Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 12:10
Behavioral task: behavioral1
Sample: b2efebdd3fa287b4b4af62798c8871d0N.exe
Resource: win7-20240708-en
General
- Target: b2efebdd3fa287b4b4af62798c8871d0N.exe
- Size: 80KB
- MD5: b2efebdd3fa287b4b4af62798c8871d0
- SHA1: 6be1af423364596d6c7ad5380a3469b4f35388c9
- SHA256: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
- SHA512: 27fddec4f6eb2f1dbbc47fdedd96a26ee11e3ff5884931c05ddc2f6754989ad19ed0267c4192c01b64303346d9296c08adbda0d7b6bf0d7218313d713cfdd7bd
- SSDEEP: 768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:cfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1828 omsecor.exe
  - 372 omsecor.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\omsecor.exe (omsecor.exe)
  - File opened for modification: C:\Windows\SysWOW64\merocz.xc6 (omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b2efebdd3fa287b4b4af62798c8871d0N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 1660 wrote to memory of 1828: b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe
  - PID 1660 wrote to memory of 1828: b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe
  - PID 1660 wrote to memory of 1828: b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe
  - PID 1828 wrote to memory of 372: omsecor.exe -> omsecor.exe
  - PID 1828 wrote to memory of 372: omsecor.exe -> omsecor.exe
  - PID 1828 wrote to memory of 372: omsecor.exe -> omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1660
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1828
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         PID: 372
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: 73cf383a4b12cce57cb925cf0aeb13d9
  SHA1: 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
  SHA256: a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
  SHA512: 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52
- Filesize: 80KB
  MD5: 2dc0cac89f448271895ccadeaccd3ea5
  SHA1: 0987e89e26282a0a114a2dd692731cd2301c3eb9
  SHA256: bd9a3f5790545ee4945f5eb53ab22b023720b669660f0fe07ded7dc7108827a2
  SHA512: 0b7e2570aa77213fa9f0616c749821af6200badba103e6bd9b0a3904f4c5e507dcafa74f41d4eb5d183b2c2ecc0c4bfd06d09a74830d2f0c3577979be5e0b658