Analysis

max time kernel: 115s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 08:15

Static task: static1
Behavioral task: behavioral1
Sample: c043a6848651cac877da7111b7598ca0N.exe
Resource: win7-20240704-en

General

Target: c043a6848651cac877da7111b7598ca0N.exe
Size: 96KB
MD5: c043a6848651cac877da7111b7598ca0
SHA1: 0a876e46734253b0968efef4d2144a8646055141
SHA256: 114c7ca3fd3612e92a0dc50585557558e5f9fec2431c69fcc4201233e9e06b5d
SHA512: 2c526c124449a14bb82fdfba004f63813e9f002fb550136f62d39ceb6bd63d879c55fe6a8af36b6586d3536d2db25def9885325de815074e85e6239f0d04fd20
SSDEEP: 1536:cnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:cGs8cd8eXlYairZYqMddH13L
Malware Config

Extracted config: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes: omsecor.exe (6 processes)
pid   process
412   omsecor.exe
764   omsecor.exe
1936  omsecor.exe
4460  omsecor.exe
4840  omsecor.exe
3296  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes: omsecor.exe
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes: c043a6848651cac877da7111b7598ca0N.exe, omsecor.exe (3 processes)
description                          pid   process                                 target process
PID 5052 set thread context of 4336  5052  c043a6848651cac877da7111b7598ca0N.exe  c043a6848651cac877da7111b7598ca0N.exe
PID 412 set thread context of 764    412   omsecor.exe                             omsecor.exe
PID 1936 set thread context of 4460  1936  omsecor.exe                             omsecor.exe
PID 4840 set thread context of 3296  4840  omsecor.exe                             omsecor.exe

Program crash (4 IoCs)
Processes: WerFault.exe (4 processes)
pid   pid_target  process       target process
640   5052        WerFault.exe  c043a6848651cac877da7111b7598ca0N.exe
1076  412         WerFault.exe  omsecor.exe
3492  1936        WerFault.exe  omsecor.exe
1876  4840        WerFault.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: omsecor.exe (6 processes), c043a6848651cac877da7111b7598ca0N.exe (2 processes)
description  ioc                                                         process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c043a6848651cac877da7111b7598ca0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c043a6848651cac877da7111b7598ca0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes: c043a6848651cac877da7111b7598ca0N.exe (2 processes), omsecor.exe (5 processes)
Identical rows are collapsed; "rows" is the number of times the row appears in the report.
description                       pid   process                                 target process                          rows
PID 5052 wrote to memory of 4336  5052  c043a6848651cac877da7111b7598ca0N.exe  c043a6848651cac877da7111b7598ca0N.exe  5
PID 4336 wrote to memory of 412   4336  c043a6848651cac877da7111b7598ca0N.exe  omsecor.exe                             3
PID 412 wrote to memory of 764    412   omsecor.exe                             omsecor.exe                             5
PID 764 wrote to memory of 1936   764   omsecor.exe                             omsecor.exe                             3
PID 1936 wrote to memory of 4460  1936  omsecor.exe                             omsecor.exe                             5
PID 4460 wrote to memory of 4840  4460  omsecor.exe                             omsecor.exe                             3
PID 4840 wrote to memory of 3296  4840  omsecor.exe                             omsecor.exe                             5
Processes

Each entry gives the image path, the command line, the signatures hit, and the PID. The number in brackets is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe
    "C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5052

  [2] C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe
      C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4336

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 412

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 764

        [5] C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1936

          [6] C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 4460

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 4840

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  PID: 3296

              [8] C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 256
                  - Program crash
                  PID: 1876

          [6] C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 292
              - Program crash
              PID: 3492

      [4] C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 284
          - Program crash
          PID: 1076

  [2] C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 288
      - Program crash
      PID: 640

[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5052 -ip 5052
    PID: 2140

[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 412 -ip 412
    PID: 804

[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1936 -ip 1936
    PID: 5016

[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4840 -ip 4840
    PID: 2344
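The SetThreadContext, WriteProcessMemory and Program crash tables above describe a single chain: each process starts a second copy of its own image, writes into it, then rewrites the child's thread context (the process-hollowing pattern), and the hollowed child drops and starts the next omsecor.exe. The script below is an added example, not part of the sandbox report or its tooling; it reconstructs that chain from the signature rows and separates the hollowing pairs from ordinary child spawns. The row text is transcribed from the tables above; the regexes, the same-image rule used to call a pair "hollowed", and every function name are this example's own assumptions.

```python
"""Rebuild the process-hollowing chain from sandbox signature rows.

Added example, not part of the sandbox report or its tooling. The row text
is transcribed from the SetThreadContext, WriteProcessMemory and Program
crash tables in the report; the regexes, the same-image rule used to call
a pair "hollowed", and every function name here are this example's own.
"""
import re
from collections import Counter

SAMPLE = "c043a6848651cac877da7111b7598ca0N.exe"

# Transcribed rows (constructed input for this example).
SET_THREAD_CONTEXT_ROWS = f"""
PID 5052 set thread context of 4336 5052 {SAMPLE} {SAMPLE}
PID 412 set thread context of 764 412 omsecor.exe omsecor.exe
PID 1936 set thread context of 4460 1936 omsecor.exe omsecor.exe
PID 4840 set thread context of 3296 4840 omsecor.exe omsecor.exe
"""

# (writer pid, target pid, writer image, target image, identical rows in the report)
_WPM_PAIRS = [
    (5052, 4336, SAMPLE, SAMPLE, 5),
    (4336, 412, SAMPLE, "omsecor.exe", 3),
    (412, 764, "omsecor.exe", "omsecor.exe", 5),
    (764, 1936, "omsecor.exe", "omsecor.exe", 3),
    (1936, 4460, "omsecor.exe", "omsecor.exe", 5),
    (4460, 4840, "omsecor.exe", "omsecor.exe", 3),
    (4840, 3296, "omsecor.exe", "omsecor.exe", 5),
]
WRITE_PROCESS_MEMORY_ROWS = "\n".join(
    f"PID {s} wrote to memory of {d} {s} {si} {di}"
    for s, d, si, di, n in _WPM_PAIRS
    for _ in range(n)
)

PROGRAM_CRASH_ROWS = f"""
640 5052 WerFault.exe {SAMPLE}
1076 412 WerFault.exe omsecor.exe
3492 1936 WerFault.exe omsecor.exe
1876 4840 WerFault.exe omsecor.exe
"""

# Row layouts as they appear in the report tables (assumed stable).
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
CRASH_RE = re.compile(r"^(\d+) (\d+) WerFault\.exe (\S+)$")


def parse_rows(text, regex):
    """Return the capture groups of every line that matches regex."""
    return [m.groups() for line in text.strip().splitlines()
            if (m := regex.match(line.strip()))]


def analyze(stc_text, wpm_text, crash_text):
    """Classify writer->target pairs and walk the spawn chain from its root."""
    writes = Counter()          # (writer, target) -> number of WPM rows
    image = {}                  # pid -> image name
    order = []                  # pairs in first-seen order
    for src, dst, src_img, dst_img in parse_rows(wpm_text, WPM_RE):
        pair = (int(src), int(dst))
        if pair not in writes:
            order.append(pair)
        writes[pair] += 1
        image[pair[0]], image[pair[1]] = src_img, dst_img

    context_set = {(int(s), int(d)) for s, d, _, _ in parse_rows(stc_text, STC_RE)}
    crashed = {int(target) for _, target, _ in parse_rows(crash_text, CRASH_RE)}

    # Hollowing signature: the writer targets a child running its own image
    # and then rewrites that child's thread context (new entry point).
    hollowed = [p for p in order if p in context_set and image[p[0]] == image[p[1]]]
    spawned = [p for p in order if p not in hollowed]

    # Each writer has one target here; start at the pid nobody wrote into.
    child_of = dict(order)
    roots = [s for s in child_of if s not in child_of.values()]
    chain, pid = [], roots[0] if len(roots) == 1 else None
    while pid is not None and pid not in chain:
        chain.append(pid)
        pid = child_of.get(pid)

    injectors = {s for s, _ in hollowed}
    return {
        "hollowed": hollowed,
        "spawned": spawned,
        "write_counts": dict(writes),
        "chain": chain,
        "crashed_injectors": sorted(crashed & injectors),
        "images": image,
    }


if __name__ == "__main__":
    r = analyze(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, PROGRAM_CRASH_ROWS)
    print("chain:", " -> ".join(f"{p} ({r['images'][p]})" for p in r["chain"]))
    for pair in r["hollowed"]:
        print(f"hollowed {pair[0]} -> {pair[1]} after {r['write_counts'][pair]} writes")
    for pair in r["spawned"]:
        print(f"spawned  {pair[0]} -> {pair[1]} after {r['write_counts'][pair]} writes")
    print("WerFault attached to injectors:", r["crashed_injectors"])
```

Run as a script it prints the chain 5052 -> 4336 -> 412 -> 764 -> 1936 -> 4460 -> 4840 -> 3296, the four hollowing pairs (five writes each, then a thread-context change) against the three plain spawns (three writes, no thread-context change), and shows that the four processes WerFault attached to (5052, 412, 1936, 4840) are exactly the injectors, not the hollowed children. Two report details matter when turning this into detection content: the depth-5 entry's command line reads C:\Windows\System32\omsecor.exe while its image path is C:\Windows\SysWOW64\omsecor.exe, which is WOW64 file-system redirection for a 32-bit process (the task is tagged arch:x86), so a rule keyed on the System32 path string will not match the file on disk; and the submitted sample and the three files under Downloads are all 96KB yet carry different hashes, so blocking the submitted hash alone does not cover the dropped copies.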
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 96KB
MD5: 2ac31c4a4e908cad5dd8223269c5510e
SHA1: 32ec8a2c27eb29422a66394e62dda8f7d33bfa70
SHA256: 17e5f42a01b1984b0468056d75b2bfa0019fac026f0a3807030681ee56fe9b91
SHA512: ce934b97d8b1f0e1363dba657feae180eea2b732fe96dcbdd71fbe6884dffce423578a3b0a9f7c42739338c262722db32a08878a09c6481f8379efa77b4fba85

File 2
Filesize: 96KB
MD5: d1e9384d8e1f5c8012a8890c54c0f96a
SHA1: 09ec21291fdc3b80fc53e8147ca243082c86b67f
SHA256: d3675b6326f4a3956acc4bb1aa152f74ccbceed6a4e581fae435e2cb6fdb7175
SHA512: 57ec0547d76fb63a1325f5a6ff8930d364520f518c06c10e681bd3db1c3d59e5683a368a762ba731a0a2d805aa0170ed5789de20e75fcbc10bab86bf62ed026d

File 3
Filesize: 96KB
MD5: 7a8fd768334979e1fb3e665f0cbe3d27
SHA1: 6f6ee0b47de8f783274233b6ceec427997a01cc4
SHA256: 1cb4eb3f5c8dd07a834ef817233bedb836d3f3d61086c1a133d7e2f434dd2983
SHA512: 9e96949808426437e4fff0dd60d1a226a0932fe3118cfa91bf0940b44892d3846bf475ba33730f75e7792ebd780742c37338d0de9930bcf84a0122d347e42d8d