Analysis

- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 09:18

Behavioral task: behavioral1
Sample: d37325fa6d16e231fe954451da014930N.exe
Resource: win7-20240704-en
General

- Target: d37325fa6d16e231fe954451da014930N.exe
- Size: 80KB
- MD5: d37325fa6d16e231fe954451da014930
- SHA1: 59f2ca54376d026804105d04664edfa9ce5320e4
- SHA256: dabab0c6eb8f980f737cec377f243b17c7bc0ab4d8e85f7522a248d9de86bd71
- SHA512: de5c7acd5d633ec2c920617f557ebd1e1ad1f17ca4338befebb2a568c1d837432f3c8144624b172b564e81100d7c392781818f40e400c9401333f90d1a44212c
- SSDEEP: 768:JfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:JfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config

Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3296  omsecor.exe
    2968  omsecor.exe
    4316  omsecor.exe

- Drops file in System32 directory (1 IoC)
  Processes:
    description   ioc                               process
    File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                           process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d37325fa6d16e231fe954451da014930N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                                 target process
    PID 3828 wrote to memory of 3296  3828  d37325fa6d16e231fe954451da014930N.exe   omsecor.exe
    PID 3828 wrote to memory of 3296  3828  d37325fa6d16e231fe954451da014930N.exe   omsecor.exe
    PID 3828 wrote to memory of 3296  3828  d37325fa6d16e231fe954451da014930N.exe   omsecor.exe
    PID 3296 wrote to memory of 2968  3296  omsecor.exe                             omsecor.exe
    PID 3296 wrote to memory of 2968  3296  omsecor.exe                             omsecor.exe
    PID 3296 wrote to memory of 2968  3296  omsecor.exe                             omsecor.exe
    PID 2968 wrote to memory of 4316  2968  omsecor.exe                             omsecor.exe
    PID 2968 wrote to memory of 4316  2968  omsecor.exe                             omsecor.exe
    PID 2968 wrote to memory of 4316  2968  omsecor.exe                             omsecor.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe"
  PID: 3828
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 3296
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2968
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4316
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery