Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 19:25
Behavioral task: behavioral1
- Sample: 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
- Resource: win7-20240903-en
General
- Target: 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
- Size: 248KB
- MD5: cb9a9db3e21843a9a051a52d2b53a290
- SHA1: 09eb7fb0f9991cd659bd3bb4d30593c16cc5aa2a
- SHA256: 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233
- SHA512: b965d755ec7fa481b707fca08a56e4664a51434b7fdead42e6e465a03191bd59d5cae9005b2698bfbef4ed659d57f046f6c4fc07b79c5ca5d969b4d60e39f427
- SSDEEP: 1536:N4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:NIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
pid | Process
5012 | omsecor.exe
3524 | omsecor.exe
4180 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

YARA rule matches
resource | yara_rule
behavioral2/memory/4028-0-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/files/0x0009000000023c7c-4.dat | upx
behavioral2/memory/5012-6-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/memory/4028-5-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/memory/5012-7-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/files/0x0011000000023b34-10.dat | upx
behavioral2/memory/3524-11-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/memory/5012-12-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/memory/3524-16-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/files/0x0009000000023c7c-17.dat | upx
behavioral2/memory/4180-18-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/memory/4180-20-0x0000000000400000-0x000000000043E000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4028 wrote to memory of 5012 | 4028 | 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe | 84
PID 4028 wrote to memory of 5012 | 4028 | 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe | 84
PID 4028 wrote to memory of 5012 | 4028 | 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe | 84
PID 5012 wrote to memory of 3524 | 5012 | omsecor.exe | 100
PID 5012 wrote to memory of 3524 | 5012 | omsecor.exe | 100
PID 5012 wrote to memory of 3524 | 5012 | omsecor.exe | 100
PID 3524 wrote to memory of 4180 | 3524 | omsecor.exe | 101
PID 3524 wrote to memory of 4180 | 3524 | omsecor.exe | 101
PID 3524 wrote to memory of 4180 | 3524 | omsecor.exe | 101
Processes
1. C:\Users\Admin\AppData\Local\Temp\72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe"
   PID: 4028
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 5012
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3524
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4180
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 248KB
  MD5: 83b7793f3e59ad032df6761b650c7acc
  SHA1: 6c4c707f8088e7a5c288fc0f657f1c1ca0b4a6e2
  SHA256: 44505c5f3a38a59907c3e258819f76dda475a6bb1c79a8d9497479cadd016c3e
  SHA512: 135beb0872d215ca42293f7b65a03da5772a5cf87af1a8165dd3b9130491ef884255f2d35f32ee768d62843ae03758ec0349268289cbc1aa038e0e299f826c44
- Filesize: 248KB
  MD5: 3077688e9f0e52130136acce595b635d
  SHA1: e7ed932981f5b02422eb67796d4d8b445fd5476f
  SHA256: 215f905c81b9b0e195489955b0e0f32c0af1557ad346f8b632a29c74c84fd7ac
  SHA512: 2bea727ef0ca55bac277d16c65ed41d20a71d920aba8e085c0abc6d4e791a0372eda330a08a64c5d8f74cc090466a943f4ff236fcdbb3194986872a59c6a4b56
- Filesize: 248KB
  MD5: 9bb8ba9fbc4759f542e8fc8a52bee45f
  SHA1: 95543e87afaa8a33ae0e580bbea9fe5f7cfab896
  SHA256: d58ca27a74e2bd4ea8404823c9adf18551b5afed0119221e5b294486b8f66711
  SHA512: 80b1292afd5bc12a728c39a3f1450aafc5a5b2bf5d08d45c5019afec2c35d3911496c6be94cc65c1b1667fa136515449aec575cb7cd690c4c11e5269d8381ff7