Analysis

max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 12:11

Behavioral task: behavioral1
Sample: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
Resource: win7-20240705-en
General

Target: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
Size: 80KB
MD5: b2efebdd3fa287b4b4af62798c8871d0
SHA1: 6be1af423364596d6c7ad5380a3469b4f35388c9
SHA256: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
SHA512: 27fddec4f6eb2f1dbbc47fdedd96a26ee11e3ff5884931c05ddc2f6754989ad19ed0267c4192c01b64303346d9296c08adbda0d7b6bf0d7218313d713cfdd7bd
SSDEEP: 768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:cfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid    process
3364   omsecor.exe
868    omsecor.exe
4048   omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
description    ioc                                process
File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                          pid    process                                                                 target process
PID 4100 wrote to memory of 3364     4100   39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe   omsecor.exe
PID 4100 wrote to memory of 3364     4100   39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe   omsecor.exe
PID 4100 wrote to memory of 3364     4100   39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe   omsecor.exe
PID 3364 wrote to memory of 868      3364   omsecor.exe                                                             omsecor.exe
PID 3364 wrote to memory of 868      3364   omsecor.exe                                                             omsecor.exe
PID 3364 wrote to memory of 868      3364   omsecor.exe                                                             omsecor.exe
PID 868 wrote to memory of 4048      868    omsecor.exe                                                             omsecor.exe
PID 868 wrote to memory of 4048      868    omsecor.exe                                                             omsecor.exe
PID 868 wrote to memory of 4048      868    omsecor.exe                                                             omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4100

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3364

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 868

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 4048
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 5f31f8cc2476e2899710a00bc6bfa76c
SHA1: 3adc2f226fc43eb71aa052211b12463593d6f63d
SHA256: a872c8dbb06fe2f1c0ba3ee1f94e7e6e47340539d8a62f7416332c3433f22222
SHA512: 01f0309fe67bb1ee33134e84ab2b41f15c2364d3747b5a5fdfbbaef039a136022b0f878560308777a8ef1c4c004cc159d202c7ff05cb747ea96bed2e089f8e44

Filesize: 80KB
MD5: 73cf383a4b12cce57cb925cf0aeb13d9
SHA1: 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256: a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512: 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

Filesize: 80KB
MD5: 501b5251cc5759732eb66dbf33328068
SHA1: e866bee10842ed4d39c6bbab2cfaeb39044624e6
SHA256: 414851da10e9f8b098f3a6d8b0eb10da978fbd8864eb0d252b01595989756384
SHA512: 82ef31d69fa64526184b413e0423304d8c095ee0d9e5a823868379ecdd543d0817542e672f3ae7e267116ce2944e3ee89714ddcc30cf951033350354f1de453f