Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 20:53
Behavioral task: behavioral1
- Sample: 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
- Resource: win7-20240729-en
General
- Target: 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
- Size: 80KB
- MD5: 4dd4614d24ae8659e86123eb5976b937
- SHA1: 69b1ac1481239e46f594d152b16cb20765d8f4a7
- SHA256: 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78
- SHA512: db6bb177edd1fac147ec82592a28c928518dca330115b6a30df3a542a25938bb97cbf03cf5f9b787f20a09758a5bc04eac790edf0ac62b447a9e1b06c8f6a22c
- SSDEEP: 768:KfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:KfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)

Processes:

| pid  | process     |
|------|-------------|
| 4948 | omsecor.exe |
| 4256 | omsecor.exe |
| 2220 | omsecor.exe |

Drops file in System32 directory (1 IoC)

Processes:

| description  | ioc                              | process     |
|--------------|----------------------------------|-------------|
| File created | C:\Windows\SysWOW64\omsecor.exe  | omsecor.exe |
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes:

| description | ioc                                                            | process                                                              |
|-------------|----------------------------------------------------------------|----------------------------------------------------------------------|
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
Suspicious use of WriteProcessMemory (9 IoCs)

Processes:

| description                       | pid  | process                                                              | target process |
|-----------------------------------|------|----------------------------------------------------------------------|----------------|
| PID 4120 wrote to memory of 4948  | 4120 | 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | omsecor.exe    |
| PID 4120 wrote to memory of 4948  | 4120 | 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | omsecor.exe    |
| PID 4120 wrote to memory of 4948  | 4120 | 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | omsecor.exe    |
| PID 4948 wrote to memory of 4256  | 4948 | omsecor.exe                                                          | omsecor.exe    |
| PID 4948 wrote to memory of 4256  | 4948 | omsecor.exe                                                          | omsecor.exe    |
| PID 4948 wrote to memory of 4256  | 4948 | omsecor.exe                                                          | omsecor.exe    |
| PID 4256 wrote to memory of 2220  | 4256 | omsecor.exe                                                          | omsecor.exe    |
| PID 4256 wrote to memory of 2220  | 4256 | omsecor.exe                                                          | omsecor.exe    |
| PID 4256 wrote to memory of 2220  | 4256 | omsecor.exe                                                          | omsecor.exe    |
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4120

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4948

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 4256

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2220

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
   PID: 3980
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 80KB
   - MD5: ee89eb2b96b860d3166fb7be176cf7b4
   - SHA1: ce3dc413303d4c2c035a22b5b9d51eefe4f64a5b
   - SHA256: 31efd5431dfd5fdeab331d79a8271d22b68fb2e964aff1571b9096c6a7951c77
   - SHA512: a696d4d29aa78d384ec92aaac6bf8c0ba9bbff234e5df39cea8487bf50e88e4141fe0377ceb81d3041ea20999407aa76a0b146b266ff11bab33d8e558d160a34

2. Filesize: 80KB
   - MD5: 3dfc86b2441840dc62ce2a529fd73aea
   - SHA1: 94966d2741dafc71c66f8f39e625b927d273e28c
   - SHA256: 1b00585a46d14e683b1ff21d5659e2dce15e1e674bd9796d5483a7617fbc15ae
   - SHA512: 00cac720a7929b66a4a1bbd452f879d2ed174c981cbec7867a33fe173555463f625981985dd34b82a4e595ea3e71a8e9b2b9cab1635144c21b335e4baf47de20

3. Filesize: 80KB
   - MD5: 50a2ccde3656cb7139d585beb333cb40
   - SHA1: 2d93911701ed79319c24ac7af57f7be0f8e5a8bb
   - SHA256: 31db88859c37cf65d13b2349e09b0ac67b186316c036fa660608dbc6a4c87442
   - SHA512: 646fcdea9a220ff0cc453c2ac84260ae26ebd735bdb2a2345a5331d73e6a7ab72959067caa5048481ac3fa7ab9fcf8b3158a8aeffadc3b42332d8aeaa24f1d53