Analysis
max time kernel: 116s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 10:24
Behavioral task: behavioral1
Sample: 8eece6f5324bf1526d6e0881d638f170N.exe
Resource: win7-20240729-en
General
Target: 8eece6f5324bf1526d6e0881d638f170N.exe
Size: 248KB
MD5: 8eece6f5324bf1526d6e0881d638f170
SHA1: d930a6fc12953b01a2afa7e9ed5c435d94f43c3b
SHA256: 07f5cca07cc63a5f18e9d6851d88902c49aa4447873e183482e8d399e405f172
SHA512: 70541a2ae65c5e34322ea2dee7c58465e46881a6f9b2c45bad7e989451de8f08d662365897db05d73272f5b73adfb07fd75ab7a0d25b0653a1c3411303e7b6fd
SSDEEP: 1536:44d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:4IdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
Processes: omsecor.exe, omsecor.exe
pid process
4244 omsecor.exe
3624 omsecor.exe

Processes:
resource yara_rule
behavioral2/memory/1400-0-0x0000000000400000-0x000000000043E000-memory.dmp upx
C:\Users\Admin\AppData\Roaming\omsecor.exe upx
behavioral2/memory/4244-4-0x0000000000400000-0x000000000043E000-memory.dmp upx
behavioral2/memory/1400-5-0x0000000000400000-0x000000000043E000-memory.dmp upx
behavioral2/memory/4244-7-0x0000000000400000-0x000000000043E000-memory.dmp upx
behavioral2/memory/3624-11-0x0000000000400000-0x000000000043E000-memory.dmp upx
C:\Windows\SysWOW64\omsecor.exe upx
behavioral2/memory/4244-13-0x0000000000400000-0x000000000043E000-memory.dmp upx
behavioral2/memory/3624-14-0x0000000000400000-0x000000000043E000-memory.dmp upx
Drops file in System32 directory (2 IoCs)
Processes: omsecor.exe, omsecor.exe
description ioc process
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 8eece6f5324bf1526d6e0881d638f170N.exe, omsecor.exe, omsecor.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8eece6f5324bf1526d6e0881d638f170N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 8eece6f5324bf1526d6e0881d638f170N.exe, omsecor.exe
description pid process target process
PID 1400 wrote to memory of 4244 1400 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 1400 wrote to memory of 4244 1400 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 1400 wrote to memory of 4244 1400 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 4244 wrote to memory of 3624 4244 omsecor.exe omsecor.exe
PID 4244 wrote to memory of 3624 4244 omsecor.exe omsecor.exe
PID 4244 wrote to memory of 3624 4244 omsecor.exe omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1400

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4244

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         PID: 3624
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 248KB
MD5: f7f9a1f2f66382acc65a061290ba5f04
SHA1: 6ac4dbed0e0489e9838f1cb8acec1d505e25de2d
SHA256: f9d5e0817196061b67cc568d4792a55c5e8bf22b54e28f526efb9e062dfb8511
SHA512: 452dd256ef4439af62687ccfec1100d87c316ed2fa676be3d323c160bd0a6a4e6eacfe9c86560858453fe356f6fb804f9e03b9e090ce3f1518d603e9352fb0fa

Filesize: 248KB
MD5: 2d0772cb24774f91faafa5c182fb993c
SHA1: 16b3146e2d6fcd13cacf01496f38b0e9232d4e95
SHA256: a7538fcbd69678da6d0f25c59ecaca7df44f33528b2326400830c4771e19bccc
SHA512: f1ce0445c4d1768d8156531115c4f2a83b3c92ea26e9c15366014543ffaad4226aa06758afc337e3c7ea2ebb77c54ceac847721f99be787a5139968dfbbf1298