID 2764 wrote to memory of 1832 (x5) | 2764 | omsecor.exe                           | omsecor.exe
Processes
(Indentation shows the parent/child relationship; the bracketed number is the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe"
    PID: 1116
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe
        PID: 3916
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2712
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 3272
                - Executes dropped EXE
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\omsecor.exe
                    Command line: C:\Windows\System32\omsecor.exe
                    PID: 1944
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\omsecor.exe
                        Command line: C:\Windows\SysWOW64\omsecor.exe
                        PID: 4692
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                            PID: 2764
                            - Executes dropped EXE
                            - Suspicious use of SetThreadContext
                            - System Location Discovery: System Language Discovery
                            - Suspicious use of WriteProcessMemory

                            [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                                PID: 1832
                                - Executes dropped EXE
                                - System Location Discovery: System Language Discovery

                            [8] C:\Windows\SysWOW64\WerFault.exe
                                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 256
                                PID: 872
                                - Program crash

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 292
                        PID: 1224
                        - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 288
                PID: 1916
                - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 288
        PID: 2024
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1116 -ip 1116
    PID: 4300

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2712 -ip 2712
    PID: 4188

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1944 -ip 1944
    PID: 2816

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2764 -ip 2764
    PID: 4564
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
Filesize: 134KB
MD5: 13c0f95243bc1d501f9b8eec370f5942
SHA1: 0946eb0c861e715407cc767dd547a82312edb279
SHA256: f3b26927e40f90459a78c25d9facea12ab8ba425738bafbeec685544df6f6071
SHA512: f09a5e959f171205747f551e51f859027ebb5177138b89041db54208bf0749a94a9c5a52cdc46266422bb5fc68158b3bcd13d9a64f5a0040624a8c62dc057edb

Download 2
Filesize: 134KB
MD5: 3d7b5d84e8b2c05e47f7240af033ee95
SHA1: 828a693d9127233cf978d1b9a42a4ae2c04f2ea3
SHA256: 584d5fec78e14082ecd0f8ec1c823265c088d6bdaf66fb3bd6f2c3eb88937d86
SHA512: a113268f1ae48eb99df56335e2688c3b1fcb20d05bad4831c85e0fba5d7addfd96db3364a3c8a6e3ba33127709f4e4e3ba3dd0b5ff67f5674690396eb21de8ba

Download 3
Filesize: 134KB
MD5: 79e9a8fb680fe7636871e4bbfdb83f05
SHA1: bef4d34e0bedccd1cb7ff929581d4403cf9d4154
SHA256: d449ed7d9735c38a6aa75a5729f148bd221200ca81be336f19a5442f38b66c7f
SHA512: 21254d90ee39ec3248d8b19238b91fa2c9141578372d602641786dddc2b7801422847dc412632aaa5b2485d50bfd03ae1eaa6cc0e67e531f6d426b4a98f3186a