Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-08-2024 12:48
Behavioral task: behavioral1
Sample: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
Resource: win7-20240704-en
General
- Target: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
- Size: 248KB
- MD5: 4f8b5ded61b51de6d2d27f0e2a473a30
- SHA1: 3d58be86f9b50ae09a0a0a71521297dd241aefc6
- SHA256: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707
- SHA512: ebc97a82579408b5d44440877927033517f21d24f83d0a1147b8840585c3f43d726067d12112fab1029e8e0abc9f781748de86f1defd4f36c89865b980dccb4b
- SSDEEP: 1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4972  omsecor.exe
1652  omsecor.exe
Processes:
resource                                                                     yara_rule
behavioral2/memory/3140-0-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral2/memory/4972-4-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/3140-6-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/4972-7-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Windows\SysWOW64\omsecor.exe                                              upx
behavioral2/memory/1652-11-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/4972-13-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/1652-14-0x0000000000400000-0x000000000043E000-memory.dmp  upx
Drops file in System32 directory 2 IoCs
Processes:
description                   ioc                              process
File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description      pid   target pid  process                                                                target process
wrote to memory  3140  4972        feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe  omsecor.exe
wrote to memory  3140  4972        feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe  omsecor.exe
wrote to memory  3140  4972        feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe  omsecor.exe
wrote to memory  4972  1652        omsecor.exe                                                            omsecor.exe
wrote to memory  4972  1652        omsecor.exe                                                            omsecor.exe
wrote to memory  4972  1652        omsecor.exe                                                            omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3140
2. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 1)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4972
3. C:\Windows\SysWOW64\omsecor.exe (child of 2)
   Command line: C:\Windows\System32\omsecor.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   PID: 1652
   Note: the command line names System32 but the image that actually runs is under SysWOW64. That is consistent with a 32-bit binary (the UPX matches map it at 0x400000-0x43E000) being subject to WoW64 file system redirection, which also explains why the "Drops file in System32 directory" entries land in C:\Windows\SysWOW64. When hunting, check both directories for omsecor.exe and merocz.xc6.
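The chain above (a binary in a user-writable AppData path copies itself into SysWOW64, the copy relaunches itself from there, and every stage opens the NLS\Language key) maps cleanly onto endpoint telemetry rules. The Python below is an added example and is not part of the sandbox report or of the sample. It runs three rules over constructed Sysmon-style events that mirror the report's process tree (PIDs 3140 -> 4972 -> 1652); the event dictionary layout, the explorer.exe and svchost.exe noise entries and the parent PID 2200 are assumptions, and the SHA256 set is copied from the General and Downloads sections.

```python
"""Detection rules for the behaviour chain in this report, run over constructed
Sysmon-style events. Added example; not code from the sandbox or the sample."""
import re
from collections import defaultdict

# SHA256 values copied from the report: the submitted sample and the two dropped copies.
KNOWN_SHA256 = {
    "feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707",
    "c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17",
    "ed164ea6534bd08141629deaa8adb57678beb9ba0f7a9a14feca287b09d6e055",
}

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.I)

# Paths taken from the report's process tree and signature tables.
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe"
STAGE2 = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
STAGE3 = r"C:\Windows\SysWOW64\omsecor.exe"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events (EventID 1 = process create, 11 = file create, 12 = registry
# object open). They mirror the report's PIDs 3140 -> 4972 -> 1652; the explorer.exe
# and svchost.exe entries are invented benign noise, not sandbox output.
EVENTS = [
    {"id": 1, "pid": 3140, "ppid": 2200, "image": STAGE1, "parent": r"C:\Windows\explorer.exe"},
    {"id": 12, "pid": 3140, "image": STAGE1, "target": LANG_KEY},
    {"id": 11, "pid": 3140, "image": STAGE1, "target": STAGE2},
    {"id": 1, "pid": 4972, "ppid": 3140, "image": STAGE2, "parent": STAGE1},
    {"id": 11, "pid": 4972, "image": STAGE2, "target": STAGE3},
    {"id": 11, "pid": 4972, "image": STAGE2, "target": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"id": 12, "pid": 4972, "image": STAGE2, "target": LANG_KEY},
    {"id": 1, "pid": 1652, "ppid": 4972, "image": STAGE3, "parent": STAGE2},
    {"id": 12, "pid": 1652, "image": STAGE3, "target": LANG_KEY},
    {"id": 11, "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\SysWOW64\cache.dat"},
    {"id": 12, "pid": 2200, "image": r"C:\Windows\explorer.exe", "target": LANG_KEY},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_known_sample(sha256):
    """IoC match against the hashes published in the report."""
    return sha256.lower() in KNOWN_SHA256


def drops_into_system_dir(events):
    """Rule 1: a process running from AppData writes a file under System32 or SysWOW64."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 11 and USER_WRITABLE.search(e["image"]) and SYSTEM_DIR.search(e["target"])]


def relaunch_from_system_dir(events):
    """Rule 2: the child has the same file name as its parent but now runs from a system directory."""
    return [e["pid"] for e in events
            if e["id"] == 1 and basename(e["image"]) == basename(e["parent"])
            and SYSTEM_DIR.search(e["image"]) and not SYSTEM_DIR.search(e["parent"])]


def language_key_reads(events):
    """Rule 3: opens of ...\\Control\\NLS\\Language. Far too noisy to alert on by itself."""
    return [e["pid"] for e in events if e["id"] == 12 and NLS_LANGUAGE.search(e["target"])]


def score_processes(events):
    """Attach rule names to PIDs. Rules 1 and 2 flag a process and every ancestor whose
    creation was observed; rule 3 is only attached to PIDs already in a flagged tree, so
    explorer.exe reading the language key does not surface."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    hits = defaultdict(set)
    for pid, _ in drops_into_system_dir(events):
        hits[pid].add("drops_into_system_dir")
    for pid in relaunch_from_system_dir(events):
        hits[pid].add("relaunch_from_system_dir")
    for pid in list(hits):
        p = parent_of.get(pid)
        while p in parent_of:  # climb only through processes whose creation we saw
            hits[p].add("parent_of_flagged")
            p = parent_of[p]
    for pid in language_key_reads(events):
        if pid in hits:
            hits[pid].add("language_discovery")
    return {pid: sorted(names) for pid, names in hits.items()}


if __name__ == "__main__":
    for pid, names in sorted(score_processes(EVENTS).items()):
        print(pid, ", ".join(names))
```

Running it reports 3140, 4972 and 1652 and nothing for explorer.exe or svchost.exe: the SysWOW64 write from a signed service fails rule 1 because the writer is not under AppData, and explorer.exe's read of the language key is dropped because no higher-fidelity rule ever touched its tree. Rule 2 also catches the WoW64 wrinkle from the process tree, since it matches on the image path the process actually runs from rather than the System32 path in its command line.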
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 248KB
MD5: 795a05ea0a425d39884d9c4208eb97c1
SHA1: 3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d
SHA256: c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17
SHA512: 55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a
-
Filesize: 248KB
MD5: b8ec916eab9bef1eaca9e3c7c5e8861a
SHA1: 5e0ef4531515cb4b37d66fbd8dfe4922f7b67933
SHA256: ed164ea6534bd08141629deaa8adb57678beb9ba0f7a9a14feca287b09d6e055
SHA512: 5c264ddb1493d46c1143b9de19b1ff64c516bc724255766d50a52e40bdf99b538ee57d46723c47c3a36574f9325ac0dcd92fbef96ef82dc7942c4688b929b901