Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 17:01
Behavioral task
- behavioral1
- Sample: 75693cfba81fb00326ba9e4d1ade79e0N.exe
- Resource: win7-20240704-en
General
- Target: 75693cfba81fb00326ba9e4d1ade79e0N.exe
- Size: 35KB
- MD5: 75693cfba81fb00326ba9e4d1ade79e0
- SHA1: eebc6f1aa980f6dfbbe70eb73dd78d320cc1ff8e
- SHA256: 47564772d274b0a650c18597b11ab9af811917ff3af9b86f3f640a9634cfa824
- SHA512: 3283c6271e4cf53697630dc64ef7df4f3bd21e6b9cf728376a67deedf42d93f7444622ca3a616e209f73ee4122fb5322fd6b31046e296f92dec03525cdf80a5c
- SSDEEP: 768:e6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:l8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
- Family: neconyd
- C2:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3376  omsecor.exe
  516   omsecor.exe
  3424  omsecor.exe
Processes:
  resource                                                                  yara_rule
  behavioral2/memory/4876-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral2/memory/3376-4-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/4876-7-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/3376-8-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/3376-11-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/3376-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/3376-15-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  C:\Windows\SysWOW64\omsecor.exe                                              upx
  behavioral2/memory/516-19-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/3376-22-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral2/memory/3424-26-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/516-27-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/3424-29-0x0000000000400000-0x000000000042D000-memory.dmp  upx
Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                            process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   75693cfba81fb00326ba9e4d1ade79e0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                 target process
  PID 4876 wrote to memory of 3376  4876  75693cfba81fb00326ba9e4d1ade79e0N.exe   omsecor.exe
  PID 4876 wrote to memory of 3376  4876  75693cfba81fb00326ba9e4d1ade79e0N.exe   omsecor.exe
  PID 4876 wrote to memory of 3376  4876  75693cfba81fb00326ba9e4d1ade79e0N.exe   omsecor.exe
  PID 3376 wrote to memory of 516   3376  omsecor.exe                             omsecor.exe
  PID 3376 wrote to memory of 516   3376  omsecor.exe                             omsecor.exe
  PID 3376 wrote to memory of 516   3376  omsecor.exe                             omsecor.exe
  PID 516 wrote to memory of 3424   516   omsecor.exe                             omsecor.exe
  PID 516 wrote to memory of 3424   516   omsecor.exe                             omsecor.exe
  PID 516 wrote to memory of 3424   516   omsecor.exe                             omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\75693cfba81fb00326ba9e4d1ade79e0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75693cfba81fb00326ba9e4d1ade79e0N.exe"
  PID: 4876
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 3376
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      PID: 516
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3424
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 35KB
  MD5: 78eeba4b58697cfa1a422581e46e59cf
  SHA1: 945fa0e0e38209b04a5abfbc36d654b84cab481e
  SHA256: 202ec5dc69013802725561dde7735cd1fff5afbec2b19f8206505189d6d33202
  SHA512: 6e848d96c551766d7add8de11620e030c99f781ba6ee7930b97809cc8526f4261083d7ef4c5069b560fd53d62bdc0cf8514ac842ae3f61d38691173dbde690de
- Filesize: 35KB
  MD5: d8b05a2fc34178500f212de7ccc7c5c4
  SHA1: c4fc00c3c988580818ea4293cf70c26ff23c0315
  SHA256: bfe92586e89954ef6284bbad83c593be48f954b2bd63578efdb3f85401986f2e
  SHA512: d5bd59dd562c5fa862237b132cf78e0b40ce45513489065f1fe9b6738959cb0bfb168bcf0699075cfa4822b080a697915c05a13f1f88b01bd6d3a79a42e2124a
- Filesize: 35KB
  MD5: dfd2f56e910307fa3f55aad61ef2d8c1
  SHA1: 91ad1d723641548ef487a16d0357a61a28a7573c
  SHA256: c2b02837b1afa35bb6dcca6c0a6e7b299b03fffd9508bee31370afda34798062
  SHA512: e6d73a9bfd88d6c987c3e4bc09b5ea5d51afecde664e776014da1140894ad1f15243fce731fc3ec5059d8015a28febbe13c458311a019a891171be6e817e539b