Analysis
max time kernel: 31s
max time network: 42s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 18:16
Behavioral task: behavioral1
Sample: 027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
Resource: win7-20240729-en
Errors

General
Target: 027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
Size: 61KB
MD5: cafacaafe8816f3b680c1679f1a953aa
SHA1: 39cb8f8477fa82e4892177512919fc19d12f6dcf
SHA256: 027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0
SHA512: f7d389641dd626df546ce2962090598be7849fe3c28c8522d2c133231c11a2bbd18b1fc674892066672e001ea9fb745e7301232ca8ef0d6cea89671fe71345b6
SSDEEP: 768:8MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:8bIvYvZEyFKF6N4yS+AQmZIl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4472  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 4772 wrote to memory of 4472   4772  027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe  omsecor.exe
    PID 4772 wrote to memory of 4472   4772  027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe  omsecor.exe
    PID 4772 wrote to memory of 4472   4772  027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe  omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe"
   PID: 4772
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4472
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 61KB
MD5: 2ccdfbde0854295311e04da7faae2278
SHA1: 798bdc2f05da5807900a4517559aa3cbf5ef47c4
SHA256: 7b7ad20320a4a09461541d1d666a67e5c20f7c083e53f86ca6b9fac7d5bcdd72
SHA512: 43a9fd37c376f5d21490e2ba29dffc43296e940857e6cac629ecf971bb8a429c87d944b372dedc8f9e9c320aa23da831d7f12378e3cc6eef510eaf65cfa6a7fc