Analysis
max time kernel: 117s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 11:33
Behavioral task
behavioral1
Sample: 5ff42997329bb240d36b3877786d8970N.exe
Resource: win7-20240708-en
General
Target: 5ff42997329bb240d36b3877786d8970N.exe
Size: 76KB
MD5: 5ff42997329bb240d36b3877786d8970
SHA1: df07d4cd63c874aa9ada4227612c0775a2e00543
SHA256: bf8c000f958ecffc7527b9930deea9e84ae43ca31ad5fb8249a948654fe59786
SHA512: 5ba27ebe69c19482b7a651cdf068fc99dcc7c970785b1edce194c26e7b3618487639ffba4e65a999ecfd24a5ab71144385963f42d3570d44d4516504659d2639
SSDEEP: 768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:mbIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  PID 3832  omsecor.exe
  PID 4904  omsecor.exe
  PID 3424  omsecor.exe
Drops file in System32 directory (1 IoC)
Processes:
  File created  C:\Windows\SysWOW64\omsecor.exe  by omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs; ATT&CK T1614.001)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 5ff42997329bb240d36b3877786d8970N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by omsecor.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by omsecor.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each parent/child pair appears three times in the report):
  PID 3428 (5ff42997329bb240d36b3877786d8970N.exe)  wrote to memory of  PID 3832 (omsecor.exe)  x3
  PID 3832 (omsecor.exe)                             wrote to memory of  PID 4904 (omsecor.exe)  x3
  PID 4904 (omsecor.exe)                             wrote to memory of  PID 3424 (omsecor.exe)  x3
Processes

C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe  (PID 3428)
  command line: "C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3832)
       command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Drops file in System32 directory
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\omsecor.exe  (PID 4904)
            command line: C:\Windows\System32\omsecor.exe
            (the command line names System32, but the image that ran is the dropped SysWOW64 copy: the parent is a 32-bit process (resource tag arch:x86), so WOW64 file system redirection rewrites its System32 path to SysWOW64)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            └─ C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3424)
                 command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
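Detection logic for the behaviour above, as an added example that is not part of the sandbox report and not the sample's own code. It rebuilds the process chain and applies three rules derived from the signatures: an executable dropped into System32/SysWOW64 by a process running from a user-writable path, a process relaunching a binary with its own file name from a different directory, and WriteProcessMemory into a child whose image the chain dropped. The event records are constructed in a Sysmon-like shape from the report's process tree; the raw telemetry is not on the page, the root's launcher (ppid 0) is unknown, and the creation of the %APPDATA% copy by the original sample is inferred from "Executes dropped EXE" rather than listed in the report.

```python
"""Behavioural detection for the omsecor.exe dropper chain in the report above.

Added example: not part of the sandbox report and not the sample's own code.
EVENTS is CONSTRUCTED in a Sysmon-like shape from the report's process tree
and signatures; the report's raw telemetry is not on the page.
"""
from __future__ import annotations

import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events. PIDs and images follow the report; ppid 0 marks the root
# (its launcher is not in the report). The first file_create is inferred from
# "Executes dropped EXE"; the report itself lists only the SysWOW64 drop.
EVENTS = [
    {"event": "process_create", "pid": 3428, "ppid": 0, "image": SAMPLE, "parent_image": ""},
    {"event": "file_create", "pid": 3428, "image": SAMPLE, "target": ROAMING},
    {"event": "process_create", "pid": 3832, "ppid": 3428, "image": ROAMING, "parent_image": SAMPLE},
    {"event": "process_write", "pid": 3428, "image": SAMPLE, "target_pid": 3832, "target_image": ROAMING},
    {"event": "file_create", "pid": 3832, "image": ROAMING, "target": SYSWOW},
    {"event": "process_create", "pid": 4904, "ppid": 3832, "image": SYSWOW, "parent_image": ROAMING},
    {"event": "process_write", "pid": 3832, "image": ROAMING, "target_pid": 4904, "target_image": SYSWOW},
    {"event": "process_create", "pid": 3424, "ppid": 4904, "image": ROAMING, "parent_image": SYSWOW},
    {"event": "process_write", "pid": 4904, "image": SYSWOW, "target_pid": 3424, "target_image": ROAMING},
]


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on a non-Windows host.
    return ntpath.basename(path).lower()


def detect_system_dir_drop(events: list[dict]) -> list[tuple[int, str]]:
    """Rule 1 ("Drops file in System32 directory"): an .exe written under
    System32/SysWOW64 by a process whose own image lives in a user-writable path.
    Installers launched from %TEMP% can trip this alone; rule 2 disambiguates."""
    return [
        (e["pid"], e["target"])
        for e in events
        if e["event"] == "file_create"
        and e["target"].lower().endswith(".exe")
        and in_system_dir(e["target"])
        and in_user_writable(e["image"])
    ]


def detect_same_name_relaunch(events: list[dict]) -> list[tuple[int, int]]:
    """Rule 2: a process starts a child with its own file name from a different
    directory (omsecor.exe: %APPDATA% -> SysWOW64 -> %APPDATA%). (parent, child)."""
    return [
        (e["ppid"], e["pid"])
        for e in events
        if e["event"] == "process_create"
        and e["parent_image"]
        and basename(e["image"]) == basename(e["parent_image"])
        and e["image"].lower() != e["parent_image"].lower()
    ]


def detect_write_into_dropped_child(events: list[dict]) -> list[tuple[int, int]]:
    """Rule 3 ("Suspicious use of WriteProcessMemory"): a parent writes into its
    own child and the child's image is a file the chain dropped. Debuggers and
    launchers also write into children; the dropped-file condition limits noise."""
    dropped = {e["target"].lower() for e in events if e["event"] == "file_create"}
    children = {(e["ppid"], e["pid"]) for e in events if e["event"] == "process_create"}
    return [
        (e["pid"], e["target_pid"])
        for e in events
        if e["event"] == "process_write"
        and (e["pid"], e["target_pid"]) in children
        and e["target_image"].lower() in dropped
    ]


def process_chain(events: list[dict], leaf_pid: int) -> list[str]:
    """Follow ppid links from a leaf to the root; returns images root-first.
    A seen-set guards against PID reuse producing a cycle in real telemetry."""
    parents = {e["pid"]: (e["ppid"], e["image"]) for e in events if e["event"] == "process_create"}
    chain: list[str] = []
    seen: set[int] = set()
    pid = leaf_pid
    while pid in parents and pid not in seen:
        seen.add(pid)
        ppid, image = parents[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def triage(events: list[dict]) -> dict[str, object]:
    """Run all rules; the sample is flagged when the drop and the relaunch both fire."""
    drops = detect_system_dir_drop(events)
    relaunch = detect_same_name_relaunch(events)
    writes = detect_write_into_dropped_child(events)
    return {
        "system_dir_drop": drops,
        "same_name_relaunch": relaunch,
        "write_into_dropped_child": writes,
        "flagged": bool(drops and relaunch),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
    print(" -> ".join(process_chain(EVENTS, 3424)))
```

Against the constructed events the chain comes back as sample -> %APPDATA%\omsecor.exe -> SysWOW64\omsecor.exe -> %APPDATA%\omsecor.exe, matching the report's process tree, and all three WriteProcessMemory pairs hit rule 3. On a real host the same rules would be fed from Sysmon event IDs 1 (process create), 11 (file create) and 8/10 style cross-process access, with the SysWOW64 path normalised so that a 32-bit writer's "System32" and the redirected "SysWOW64" compare equal.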
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 76KB
MD5: 355eade5dafcd0eb244d38458c1ba459
SHA1: 2c0fd1dabd23c4082dd9a7259b9eb966f30fa2be
SHA256: 9215066b3a6a7c02b0e26ff9b560e644d8640c556a22e8ba3fac8ae6eb03399a
SHA512: eef7763febbf5ba66933dec987b2a2eb4412cf75e76d498a1f5f4f573514ae00fb61300a391faa5f28359f5958092c5388ff50d4a6824835df319589bf66d2dc

Filesize: 76KB
MD5: ac15f7cbb36ce4d213bf65ccd3dd81f9
SHA1: 9059c966cd5a981203d7b6fac9ae1cf3caff1356
SHA256: c130fe3c09576a3aa60344ef1149d09def3b0d5102acfc42f7f9e872b577dbf2
SHA512: d9fab174bab93f3d53bdbc76feb950ac3754dae300620ff6c14f63c6608604988b5e4ccd22746d634e6ce8b546d386872cc0372f6c7b58a02391768337a611b6

Filesize: 76KB
MD5: 41b80933318ba103baa94933319adecc
SHA1: 9c1a330eb8ba2917a3009ac5f017165de3331cb4
SHA256: b96a6f8b33bb7778a956814ce13c797a0374523e16405a5b933d5309ac98415f
SHA512: ff928a86bd33cd83e0f01b69487cac10ebc6462079d7c30facb6ff612e6c8e923c2cc206bd18c47d5e676d52cc116a0ebc70f512bec6771ced026af56d74c01c