Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 12:24
Static task: static1
Behavioral task: behavioral1
Sample: 9b4365610bf5ba273c19d4b6b59ac470N.exe
Resource: win7-20240708-en
General
Target: 9b4365610bf5ba273c19d4b6b59ac470N.exe
Size: 96KB
MD5: 9b4365610bf5ba273c19d4b6b59ac470
SHA1: fda8f31b460070e32a27d7577a6ce4f28702d7d7
SHA256: 4cb6f4971f521c34fd0b117fe667e17dd2202b4e0447df1f1c55f78b8252fc51
SHA512: 6f4f42c772360d10550195000f7578f380a3bc2d24d0d6ea892a96388a57f88a946c99860d67e1579951e1229919dfeba33eef73ccbe3f92dc115506bcfe16df
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:4Gs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (6 IoCs)
pid / process:
- 2504 omsecor.exe
- 3952 omsecor.exe
- 936 omsecor.exe
- 3408 omsecor.exe
- 1244 omsecor.exe
- 1620 omsecor.exe
Drops file in System32 directory (1 IoCs)
description / ioc / process:
- File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
Suspicious use of SetThreadContext (4 IoCs)
pid / process -> target pid / target process:
- 5072 9b4365610bf5ba273c19d4b6b59ac470N.exe set thread context of 3076 9b4365610bf5ba273c19d4b6b59ac470N.exe
- 2504 omsecor.exe set thread context of 3952 omsecor.exe
- 936 omsecor.exe set thread context of 3408 omsecor.exe
- 1244 omsecor.exe set thread context of 1620 omsecor.exe
Program crash (4 IoCs)
pid / process -> target pid / target process:
- 3464 WerFault.exe reported crash of 5072 9b4365610bf5ba273c19d4b6b59ac470N.exe
- 3132 WerFault.exe reported crash of 2504 omsecor.exe
- 3604 WerFault.exe reported crash of 936 omsecor.exe
- 2308 WerFault.exe reported crash of 1244 omsecor.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / process (repeated events shown with counts):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe (6 entries)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 9b4365610bf5ba273c19d4b6b59ac470N.exe (2 entries)
Suspicious use of WriteProcessMemory (29 IoCs)
pid / process -> target pid / target process (repeated writes shown with counts):
- 5072 9b4365610bf5ba273c19d4b6b59ac470N.exe wrote to memory of 3076 9b4365610bf5ba273c19d4b6b59ac470N.exe (5 entries)
- 3076 9b4365610bf5ba273c19d4b6b59ac470N.exe wrote to memory of 2504 omsecor.exe (3 entries)
- 2504 omsecor.exe wrote to memory of 3952 omsecor.exe (5 entries)
- 3952 omsecor.exe wrote to memory of 936 omsecor.exe (3 entries)
- 936 omsecor.exe wrote to memory of 3408 omsecor.exe (5 entries)
- 3408 omsecor.exe wrote to memory of 1244 omsecor.exe (3 entries)
- 1244 omsecor.exe wrote to memory of 1620 omsecor.exe (5 entries)
Processes
Process tree (image path, command line, PID, and triggered signatures; indentation shows parent/child depth):
- C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe (PID 5072)
  command line: "C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe"
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe (PID 3076)
    command line: C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2504)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3952)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 936)
          command line: C:\Windows\System32\omsecor.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 3408)
            command line: C:\Windows\SysWOW64\omsecor.exe
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1244)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1620)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 2308)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 244
                signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 3604)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 292
            signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 3132)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 296
        signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3464)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 296
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2684)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
- C:\Windows\SysWOW64\WerFault.exe (PID 3600)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2504 -ip 2504
- C:\Windows\SysWOW64\WerFault.exe (PID 2756)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 936 -ip 936
- C:\Windows\SysWOW64\WerFault.exe (PID 4664)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1244 -ip 1244
Network
MITRE ATT&CK Enterprise v15
Downloads