Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 11:29

Behavioral task: behavioral1
- Sample: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
- Resource: win7-20240704-en
General
- Target: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
- Size: 248KB
- MD5: 5dc708aa69cee869ebaf67ff489d1780
- SHA1: e4804f8293be1d18b2943664aa01c70235fb2e06
- SHA256: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370
- SHA512: d9e4cbbc51812dcb695d450930b76f727f4c45cb0d80b1563ad48c5beb40586c4f1f608d2b561f598b777106cf1e472b3826d1a6750faf1dd3f3908321dd00dd
- SSDEEP: 1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:kIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
- Extracted: neconyd
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    572 omsecor.exe
    4264 omsecor.exe
    2700 omsecor.exe
- YARA matches (resource / yara_rule):
  yara_rule upx matched on:
    behavioral2/memory/4016-0-0x0000000000400000-0x000000000043E000-memory.dmp
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    behavioral2/memory/572-5-0x0000000000400000-0x000000000043E000-memory.dmp
    behavioral2/memory/4016-6-0x0000000000400000-0x000000000043E000-memory.dmp
    behavioral2/memory/572-7-0x0000000000400000-0x000000000043E000-memory.dmp
    C:\Windows\SysWOW64\omsecor.exe
    behavioral2/memory/4264-11-0x0000000000400000-0x000000000043E000-memory.dmp
    behavioral2/memory/572-13-0x0000000000400000-0x000000000043E000-memory.dmp
    behavioral2/memory/4264-17-0x0000000000400000-0x000000000043E000-memory.dmp
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    behavioral2/memory/2700-18-0x0000000000400000-0x000000000043E000-memory.dmp
    behavioral2/memory/2700-20-0x0000000000400000-0x000000000043E000-memory.dmp
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
    File created / C:\Windows\SysWOW64\omsecor.exe / omsecor.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 4016 wrote to memory of 572 / 4016 / 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe / omsecor.exe
    PID 4016 wrote to memory of 572 / 4016 / 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe / omsecor.exe
    PID 4016 wrote to memory of 572 / 4016 / 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe / omsecor.exe
    PID 572 wrote to memory of 4264 / 572 / omsecor.exe / omsecor.exe
    PID 572 wrote to memory of 4264 / 572 / omsecor.exe / omsecor.exe
    PID 572 wrote to memory of 4264 / 572 / omsecor.exe / omsecor.exe
    PID 4264 wrote to memory of 2700 / 4264 / omsecor.exe / omsecor.exe
    PID 4264 wrote to memory of 2700 / 4264 / omsecor.exe / omsecor.exe
    PID 4264 wrote to memory of 2700 / 4264 / omsecor.exe / omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe"
  PID: 4016
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 572
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      PID: 4264
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2700
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 248KB
  MD5: 2bbf0573a9df8fac3a32cd3f8ad204bc
  SHA1: ec886b23474a3f45be56e1cb99b3d11f953a027b
  SHA256: 6e160225a2411be7a4b083b68f3467eb3b54a9fb37c0384608eb03f6bcc7773c
  SHA512: 3ab15893c65725024599b3d3897bafe77cb386e9f78d42d2ca5b1d6b20cb25a38a03de966972edc2ff622ab88854cbb2f8813e67a8e3a52b333fbb8d8b9c9563
- Filesize: 248KB
  MD5: 69831108eb6b444b612974498367891a
  SHA1: 241538951c7d8a3f395beb07cf3592e3166fffad
  SHA256: a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7
  SHA512: d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc
- Filesize: 248KB
  MD5: 83dc6a8d590620d489a4528cce5c4483
  SHA1: a0bb872cf73cd137a747b4d193905c808f0da19d
  SHA256: 7806404e5893b6c8b20441cc128e50eb5ff549f79a412dd12075018c6ca005a4
  SHA512: 2eca8f07ce5242d0d31a64142ca79e08203420e655defd03bc317e41c50d9c486149a453ed131b6e791fbc7253499055ba03aa94a51556c06efa4a9a8e5f00eb