Analysis

max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 02:17
Behavioral task: behavioral1
Sample: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
Resource: win7-20240704-en
General

Target: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
Size: 71KB
MD5: 0ce26c0d33ed0cfda9209db722889845
SHA1: 52cfa7af81c0b3743f90cc06e9acd9c7d7ed1ed9
SHA256: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd
SHA512: 875dd901f18a2e48368d67b360b42c94c9db651c91c777abcb850861bffdd1f24674308f8433dcd4619cccae5e09b39e9fe69402a93c3aed93de2c4c64af5a8b
SSDEEP: 1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:adseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config

Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3836  omsecor.exe
  2044  omsecor.exe
  1428  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 2936 wrote to memory of 3836  2936  dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe  omsecor.exe
  PID 2936 wrote to memory of 3836  2936  dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe  omsecor.exe
  PID 2936 wrote to memory of 3836  2936  dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe  omsecor.exe
  PID 3836 wrote to memory of 2044  3836  omsecor.exe                                                            omsecor.exe
  PID 3836 wrote to memory of 2044  3836  omsecor.exe                                                            omsecor.exe
  PID 3836 wrote to memory of 2044  3836  omsecor.exe                                                            omsecor.exe
  PID 2044 wrote to memory of 1428  2044  omsecor.exe                                                            omsecor.exe
  PID 2044 wrote to memory of 1428  2044  omsecor.exe                                                            omsecor.exe
  PID 2044 wrote to memory of 1428  2044  omsecor.exe                                                            omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"
   PID: 2936
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3836
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2044
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1428
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 71KB
MD5: 9e23bd077698b6e84f1d8ee239700855
SHA1: 5471fa28a62e07b897e20d69e4491688ea058c53
SHA256: 6e7723a201f93efc8d3f06aef7bf1b8ed46cdb4cf17b98f772231e8cf3950daf
SHA512: 4ef4a15798eee0f684579538dc3d4ed784ab8d5f305e2fc43c5a1deceb9a8a70d1aff53ef3c67a30c7bf4e408040771b0a70d8d4068bc04d1888831b37fc366a

Filesize: 71KB
MD5: 1e82166cdb3bb51e8964be7b5a9ecb08
SHA1: cd78f196cdcd818dd456ce91817b7d8735bf9846
SHA256: d1b58bd52e3ed9b58e0243ca3d42487f91635493b7a6e430244931b129b18ea4
SHA512: 532f928ee4cce9f9c5642c83aeaaae7ecf47c72a410be9ac0e00bc9948771e73a37d7f8b5f0026a1c01999724063a4ecfb54ef16714fa770db1904ce46fcffa5

Filesize: 71KB
MD5: 5bdc6086e6d00112a03533477c72d1d7
SHA1: ca78618ff79e82ce304c01414a5e44290d937ae4
SHA256: ecbff5b5ec976cf392c0f272f5a35c726529132194cc0520b96389f61d1751f8
SHA512: e2d311293aa86b57c4b5a15bb39904796454324ab2328a9f130f1da462bf4598974863f00277f5a19a1e2211077955577818d71cac43033193e331b672912d10