Analysis
  max time kernel: 114s
  max time network: 118s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-08-2024 12:31
Behavioral task: behavioral1
  Sample: 9ef5e0aff3983414d5fc6ee69674a8a0N.exe
  Resource: win7-20240704-en
General
  Target: 9ef5e0aff3983414d5fc6ee69674a8a0N.exe
  Size: 35KB
  MD5: 9ef5e0aff3983414d5fc6ee69674a8a0
  SHA1: 37b0a2d701473457f5ab1e207169eb520b119060
  SHA256: 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
  SHA512: c5ed45285648f7124fd32957610570874c3c8e6f48c4854cc7a61e7abb72dda4c191c0d5480bed0eb63da88932fde10d39b511dd779e1e857302623853f6c468
  SSDEEP: 768:Z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:08Z0kA7FHlO2OwOTUtKjpB
Malware Config
  Extracted: neconyd
  URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    5004  omsecor.exe
    1384  omsecor.exe

Yara rule matches (resource / rule):
    behavioral2/memory/1360-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
    behavioral2/memory/5004-4-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    behavioral2/memory/1360-6-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    behavioral2/memory/5004-8-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    behavioral2/memory/5004-11-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/5004-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/5004-15-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/1384-19-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    C:\Windows\SysWOW64\omsecor.exe                                              upx
    behavioral2/memory/5004-22-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/1384-23-0x0000000000400000-0x000000000042D000-memory.dmp  upx

Drops file in System32 directory (2 IoCs)
  Processes:
    description                   ioc                              process
    File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
    File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9ef5e0aff3983414d5fc6ee69674a8a0N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                target process
    PID 1360 wrote to memory of 5004  1360  9ef5e0aff3983414d5fc6ee69674a8a0N.exe  omsecor.exe
    PID 1360 wrote to memory of 5004  1360  9ef5e0aff3983414d5fc6ee69674a8a0N.exe  omsecor.exe
    PID 1360 wrote to memory of 5004  1360  9ef5e0aff3983414d5fc6ee69674a8a0N.exe  omsecor.exe
    PID 5004 wrote to memory of 1384  5004  omsecor.exe                            omsecor.exe
    PID 5004 wrote to memory of 1384  5004  omsecor.exe                            omsecor.exe
    PID 5004 wrote to memory of 1384  5004  omsecor.exe                            omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1360

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5004

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      PID: 1384
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 35KB
  MD5: a2b4a322bc57c590c56a4cd09ed4c4b4
  SHA1: af712caf7817eca258eac0742d8d19786f0d7a04
  SHA256: dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc
  SHA512: 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd

  Filesize: 35KB
  MD5: d3d933d5522db2197e9d43c1ddac126a
  SHA1: 3df9f95a01aaab85cb88d21fd03f7d58e300afb1
  SHA256: ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692
  SHA512: 1af87fa818af16d1a4aeb48e78fd07a7a5875e4a5cca6dc5c1458137ee4015c7538aed3ea6bbf5fa53b077889ec2a9698dc1a91b09f6b272e790df2ec4199318