Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 09:09
Behavioral task: behavioral1
- Sample: 759b81d87e3790c1e1a5eb0e8ca191c0N.exe
- Resource: win7-20240704-en
General
- Target: 759b81d87e3790c1e1a5eb0e8ca191c0N.exe
- Size: 71KB
- MD5: 759b81d87e3790c1e1a5eb0e8ca191c0
- SHA1: 187790f1e2c75ef8fad872b78e60337e01a5ec93
- SHA256: d53e63679f7902887c20b9587c6ac16fbce6f22b4b3d918027644217908fdabe
- SHA512: 102e5e6822b9da768f6e9b2a4b7de2cb2eb956bb4c92fd4372147dab7f705f0ae90ee2ec3baafef80f43d79d7a8d51427632bbc5984bd0331bf5acbc506a4cff
- SSDEEP: 1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:GdseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid    process
  4720   omsecor.exe
  448    omsecor.exe
  4524   omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description    ioc                                 process
  File created   C:\Windows\SysWOW64\omsecor.exe     omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: omsecor.exe, 759b81d87e3790c1e1a5eb0e8ca191c0N.exe, omsecor.exe, omsecor.exe
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   759b81d87e3790c1e1a5eb0e8ca191c0N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 759b81d87e3790c1e1a5eb0e8ca191c0N.exe, omsecor.exe, omsecor.exe
  description                        pid    process                                  target process
  PID 3924 wrote to memory of 4720   3924   759b81d87e3790c1e1a5eb0e8ca191c0N.exe    omsecor.exe
  PID 3924 wrote to memory of 4720   3924   759b81d87e3790c1e1a5eb0e8ca191c0N.exe    omsecor.exe
  PID 3924 wrote to memory of 4720   3924   759b81d87e3790c1e1a5eb0e8ca191c0N.exe    omsecor.exe
  PID 4720 wrote to memory of 448    4720   omsecor.exe                              omsecor.exe
  PID 4720 wrote to memory of 448    4720   omsecor.exe                              omsecor.exe
  PID 4720 wrote to memory of 448    4720   omsecor.exe                              omsecor.exe
  PID 448 wrote to memory of 4524    448    omsecor.exe                              omsecor.exe
  PID 448 wrote to memory of 4524    448    omsecor.exe                              omsecor.exe
  PID 448 wrote to memory of 4524    448    omsecor.exe                              omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe"
   PID: 3924
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4720
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 448
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4524
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
   PID: 3368
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 71KB
  MD5: cb326e1b4a9fa3d997349b174f99131c
  SHA1: 86b522fbeff8c3f761e2370a95d40c7af22903aa
  SHA256: 4f11dc9bbee10a12cf044922b2062045cf78ddc4a50a9eec8d528474ff227b24
  SHA512: 2fe9df11f516069b7e49090489d2b4919cb9963d0b1b6bd0132532131cbabe9199ba236746640a168781d2a7f19bee3198e3f43d175b91bb505698def5027b88
- Filesize: 71KB
  MD5: b2eff1323a1ffb0533429e2da8a9642d
  SHA1: 9aa55585d58ce023f3e47922f82f8febd775de29
  SHA256: b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d
  SHA512: d5ede1b0aaef977c79e16ec5e7401a241e53471d7ce8d4efb0c6453560e7dadbb766da36d4d546b7657b282804374da9052c869756e94dd01e1f765b6a5b50b7
- Filesize: 71KB
  MD5: 31c6957d8312e2057c6e0a72c9a47c78
  SHA1: 6d9f529475d2a434f9419c913dd205e4d04cddfd
  SHA256: 109bfd75427bb5720960d0ea204186b0eb93440da83ca1985cf24ef63322fa2f
  SHA512: e14be9f6355beb4dbcb9f4fa14fa3ed01eb86bcddef115fc7999e1bfc50ce5641313f36b7813ff45888149b2aaa80538461d54481fd8e4c9ac98597f46e4cb76