Analysis
-
max time kernel
115s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-08-2024 06:35
Behavioral task
behavioral1
Sample
56273b3463f33f24297a72d47b2cd370N.exe
Resource
win7-20240704-en
General
-
Target
56273b3463f33f24297a72d47b2cd370N.exe
-
Size
35KB
-
MD5
56273b3463f33f24297a72d47b2cd370
-
SHA1
86bfd5cd55fd3ab790e5f24f11f380288b7294d2
-
SHA256
7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5
-
SHA512
14ea8a4ab0c68ade1ee31fdf354288d3a533e12d8e2366a341de6d7e0d863589a54fc6b8c4180a293c3d977cae433e2b3835bb8f3c270e9d09e703772fe96348
-
SSDEEP
768:A6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:X8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4092  omsecor.exe
2756  omsecor.exe
Processes:
resource                                                                       yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x000000000042D000-memory.dmp     upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                     upx
behavioral2/memory/4092-4-0x0000000000400000-0x000000000042D000-memory.dmp     upx
behavioral2/memory/4856-7-0x0000000000400000-0x000000000042D000-memory.dmp     upx
behavioral2/memory/4092-8-0x0000000000400000-0x000000000042D000-memory.dmp     upx
behavioral2/memory/4092-11-0x0000000000400000-0x000000000042D000-memory.dmp    upx
behavioral2/memory/4092-14-0x0000000000400000-0x000000000042D000-memory.dmp    upx
behavioral2/memory/4092-15-0x0000000000400000-0x000000000042D000-memory.dmp    upx
C:\Windows\SysWOW64\omsecor.exe                                                upx
behavioral2/memory/2756-19-0x0000000000400000-0x000000000042D000-memory.dmp    upx
behavioral2/memory/4092-22-0x0000000000400000-0x000000000042D000-memory.dmp    upx
behavioral2/memory/2756-23-0x0000000000400000-0x000000000042D000-memory.dmp    upx
Drops file in System32 directory 2 IoCs
Processes:
description                   ioc                                  process
File created                  C:\Windows\SysWOW64\omsecor.exe      omsecor.exe
File opened for modification  C:\Windows\SysWOW64\merocz.xc6       omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  56273b3463f33f24297a72d47b2cd370N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid   process                                target process
PID 4856 wrote to memory of 4092   4856  56273b3463f33f24297a72d47b2cd370N.exe  omsecor.exe
PID 4856 wrote to memory of 4092   4856  56273b3463f33f24297a72d47b2cd370N.exe  omsecor.exe
PID 4856 wrote to memory of 4092   4856  56273b3463f33f24297a72d47b2cd370N.exe  omsecor.exe
PID 4092 wrote to memory of 2756   4092  omsecor.exe                            omsecor.exe
PID 4092 wrote to memory of 2756   4092  omsecor.exe                            omsecor.exe
PID 4092 wrote to memory of 2756   4092  omsecor.exe                            omsecor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe" (depth 1)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe (depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2756
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
35KB
MD5
ce7aa3954c5dcdafdbf8443875850f25
SHA1
3d5d362d4ee07bcce26666ba0a38a99581b0be8e
SHA256
d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72
SHA512
35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897
-
Filesize
35KB
MD5
7ddb7511628fba5209fdcbac68d074be
SHA1
035d9f4eb7e47100597715e5fb50c6ec0de7a464
SHA256
c2d1a10d73d708777123c0712d1c6b6d549c7f35715e572b632637137078057f
SHA512
d83d7f80600addbe063d321672131dec810c3f364ec337948a30a4ff781c73205f06cd38e5a4ef49338efbfa0e80fbb04cc8f4a05dd5be44f5f51e00dbbfd573