Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 12:05
Behavioral task: behavioral1
Sample: b2efebdd3fa287b4b4af62798c8871d0N.exe
Resource: win7-20240708-en
General
Target: b2efebdd3fa287b4b4af62798c8871d0N.exe
Size: 80KB
MD5: b2efebdd3fa287b4b4af62798c8871d0
SHA1: 6be1af423364596d6c7ad5380a3469b4f35388c9
SHA256: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
SHA512: 27fddec4f6eb2f1dbbc47fdedd96a26ee11e3ff5884931c05ddc2f6754989ad19ed0267c4192c01b64303346d9296c08adbda0d7b6bf0d7218313d713cfdd7bd
SSDEEP: 768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:cfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
Family: neconyd
C2:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (3 IoCs)
  PID 3336  omsecor.exe
  PID 2348  omsecor.exe
  PID 1912  omsecor.exe

Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe  (by omsecor.exe)

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (4 events: once by b2efebdd3fa287b4b4af62798c8871d0N.exe and once by each of the three omsecor.exe processes)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4936 (b2efebdd3fa287b4b4af62798c8871d0N.exe) wrote to memory of PID 3336 (omsecor.exe), 3 events
  PID 3336 (omsecor.exe) wrote to memory of PID 2348 (omsecor.exe), 3 events
  PID 2348 (omsecor.exe) wrote to memory of PID 1912 (omsecor.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"
   PID: 4936
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3336
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2348
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         (The command line names System32 but the image ran from SysWOW64: that is WoW64 file system redirection of a 32-bit process, and it matches the drop location recorded under "Drops file in System32 directory".)
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1912
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
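The process tree and the signature hits above can be re-derived from the raw process, file, registry and memory-write events. The Python below is an added example, not the sandbox vendor's code: the event list is constructed from the PIDs, image paths, dropped-file path and registry key shown in this report, while the event schema, the "dropped EXE" heuristic (an executed image that was written during the trace or lives under AppData\Roaming) and the split of WriteProcessMemory events into writes into the writer's own child versus writes into an unrelated process are this example's assumptions. The split is the practitioner's caveat on the last signature: all nine writes in this report go from a parent into the child it just spawned, three per spawn, the same pattern as the initial launch; a write into a process the writer did not create would be the stronger injection signal, and the report shows none.

```python
"""Re-derive this report's process tree and signature hits from raw events.

Added example, not the sandbox vendor's code. The event schema, the
'dropped EXE' heuristic and the own-child-vs-unrelated split of memory
writes are this example's assumptions; PIDs, paths and the registry key
are taken from the report.
"""
import ntpath
from collections import defaultdict

NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"

# Constructed event list: same PIDs, images, file path and key as the report.
EVENTS = [
    {"kind": "process", "pid": 4936, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"},
    {"kind": "process", "pid": 3336, "ppid": 4936,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"kind": "process", "pid": 2348, "ppid": 3336,
     "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"kind": "process", "pid": 1912, "ppid": 2348,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"kind": "file_create", "pid": 3336, "path": r"C:\Windows\SysWOW64\omsecor.exe"},
]
EVENTS += [{"kind": "reg_open", "pid": pid, "key": NLS_LANGUAGE_KEY}
           for pid in (4936, 3336, 2348, 1912)]
# Three WriteProcessMemory events per spawn, as the report lists them.
EVENTS += [{"kind": "write_memory", "pid": src, "target": dst}
           for src, dst in ((4936, 3336), (3336, 2348), (2348, 1912))
           for _ in range(3)]


def processes(events):
    """Map pid -> process event, in creation order."""
    return {e["pid"]: e for e in events if e["kind"] == "process"}


def process_tree(events):
    """Render the parent/child nesting the way the Processes section does."""
    procs = processes(events)
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    roots = [pid for pid, p in procs.items() if p["ppid"] not in procs]
    lines = []

    def walk(pid, depth):
        name = ntpath.basename(procs[pid]["image"])
        lines.append("  " * depth + f"{name} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def dropped_exe_executions(events):
    """'Executes dropped EXE' (heuristic, this example's assumption): the image
    was written during the trace or lives under the user's AppData\\Roaming."""
    written = {e["path"].lower() for e in events if e["kind"] == "file_create"}
    return [p["pid"] for p in processes(events).values()
            if p["image"].lower() in written
            or "\\appdata\\roaming\\" in p["image"].lower()]


def system_dir_drops(events):
    """'Drops file in System32 directory': a file created under System32 or
    SysWOW64 by a process whose own image is not under C:\\Windows."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["kind"] != "file_create":
            continue
        writer = procs[e["pid"]]["image"].lower()
        if e["path"].lower().startswith(SYSTEM_DIRS) and not writer.startswith(WINDOWS_DIR):
            hits.append((e["pid"], e["path"]))
    return hits


def language_discovery(events):
    """'System Language Discovery': processes that opened the NLS\\Language key."""
    return sorted({e["pid"] for e in events
                   if e["kind"] == "reg_open"
                   and e["key"].lower() == NLS_LANGUAGE_KEY.lower()})


def classify_memory_writes(events):
    """Split WriteProcessMemory events into writes into the writer's own direct
    child (every write in this report) and writes into an unrelated process,
    which would be the stronger injection signal."""
    procs = processes(events)
    to_child, to_other = [], []
    for e in events:
        if e["kind"] != "write_memory":
            continue
        target = procs.get(e["target"])
        pair = (e["pid"], e["target"])
        (to_child if target and target["ppid"] == e["pid"] else to_other).append(pair)
    return to_child, to_other


def summarize(events):
    """Group the findings the way the Signatures section does."""
    to_child, to_other = classify_memory_writes(events)
    return {
        "executes_dropped_exe": dropped_exe_executions(events),
        "drops_file_in_system_dir": system_dir_drops(events),
        "system_language_discovery": language_discovery(events),
        "writes_into_own_child": len(to_child),
        "writes_into_unrelated_process": to_other,
    }


if __name__ == "__main__":
    print(process_tree(EVENTS))
    for name, value in summarize(EVENTS).items():
        print(f"{name}: {value}")
```

Feeding the same functions a real event export instead of the constructed list is the only change needed to triage another report; the heuristic in dropped_exe_executions is deliberately narrow and should be widened to whatever user-writable directories matter in the environment being hunted.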
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 80KB
MD5: 2167fbf1daa0169c53b3896c16eff387
SHA1: 0004c3dfc100b79d34cf569707a5eb25d5b29c2d
SHA256: ddff2783ce00568a8468f1c236375cea698c1974613b1f895aabbdcba457560b
SHA512: 24d8d52f0137008ae9290827adefa14d45550d3108473e3f9aafb4c453105f66c3b79a151813961d3ea243378b2b6712d57d087564cf3582442e297eb4857ef8

File 2
Filesize: 80KB
MD5: 73cf383a4b12cce57cb925cf0aeb13d9
SHA1: 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256: a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512: 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

File 3
Filesize: 80KB
MD5: 94d1643d00d0fe05e081ee5cf01ccd0c
SHA1: 2bf0e89fc2f3e5695fd63c33c02411272def6e5a
SHA256: 995bed93b81bae5111170e2891906fa0fee407b0ab31fb3f5320f25320b33185
SHA512: 7ba429d04031f3219d517ab1f604d26a545f4197a3f8f9394ac11b66aa80fb633e36f4a63ef2e31236ada55168606960a568b9206fc88bee50251b92cb78085c