Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 11:23
Behavioral task
- behavioral1
- Sample: 5dc708aa69cee869ebaf67ff489d1780N.exe
- Resource: win7-20240708-en
General
- Target: 5dc708aa69cee869ebaf67ff489d1780N.exe
- Size: 248KB
- MD5: 5dc708aa69cee869ebaf67ff489d1780
- SHA1: e4804f8293be1d18b2943664aa01c70235fb2e06
- SHA256: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370
- SHA512: d9e4cbbc51812dcb695d450930b76f727f4c45cb0d80b1563ad48c5beb40586c4f1f608d2b561f598b777106cf1e472b3826d1a6750faf1dd3f3908321dd00dd
- SSDEEP: 1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:kIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  | pid  | process     |
  | 2416 | omsecor.exe |
  | 2232 | omsecor.exe |
  | 2044 | omsecor.exe |
- (signature heading missing from the page)
  Processes:
  | resource | yara_rule |
  | behavioral2/memory/1768-0-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | C:\Users\Admin\AppData\Roaming\omsecor.exe | upx |
  | behavioral2/memory/2416-4-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | behavioral2/memory/1768-5-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | behavioral2/memory/2416-7-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | C:\Windows\SysWOW64\omsecor.exe | upx |
  | behavioral2/memory/2416-13-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | behavioral2/memory/2232-11-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | C:\Users\Admin\AppData\Roaming\omsecor.exe | upx |
  | behavioral2/memory/2044-17-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | behavioral2/memory/2232-18-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
  | behavioral2/memory/2044-20-0x0000000000400000-0x000000000043E000-memory.dmp | upx |
- Drops file in System32 directory (1 IoCs)
  Processes:
  | description  | ioc                             | process     |
  | File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  | description | ioc | process |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5dc708aa69cee869ebaf67ff489d1780N.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  | description | pid | process | target process |
  | PID 1768 wrote to memory of 2416 | 1768 | 5dc708aa69cee869ebaf67ff489d1780N.exe | omsecor.exe |
  | PID 1768 wrote to memory of 2416 | 1768 | 5dc708aa69cee869ebaf67ff489d1780N.exe | omsecor.exe |
  | PID 1768 wrote to memory of 2416 | 1768 | 5dc708aa69cee869ebaf67ff489d1780N.exe | omsecor.exe |
  | PID 2416 wrote to memory of 2232 | 2416 | omsecor.exe | omsecor.exe |
  | PID 2416 wrote to memory of 2232 | 2416 | omsecor.exe | omsecor.exe |
  | PID 2416 wrote to memory of 2232 | 2416 | omsecor.exe | omsecor.exe |
  | PID 2232 wrote to memory of 2044 | 2232 | omsecor.exe | omsecor.exe |
  | PID 2232 wrote to memory of 2044 | 2232 | omsecor.exe | omsecor.exe |
  | PID 2232 wrote to memory of 2044 | 2232 | omsecor.exe | omsecor.exe |
Processes
1. C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"
   PID: 1768
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2416
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2232
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2044
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 248KB
  MD5: 436104d9535959b9021a335467edb7f9
  SHA1: 173271133a660de9a9a87801a45dce29bffbf8f1
  SHA256: 56110cd1f933ef8c3b468fbd05fcfa783ae596e815ebe84a4c717dc0c783d9e0
  SHA512: c04b3f43a88645153d667815a73a5a764ece6256621dec109a277d8ca83bcadecd2d0633d54f3f5e6b930d061f830f2abcc7efe0d12bd11f3b9b50ea68ee3af5
- Filesize: 248KB
  MD5: 69831108eb6b444b612974498367891a
  SHA1: 241538951c7d8a3f395beb07cf3592e3166fffad
  SHA256: a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7
  SHA512: d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc
- Filesize: 248KB
  MD5: 2a1d1ee3e3f523894efe4982d53ed7fb
  SHA1: 47799d4f982364014462a3c3a34338d7dc82b9f6
  SHA256: 5e24ab16d27327333dc00d10e0c16314053768a199478d5ae8b4817c5094e1fa
  SHA512: 6d49f8ab77d28fc360439687e900929b8d198c44c180954bd62d0a95c8a3e6d375ddda88a40e747d2d179269283cc0652859c3116c866682d52854f305cd574f