Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
19-08-2024 12:42
Behavioral task
behavioral1
Sample
4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Resource
win7-20240705-en
General
-
Target
4f8b5ded61b51de6d2d27f0e2a473a30N.exe
-
Size
248KB
-
MD5
4f8b5ded61b51de6d2d27f0e2a473a30
-
SHA1
3d58be86f9b50ae09a0a0a71521297dd241aefc6
-
SHA256
feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707
-
SHA512
ebc97a82579408b5d44440877927033517f21d24f83d0a1147b8840585c3f43d726067d12112fab1029e8e0abc9f781748de86f1defd4f36c89865b980dccb4b
-
SSDEEP
1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
Family: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid   process
3852  omsecor.exe
4916  omsecor.exe
1668  omsecor.exe
-
YARA rule matches (rule: upx)
resource                                                                     yara_rule
behavioral2/memory/3104-0-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral2/memory/3852-4-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/3104-5-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/3852-7-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Windows\SysWOW64\omsecor.exe                                              upx
behavioral2/memory/3852-13-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/4916-11-0x0000000000400000-0x000000000043E000-memory.dmp  upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral2/memory/1668-18-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/4916-17-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral2/memory/1668-20-0x0000000000400000-0x000000000043E000-memory.dmp  upx
-
Drops file in System32 directory 1 IoCs
Processes: omsecor.exe
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also routine for legitimate locale-aware software, so on its own it is a low-fidelity indicator; it is listed here because every process in the chain performs it.
Processes: 4f8b5ded61b51de6d2d27f0e2a473a30N.exe, omsecor.exe, omsecor.exe, omsecor.exe
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 4f8b5ded61b51de6d2d27f0e2a473a30N.exe, omsecor.exe, omsecor.exe
Each parent writes only into the child it has just spawned (3104 -> 3852 -> 4916 -> 1668); no write targets an unrelated process, so this pattern fits the drop-and-relaunch chain rather than injection into a third-party process.
description                       pid   process                                target process
PID 3104 wrote to memory of 3852  3104  4f8b5ded61b51de6d2d27f0e2a473a30N.exe  omsecor.exe
PID 3104 wrote to memory of 3852  3104  4f8b5ded61b51de6d2d27f0e2a473a30N.exe  omsecor.exe
PID 3104 wrote to memory of 3852  3104  4f8b5ded61b51de6d2d27f0e2a473a30N.exe  omsecor.exe
PID 3852 wrote to memory of 4916  3852  omsecor.exe                            omsecor.exe
PID 3852 wrote to memory of 4916  3852  omsecor.exe                            omsecor.exe
PID 3852 wrote to memory of 4916  3852  omsecor.exe                            omsecor.exe
PID 4916 wrote to memory of 1668  4916  omsecor.exe                            omsecor.exe
PID 4916 wrote to memory of 1668  4916  omsecor.exe                            omsecor.exe
PID 4916 wrote to memory of 1668  4916  omsecor.exe                            omsecor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"
Depth 1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
-
C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
Depth 2 (child of PID 3104)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852
-
C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe
Depth 3 (child of PID 3852). The command line names System32 but the image runs from SysWOW64: the process is 32-bit, so WOW64 file-system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64. The same redirection is why the "Drops file in System32 directory" signature records the file as created at C:\Windows\SysWOW64\omsecor.exe.
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
-
C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
Depth 4 (child of PID 4916)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668
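The process tree and signatures above describe a drop-and-relaunch chain (sample -> %APPDATA%\omsecor.exe -> SysWOW64\omsecor.exe -> %APPDATA%\omsecor.exe) plus the WOW64 path redirection. The following is an added example of turning those observations into a hunt over process-creation telemetry; it is not code from the sandbox or from the malware. The event records are constructed for the demonstration: they copy the PIDs, image paths and command lines from the report's process tree, use field names borrowed from Sysmon Event ID 1, and include one made-up benign event as noise. The hash set is taken from the General and Downloads sections of this report.

```python
"""Hunt for the omsecor.exe drop-and-relaunch chain recorded in this report.

Added example, not the sandbox's code or the malware's. SAMPLE_EVENTS are
constructed records mirroring the report's process tree; field names follow
Sysmon Event ID 1 but the log itself is made up for this demonstration.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events mirroring the report's tree (3104 -> 3852 -> 4916 -> 1668).
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "3104", "ParentProcessId": "1000",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"'},
    {"ProcessId": "3852", "ParentProcessId": "3104",
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"ProcessId": "4916", "ParentProcessId": "3852",
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "CommandLine": r"C:\Windows\System32\omsecor.exe"},
    {"ProcessId": "1668", "ParentProcessId": "4916",
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    # Benign noise (constructed): a normal System32 binary, no redirection, not omsecor.
    {"ProcessId": "5000", "ParentProcessId": "1000",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe"},
]

# Submitted sample plus the three files from the Downloads section. All are 248KB
# but every hash differs, so an exact-hash block on the original alone is not enough.
ORIGINAL_SHA256 = "feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707"
DROPPED_SHA256 = {
    "334b40a9df4a5e027483a0c44f70fbb00779801aecfe355a5646ef3b01205546",
    "c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17",
    "12b68ec9ce77ffd5d923d4b8b000cd739b2550b9ae84c57387be752064fa783d",
}

# The two drop locations the report shows omsecor.exe running from.
OMSECOR_PATHS = [
    re.compile(r"\\AppData\\Roaming\\omsecor\.exe$", re.IGNORECASE),
    re.compile(r"\\Windows\\SysWOW64\\omsecor\.exe$", re.IGNORECASE),
]


def is_omsecor(image: str) -> bool:
    """True if the image path is one of the omsecor.exe drop locations."""
    return any(p.search(image) for p in OMSECOR_PATHS)


def flag_events(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (pid, reason) pairs for events matching the report's behaviour."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: List[Tuple[str, str]] = []
    for e in events:
        if is_omsecor(e["Image"]):
            findings.append((e["ProcessId"], "omsecor.exe executed from a drop location"))
            parent = by_pid.get(e["ParentProcessId"])
            if parent is not None and is_omsecor(parent["Image"]):
                findings.append((e["ProcessId"], "omsecor.exe relaunched by omsecor.exe"))
        # A 32-bit process asked for \System32\ but the image resolved to \SysWOW64\:
        # WOW64 file-system redirection, the reason the report's "Drops file in
        # System32 directory" lands in SysWOW64.
        if "\\SysWOW64\\" in e["Image"] and "\\System32\\" in e["CommandLine"]:
            findings.append((e["ProcessId"], "System32 command line resolved to SysWOW64"))
    return findings


def reconstruct_chain(events: List[Event], root_pid: str) -> List[str]:
    """Follow ParentProcessId links downward from root_pid (first child at each level)."""
    children: Dict[str, List[str]] = {}
    for e in events:
        children.setdefault(e["ParentProcessId"], []).append(e["ProcessId"])
    chain = [root_pid]
    while children.get(chain[-1]):
        chain.append(children[chain[-1]][0])
    return chain


def hash_is_known(sha256: str) -> bool:
    """Match a SHA256 against the sample and all three dropped copies, not only the original."""
    h = sha256.lower()
    return h == ORIGINAL_SHA256 or h in DROPPED_SHA256


if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(pid, reason)
    print("chain:", " -> ".join(reconstruct_chain(SAMPLE_EVENTS, "3104")))
```

Run against the constructed events, the script flags PIDs 3852, 4916 and 1668 and rebuilds the four-process chain from the parent links; the benign notepad event and the original dropper (which runs from Temp, not a drop location) produce no findings. The SysWOW64/System32 check fires only for PID 4916, matching the third node of the tree above.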
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 248KB
MD5    abd192b4a64298a5427850694a21ef96
SHA1   8f26e4876a37fbf6142ecb91f17fc441716c5987
SHA256 334b40a9df4a5e027483a0c44f70fbb00779801aecfe355a5646ef3b01205546
SHA512 a8d8f49b3af76eaf684eec4ef0abf671e1bc8390924979dd73df7e7a95f6eada2246553a0c9c9e75ad31a252e0a58005c9907fb608be0b97e57e9e94f38dd6a1
-
Filesize 248KB
MD5    795a05ea0a425d39884d9c4208eb97c1
SHA1   3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d
SHA256 c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17
SHA512 55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a
-
Filesize 248KB
MD5    33fd7f7ad2095c91d62e0c5ae4268ce6
SHA1   9274a1d9ba6c9fc5ed6e15e4087395c504946a78
SHA256 12b68ec9ce77ffd5d923d4b8b000cd739b2550b9ae84c57387be752064fa783d
SHA512 bb5c391e9f99331784fcd19b0d0b5a7db699a7c64a60c996f85c7fd0b44ecc74cdc7c597c348397ff41675a26e6d4c6072b7a831ec0eccbd715f336322f2e935
-
All three files are 248KB, the same size as the submitted sample, yet none shares a hash with the sample or with each other. An exact-hash block on the original file therefore does not cover the copies written to C:\Users\Admin\AppData\Roaming\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe; include every hash listed here, and prefer the drop paths and the omsecor.exe relaunch chain as the primary indicators.