Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 08:35
Behavioral task: behavioral1
Sample: d7625c49eb9fad3a7ec0434a0f674d10N.exe
Resource: win7-20240705-en
General
Target: d7625c49eb9fad3a7ec0434a0f674d10N.exe
Size: 248KB
MD5: d7625c49eb9fad3a7ec0434a0f674d10
SHA1: e0adbf5813a672c5a39ccc8978835df766bae9eb
SHA256: 502122b7b1bb70ad90016451afddf796de362a2eca299f0af6948dd53a1e9a17
SHA512: 594f7713ceac2a77569b70d836097d72678754c7d342f3e4a5892eb1489dbab6c893d9e369bd480e9f14bd6cbe173453d7ae170789a202809824c7fa21ffafe3
SSDEEP: 1536:44d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:4IdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
Family: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE - 3 IoCs
Processes:
  pid   process
  1584  omsecor.exe
  4836  omsecor.exe
  4348  omsecor.exe
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/2304-0-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral2/memory/1584-4-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral2/memory/2304-6-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral2/memory/1584-7-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  C:\Windows\SysWOW64\omsecor.exe                                              upx
  behavioral2/memory/4836-11-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral2/memory/1584-12-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral2/memory/4348-17-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral2/memory/4836-18-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral2/memory/4348-20-0x0000000000400000-0x000000000043E000-memory.dmp  upx
Drops file in System32 directory - 1 IoCs
Processes:
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery - 1 TTPs, 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d7625c49eb9fad3a7ec0434a0f674d10N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory - 9 IoCs
Processes:
  description                        pid   process                                  target process
  PID 2304 wrote to memory of 1584   2304  d7625c49eb9fad3a7ec0434a0f674d10N.exe    omsecor.exe
  PID 2304 wrote to memory of 1584   2304  d7625c49eb9fad3a7ec0434a0f674d10N.exe    omsecor.exe
  PID 2304 wrote to memory of 1584   2304  d7625c49eb9fad3a7ec0434a0f674d10N.exe    omsecor.exe
  PID 1584 wrote to memory of 4836   1584  omsecor.exe                              omsecor.exe
  PID 1584 wrote to memory of 4836   1584  omsecor.exe                              omsecor.exe
  PID 1584 wrote to memory of 4836   1584  omsecor.exe                              omsecor.exe
  PID 4836 wrote to memory of 4348   4836  omsecor.exe                              omsecor.exe
  PID 4836 wrote to memory of 4348   4836  omsecor.exe                              omsecor.exe
  PID 4836 wrote to memory of 4348   4836  omsecor.exe                              omsecor.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\d7625c49eb9fad3a7ec0434a0f674d10N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7625c49eb9fad3a7ec0434a0f674d10N.exe"
  PID: 2304
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1584
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 4836
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4348
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 248KB
  MD5: 4f5d297038ffeb7221d051ed8d616245
  SHA1: 631aa1b753ad3cd361a14b154a908695bc734641
  SHA256: dd786f4e6ba354f72b480349d6a918c37d79471250fd6d6d2702fb9976cd2ae2
  SHA512: fc20931b30650b3fb868378a51d9664f92781068544ed2f919c1d2aabc6731e2c225a4f6c65927ad313188d5e42d77f9482a1a2a4fe7cb8976188de7c140a29c

File 2
  Filesize: 248KB
  MD5: 433dbad318d2e4c4391df92107ecdf08
  SHA1: 5fa78d6acc5115a4099b3f8f4af15d6362ead3ee
  SHA256: 4fdcf0778ccc566481f1f5cc1320076b32342ed4c7f0520c3d7be4edbbfcde40
  SHA512: 906513a8b08bfcb3050a65e3b1f2dab5aa137c492ae1485850345369513e63338938aca89e520fa1823d44938f5f81d58f574001b851a220669777b760ff812a

File 3
  Filesize: 248KB
  MD5: 97e98b4bf237b55c79ad243750e4f177
  SHA1: 3f67a6c9d14e5c83b1b3f69a96041e341be6a654
  SHA256: 5eec4d2a6f0676d90db65850fb97ab91b7564e0a0ad9e4dda330306d2517ca10
  SHA512: 481809c33e3e632a0bcd9708047abae567c287945214ff2706de4a740ca21ae737f5a53d308656631a2a5bb11aded4cf7d014246335328bae07e4aba1456dc25