Analysis

- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 09:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2b7b7ff52de860b729fdf80c48091be0N.exe
- Resource: win7-20240705-en
General

- Target: 2b7b7ff52de860b729fdf80c48091be0N.exe
- Size: 134KB
- MD5: 2b7b7ff52de860b729fdf80c48091be0
- SHA1: ea9926aff20c7767152a41cd9755009146aeae8f
- SHA256: b06d7cd428c59e8ed614c3bf2475cadb03e6d20299fca47fd545fe5f7993be37
- SHA512: 2df0b1699abb5bea2a5ee8cd5712c6e4a9fb5e8ffb79283be529ffb1bbbe72eee4c82db89f35f5ec1d529285d87f25f9c7787235648f66b62f7eea7f7fa5e967
- SSDEEP: 1536:sDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:SiRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config

Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)

| pid  | process     |
|------|-------------|
| 4996 | omsecor.exe |
| 396  | omsecor.exe |
| 3544 | omsecor.exe |
| 2916 | omsecor.exe |
| 4832 | omsecor.exe |
| 3540 | omsecor.exe |

Drops file in System32 directory (1 IoC)

| description  | ioc                             | process     |
|--------------|---------------------------------|-------------|
| File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |

Suspicious use of SetThreadContext (4 IoCs)

| description                         | pid  | process                               | target process                        |
|-------------------------------------|------|---------------------------------------|---------------------------------------|
| PID 3924 set thread context of 4200 | 3924 | 2b7b7ff52de860b729fdf80c48091be0N.exe | 2b7b7ff52de860b729fdf80c48091be0N.exe |
| PID 4996 set thread context of 396  | 4996 | omsecor.exe                           | omsecor.exe                           |
| PID 3544 set thread context of 2916 | 3544 | omsecor.exe                           | omsecor.exe                           |
| PID 4832 set thread context of 3540 | 4832 | omsecor.exe                           | omsecor.exe                           |

Program crash (4 IoCs)

| pid  | pid_target | process      | target process                        |
|------|------------|--------------|---------------------------------------|
| 712  | 3924       | WerFault.exe | 2b7b7ff52de860b729fdf80c48091be0N.exe |
| 3988 | 4996       | WerFault.exe | omsecor.exe                           |
| 4320 | 3544       | WerFault.exe | omsecor.exe                           |
| 3572 | 4832       | WerFault.exe | omsecor.exe                           |

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc                                                          | process                               |
|-------------|--------------------------------------------------------------|---------------------------------------|
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                           |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                           |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b7b7ff52de860b729fdf80c48091be0N.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b7b7ff52de860b729fdf80c48091be0N.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                           |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                           |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                           |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                           |

Suspicious use of WriteProcessMemory (29 IoCs)

The report lists one row per write; identical rows are collapsed here with their occurrence count.

| description                      | pid  | process                               | target process                        | occurrences |
|----------------------------------|------|---------------------------------------|---------------------------------------|-------------|
| PID 3924 wrote to memory of 4200 | 3924 | 2b7b7ff52de860b729fdf80c48091be0N.exe | 2b7b7ff52de860b729fdf80c48091be0N.exe | 5           |
| PID 4200 wrote to memory of 4996 | 4200 | 2b7b7ff52de860b729fdf80c48091be0N.exe | omsecor.exe                           | 3           |
| PID 4996 wrote to memory of 396  | 4996 | omsecor.exe                           | omsecor.exe                           | 5           |
| PID 396 wrote to memory of 3544  | 396  | omsecor.exe                           | omsecor.exe                           | 3           |
| PID 3544 wrote to memory of 2916 | 3544 | omsecor.exe                           | omsecor.exe                           | 5           |
| PID 2916 wrote to memory of 4832 | 2916 | omsecor.exe                           | omsecor.exe                           | 3           |
| PID 4832 wrote to memory of 3540 | 4832 | omsecor.exe                           | omsecor.exe                           | 5           |
Processes

- C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe (PID 3924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe (PID 4200)
    Command line: C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4996)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 396)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 3544)
          Command line: C:\Windows\System32\omsecor.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 2916)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4832)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3540)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 3572)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 260
                Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 4320)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 292
            Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 3988)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 288
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 712)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 288
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1136)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3924 -ip 3924
- C:\Windows\SysWOW64\WerFault.exe (PID 3236)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4996 -ip 4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
- C:\Windows\SysWOW64\WerFault.exe (PID 4964)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3544 -ip 3544
- C:\Windows\SysWOW64\WerFault.exe (PID 4672)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4832 -ip 4832
Downloads