Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 13:53
Behavioral task
behavioral1
Sample: 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Resource: win7-20240729-en
General
Target: 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Size: 248KB
MD5: 2610bcf86b11c2f8aea5d2d8a0b9a5e0
SHA1: 49e7a04c63486faa128ce9f521cccd657292f24b
SHA256: 3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5
SHA512: 08af2402e91ea77fc3b0f7d23d44bc6cd695a3a0c48e7222c278e59e9d7e8cbcb84edbebfdca1e1111c48a32c4d0bbe5c3347c1d51828dac7228cc819d502cb0
SSDEEP: 1536:j4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:jIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 3 IoCs
Processes:
pid   process
920   omsecor.exe
4812  omsecor.exe
3936  omsecor.exe
Processes:
resource                                                                     yara_rule
behavioral2/memory/2496-0-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral2/memory/920-4-0x0000000000400000-0x000000000043E000-memory.dmp    upx
behavioral2/memory/2496-5-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/920-7-0x0000000000400000-0x000000000043E000-memory.dmp    upx
C:\Windows\SysWOW64\omsecor.exe                                              upx
behavioral2/memory/920-13-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral2/memory/3936-18-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/4812-19-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/4812-11-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/3936-20-0x0000000000400000-0x000000000043E000-memory.dmp  upx
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid   process                                target process
PID 2496 wrote to memory of 920    2496  2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe  omsecor.exe   (3 calls)
PID 920 wrote to memory of 4812    920   omsecor.exe                            omsecor.exe   (3 calls)
PID 4812 wrote to memory of 3936   4812  omsecor.exe                            omsecor.exe   (3 calls)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe (PID 2496)
   command line: "C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 920)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 4812)
         command line: C:\Windows\System32\omsecor.exe
         (the 32-bit process addresses System32; on 64-bit Windows, WOW64 file-system redirection maps that path to SysWOW64, which is why the image path and the "Drops file in System32 directory" IoC both show SysWOW64)
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3936)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 248KB
MD5: b2e7b6dcb7493029d9b123ad28b40655
SHA1: 9cde0e8ee0146722c65b34f2f66f60a0d970f7da
SHA256: 4e738f7cf5146f85537f99cfd5a2bbbe5b12502b8e1c71fc5a6a3eb6d5fedf1f
SHA512: e708e20e53b7fe120a44e23dca3ff712e410641c72bf8ab1c9e87e200737f4925f4c2d27ee575e9523ae23f32d53463ca3ba5c1ba375fae6686058b6ff040ac5

Filesize: 248KB
MD5: 01507f9c34d2bcb425195c22b6709616
SHA1: 79e5a722456fb50da995b42d6a7a92f681b8bbe1
SHA256: be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370
SHA512: 9dd74aa2b561249219c9c9f84f9aaef233ee847d718dc97174fc5ff9ad5012cf2c061750a489670bb30de38706803e0f3fdcdb2bedcb98ec5d588b6101498cdd

Filesize: 248KB
MD5: fa176ce4775526ff072b0d42e28d251a
SHA1: 83a87b5410bb5697fcde50ccc51ff8e1d800043c
SHA256: 52c36340b588501df7a855304449ab419c1f7d3699f9016b34f651af400aa7b4
SHA512: 4700fd6387f637c30ce55b4d161dcc4d8987124dbb81d9cac367fbd7c8fa371b1e6bd0511b70c9e00e414331f492fbf61aba7d188379f765dfc5e3aa7e995425
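The signatures, process tree and Downloads hashes above give everything needed for a host sweep. The script below is an added example written for this page; it is not part of the sandbox report or of the sample. It checks the two drop locations the report shows (%APPDATA%\omsecor.exe for every profile, and both System32 and SysWOW64, since the 32-bit dropper's System32 write was redirected to SysWOW64), compares any file found against the SHA256 values listed in General and Downloads, lists running omsecor.exe processes with their parent, and looks for the three neconyd hosts in the DNS client cache. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10 with the built-in DnsClient module; the cmdlet names used are standard, nothing else is assumed.

```powershell
# Added hunt script for the omsecor.exe / neconyd indicators in this report.
# Not part of the report; run from an elevated PowerShell prompt on the host.

$ErrorActionPreference = 'SilentlyContinue'

# SHA256 values copied from the report: the original sample plus the three
# 248KB files in the Downloads section.
$KnownSha256 = @(
    '3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5',
    '4e738f7cf5146f85537f99cfd5a2bbbe5b12502b8e1c71fc5a6a3eb6d5fedf1f',
    'be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370',
    '52c36340b588501df7a855304449ab419c1f7d3699f9016b34f651af400aa7b4'
)

# C2 hostnames from the extracted neconyd config.
$C2Hosts = @('ow5dirasuek.com', 'mkkuei4kdsz.com', 'lousta.net')

# Drop locations. The report shows the file landing in SysWOW64 because the
# 32-bit process wrote to System32 under WOW64 redirection; both are checked.
$DropPaths = @("$env:SystemRoot\SysWOW64\omsecor.exe",
               "$env:SystemRoot\System32\omsecor.exe")
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $DropPaths += Join-Path $profile.FullName 'AppData\Roaming\omsecor.exe'
}

$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Dropped files: any omsecor.exe at a known path is reported; a hash match
#    against the report is flagged separately from a name/path-only match.
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256 -contains $hash) {
            $detail = "SHA256 matches report: $hash"
        } else {
            $detail = "name/path match only, unknown hash: $hash"
        }
        $Findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Where = $p; Detail = $detail })
    }
}

# 2. Running omsecor.exe processes with their parent, to compare against the
#    chain in the report (dropper -> %APPDATA% copy -> SysWOW64 copy -> %APPDATA% copy).
foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'omsecor.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $Findings.Add([pscustomobject]@{
        Type   = 'Process'
        Where  = "PID $($proc.ProcessId) $($proc.ExecutablePath)"
        Detail = "parent PID $($proc.ParentProcessId) $($parent.Name); cmdline: $($proc.CommandLine)"
    })
}

# 3. DNS client cache entries for the C2 hostnames. The cache only covers
#    recent resolutions, so an empty result does not clear the host.
foreach ($entry in Get-DnsClientCache) {
    if ($C2Hosts -contains $entry.Entry.TrimEnd('.')) {
        $Findings.Add([pscustomobject]@{
            Type   = 'DnsCache'
            Where  = $entry.Entry
            Detail = "resolved to $($entry.Data)"
        })
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No omsecor.exe / neconyd indicators from this report found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

A file at one of the drop paths with a hash that is not in the report is still worth pulling: the three Downloads entries are all 248KB but have different hashes, so copies produced by other runs of the same dropper will not match these four values. Pair the host sweep with proxy or DNS logs for the three hostnames, since the local cache is short-lived.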