Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-08-2024 01:35
Behavioral task: behavioral1
- Sample: 3af4c90be05e1f0a645d05215d226870N.exe
- Resource: win7-20240729-en
General
- Target: 3af4c90be05e1f0a645d05215d226870N.exe
- Size: 248KB
- MD5: 3af4c90be05e1f0a645d05215d226870
- SHA1: a634bd6711a821dc357e8a4c3c75599e6aa132d6
- SHA256: 08e1f7a0db3395be8b5b2eea71f6614470012f945a7b24bb03b694808ce1b10d
- SHA512: 157729c055a434afe440ace48e1bf3962a70e80458162fa1ba7d54026e701738b4d759622b6728de9f530e0b84039c54347051ee44b0e9d4c47daa73d9ab23f5
- SSDEEP: 1536:M4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:MIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
- Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: omsecor.exe, omsecor.exe
  pid  | process
  4848 | omsecor.exe
  2320 | omsecor.exe
- Processes (yara rule matches):
  resource                                                                   | yara_rule
  behavioral2/memory/2908-0-0x0000000000400000-0x000000000043E000-memory.dmp  | upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                 | upx
  behavioral2/memory/4848-4-0x0000000000400000-0x000000000043E000-memory.dmp  | upx
  behavioral2/memory/2908-6-0x0000000000400000-0x000000000043E000-memory.dmp  | upx
  behavioral2/memory/4848-7-0x0000000000400000-0x000000000043E000-memory.dmp  | upx
  C:\Windows\SysWOW64\omsecor.exe                                            | upx
  behavioral2/memory/2320-11-0x0000000000400000-0x000000000043E000-memory.dmp | upx
  behavioral2/memory/4848-13-0x0000000000400000-0x000000000043E000-memory.dmp | upx
  behavioral2/memory/2320-14-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- Drops file in System32 directory (2 IoCs)
  Processes: omsecor.exe, omsecor.exe
  description                  | ioc                              | process
  File opened for modification | C:\Windows\SysWOW64\merocz.xc6   | omsecor.exe
  File created                 | C:\Windows\SysWOW64\omsecor.exe  | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 3af4c90be05e1f0a645d05215d226870N.exe, omsecor.exe, omsecor.exe
  description | ioc                                                          | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | 3af4c90be05e1f0a645d05215d226870N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | omsecor.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3af4c90be05e1f0a645d05215d226870N.exe, omsecor.exe
  description                      | pid  | process                               | target process
  PID 2908 wrote to memory of 4848 | 2908 | 3af4c90be05e1f0a645d05215d226870N.exe | omsecor.exe
  PID 2908 wrote to memory of 4848 | 2908 | 3af4c90be05e1f0a645d05215d226870N.exe | omsecor.exe
  PID 2908 wrote to memory of 4848 | 2908 | 3af4c90be05e1f0a645d05215d226870N.exe | omsecor.exe
  PID 4848 wrote to memory of 2320 | 4848 | omsecor.exe                           | omsecor.exe
  PID 4848 wrote to memory of 2320 | 4848 | omsecor.exe                           | omsecor.exe
  PID 4848 wrote to memory of 2320 | 4848 | omsecor.exe                           | omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe (PID 2908, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4848, depth 2, child of 2908)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2320, depth 3, child of 4848)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 248KB
  MD5: 81e8fb10bfac735b839e186a8ed9a2fa
  SHA1: 020a6c104be18704815e36a6d1b6a68136112e92
  SHA256: a329994d02727bd0de8cae4533c9ea1c789ee151cc6b570dd84b0b966780a896
  SHA512: 6c4f05fd26231cc3b7faf0a317da41bc03a70fe81bb51a2f1db8450399fcde6881ebb62b41e828a1b50a08d557272803a695a358ae191bdea3a29fded58e1a20
- Filesize: 248KB
  MD5: 5ddf24e7926d9b31cf3b303000065325
  SHA1: 2fd94459cb9ab7d20acb87e25b3eb3977a7c8be9
  SHA256: 0ecad4b96b38b28f40b0a78da5ef6ebe1d50c3332418469960c619056a43ccd1
  SHA512: a743a864c9041cee7a2942c52d9a55664b4006cc79385d9b3f662d86e25916d553cce8477b0fa2f94dbbcdc4abbfb7c326f99b2ad7f914bc617881c2f7b6f76f