Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2024, 16:17

Static task: static1
Behavioral task: behavioral1
Sample: f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe
Resource: win7-20240903-en
General
- Target: f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe
- Size: 134KB
- MD5: 5cf128e2139b580fd6b33ea1efa43ae0
- SHA1: 8ce6f2b0ead61caca11efdd3b7d4ce7dbb04c636
- SHA256: f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4
- SHA512: c6cebabac412e9c6c3edf31aba092a72c5100ec95f2c772dc3c10dd258de1ac93103280b6ed91ac94b0fb07f0abec3fbd05cb2614f5a1f73616e2face399d224
- SSDEEP: 1536:+DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:giRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (6 IoCs)
  - pid 3232, omsecor.exe
  - pid 4788, omsecor.exe
  - pid 3660, omsecor.exe
  - pid 1532, omsecor.exe
  - pid 4692, omsecor.exe
  - pid 4312, omsecor.exe
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\omsecor.exe (Process: omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 4500 set thread context of 1824 (pid 4500, f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe, procid_target 82)
  - PID 3232 set thread context of 4788 (pid 3232, omsecor.exe, procid_target 87)
  - PID 3660 set thread context of 1532 (pid 3660, omsecor.exe, procid_target 100)
  - PID 4692 set thread context of 4312 (pid 4692, omsecor.exe, procid_target 103)
- Program crash (4 IoCs)
  - pid 388, pid_target 4500, WerFault.exe, procid_target 81
  - pid 3212, pid_target 3232, WerFault.exe, procid_target 85
  - pid 4456, pid_target 3660, WerFault.exe, procid_target 99
  - pid 764, pid_target 4692, WerFault.exe, procid_target 102
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe)
- Suspicious use of WriteProcessMemory (29 IoCs; identical rows grouped, count in brackets)
  - PID 4500 wrote to memory of 1824 (pid 4500, f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe, procid_target 82) [5 rows]
  - PID 1824 wrote to memory of 3232 (pid 1824, f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe, procid_target 85) [3 rows]
  - PID 3232 wrote to memory of 4788 (pid 3232, omsecor.exe, procid_target 87) [5 rows]
  - PID 4788 wrote to memory of 3660 (pid 4788, omsecor.exe, procid_target 99) [3 rows]
  - PID 3660 wrote to memory of 1532 (pid 3660, omsecor.exe, procid_target 100) [5 rows]
  - PID 1532 wrote to memory of 4692 (pid 1532, omsecor.exe, procid_target 102) [3 rows]
  - PID 4692 wrote to memory of 4312 (pid 4692, omsecor.exe, procid_target 103) [5 rows]
Processes (indentation shows the parent/child depth recorded by the sandbox; "Command line" is the command line as captured)
- C:\Users\Admin\AppData\Local\Temp\f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe (depth 1, PID 4500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe (depth 2, PID 1824)
    Command line: C:\Users\Admin\AppData\Local\Temp\f9dbeeed5beba8aca4e7d4207719925724c89a643479a5dfc1cea2a5517b71d4N.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 3, PID 3232)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4, PID 4788)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (depth 5, PID 3660)
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (depth 6, PID 1532)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 7, PID 4692)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 8, PID 4312)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (depth 8, PID 764)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 268
                - Program crash
          - C:\Windows\SysWOW64\WerFault.exe (depth 6, PID 4456)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 292
            - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 3212)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 288
        - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 388)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 300
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2952)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 396)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3232 -ip 3232
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3732)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3660 -ip 3660
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1864)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4692 -ip 4692
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 134KB
  MD5: ed0417e191446f7f4e053b63585c2d0a
  SHA1: f6241e869410b6d81fb190835661c44cbe7ea22b
  SHA256: 8ebf08d531e2da83b4f7e3c266d15a6cfd9a3ae0ab8c21ccb9bc918722bd8f03
  SHA512: acaf4bd5cf5d7215ed0e640d91f720d2fd008f674884f2825ebf9f8eb694a006eeb51e79c18b067433d4f1c143910c95beb5ca525a57503eaa903efab479257a
- Filesize: 134KB
  MD5: 828a5448e352a307c1bd8cd0cf84380d
  SHA1: 855c2f625af2b77ecb30ddcf649200cfe0a6de67
  SHA256: 779a27f95728e26e69f84ea44f809b779d6f3f6cb65bcf1313bd34d543b9f2a7
  SHA512: 4d270e8183bd8cfd06dc1bd2d6c15f6b502ec8df8fb6ee9c671e3eaf9337c9729a0f202b89242a51b76fb6c24c360e194a59ff2f5fc712088018eec326dda1a4
- Filesize: 134KB
  MD5: 4a6a24ce5da866a13f3033c01160cd0e
  SHA1: 1bad1dcc7987a65f9b6ce49a59b658d504441658
  SHA256: 868180b762f2902446f39fc0b70db16c315d3641a28c1b16a01545082e7ccd57
  SHA512: 54061341aa13a701fc4c44dd993e80a78d51f8f6c61a2783710344ec3472b677636bf98f4e516494a324c8fadb82fea212f399228a9e42058273f11994aa5b7f