Analysis
-
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 00:10
Behavioral task: behavioral1
Sample: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
Resource: win7-20240729-en
General
-
Target: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
Size: 92KB
MD5: 6b9f893b651a4c9f9bce4860abcf5210
SHA1: 2b40dee78eb457c2a6481d6eec8cfa621a7a2135
SHA256: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f
SHA512: d96a0b5d8f9afb0c5af8b49fad2c97ce2f53f2f328d72932622e866a70b7b6f6af748978875c78689f5da1cdc1cc4b013884ec8a8765f2364d3c3ac4448c8247
SSDEEP: 1536:zd9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIO/EZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 3004  omsecor.exe
  PID 2776  omsecor.exe
-
Drops file in System32 directory (2 IoCs)
Processes:
  File created: C:\Windows\SysWOW64\omsecor.exe  (process: omsecor.exe)
  File opened for modification: C:\Windows\SysWOW64\merocz.xc6  (process: omsecor.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: omsecor.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 536 (a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe) wrote to memory of PID 3004 (omsecor.exe)
  PID 536 (a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe) wrote to memory of PID 3004 (omsecor.exe)
  PID 536 (a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe) wrote to memory of PID 3004 (omsecor.exe)
  PID 3004 (omsecor.exe) wrote to memory of PID 2776 (omsecor.exe)
  PID 3004 (omsecor.exe) wrote to memory of PID 2776 (omsecor.exe)
  PID 3004 (omsecor.exe) wrote to memory of PID 2776 (omsecor.exe)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe  (PID 536)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3004)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe  (PID 2776)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 92KB
MD5: fff7a8898ed69d53a1069422e07a8cf5
SHA1: 173e886d68080a89b678d83fc81dae27bf4eec2e
SHA256: a34a8cb30dc6de3e649ca267af3ab484cf9dc417b71e037a27b88466a3d25c87
SHA512: 3cdcbbaa41b5e52de0c442bc933457d09285d55feb77878f3a5aaad69c1df94d79b9bdebe3ae6e78a15fca90c7337cdc0995bdd23abed3a65c47599e92ac8579
-
Filesize: 92KB
MD5: 735a286099302942dc4e218a936ac677
SHA1: 352d158d367ded555f2fad4bfb4df463ba07a4f2
SHA256: 5e9a6f9b49597ec7f12d19d24d79cdfac1e7d13c426b2abb24337c6615bce1ee
SHA512: 08c61d71c0d1eaed65472b183b3a379063d3ab322ad454c72bbc9966862c12452c67cb325dcf832f7bafd63e55d9ff92e26d291b2c517e1c605465212d001fec