Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 18-08-2024 21:44
Behavioral task: behavioral1
- Sample: d9bae2c5b0211e4af81d661f5497bb10N.exe
- Resource: win7-20240708-en
General
- Target: d9bae2c5b0211e4af81d661f5497bb10N.exe
- Size: 35KB
- MD5: d9bae2c5b0211e4af81d661f5497bb10
- SHA1: 9ed10a2d5a856f769b4e512c7169cfb36471305e
- SHA256: 13221c391e1e8abb8d39a31c1ecdc3d09f275c84cde02dc8511e0ca599f86e94
- SHA512: 1547c2a99c45d1b7cc7a2b77df17a01471a432ae68b4efd16890fea1479a46961dca123c3a66f5f1a5c052bc4d5e7739c9267a29b2d1ef4850de65c7a223c28f
- SSDEEP: 768:j6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:e8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 3024 omsecor.exe
- 1968 omsecor.exe
- 2016 omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 2980 d9bae2c5b0211e4af81d661f5497bb10N.exe
- 2980 d9bae2c5b0211e4af81d661f5497bb10N.exe
- 3024 omsecor.exe
- 3024 omsecor.exe
- 1968 omsecor.exe
- 1968 omsecor.exe

Processes (resource, yara_rule):
- behavioral1/memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp upx
- \Users\Admin\AppData\Roaming\omsecor.exe upx
- behavioral1/memory/3024-13-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/2980-10-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/3024-15-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/3024-18-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/3024-21-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/3024-24-0x0000000000400000-0x000000000042D000-memory.dmp upx
- \Windows\SysWOW64\omsecor.exe upx
- behavioral1/memory/3024-27-0x0000000000280000-0x00000000002AD000-memory.dmp upx
- behavioral1/memory/3024-35-0x0000000000400000-0x000000000042D000-memory.dmp upx
- \Users\Admin\AppData\Roaming\omsecor.exe upx
- behavioral1/memory/2016-48-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/1968-46-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral1/memory/2016-50-0x0000000000400000-0x000000000042D000-memory.dmp upx

Drops file in System32 directory (1 IoCs)
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d9bae2c5b0211e4af81d661f5497bb10N.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
- PID 2980 wrote to memory of 3024: d9bae2c5b0211e4af81d661f5497bb10N.exe -> omsecor.exe
- PID 2980 wrote to memory of 3024: d9bae2c5b0211e4af81d661f5497bb10N.exe -> omsecor.exe
- PID 2980 wrote to memory of 3024: d9bae2c5b0211e4af81d661f5497bb10N.exe -> omsecor.exe
- PID 2980 wrote to memory of 3024: d9bae2c5b0211e4af81d661f5497bb10N.exe -> omsecor.exe
- PID 3024 wrote to memory of 1968: omsecor.exe -> omsecor.exe
- PID 3024 wrote to memory of 1968: omsecor.exe -> omsecor.exe
- PID 3024 wrote to memory of 1968: omsecor.exe -> omsecor.exe
- PID 3024 wrote to memory of 1968: omsecor.exe -> omsecor.exe
- PID 1968 wrote to memory of 2016: omsecor.exe -> omsecor.exe
- PID 1968 wrote to memory of 2016: omsecor.exe -> omsecor.exe
- PID 1968 wrote to memory of 2016: omsecor.exe -> omsecor.exe
- PID 1968 wrote to memory of 2016: omsecor.exe -> omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe (PID 2980)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3024)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 1968)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2016)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 35KB
- MD5: 28e15ebe825005fa203f31f0796e4fd3
- SHA1: 4439062f9b11086cf495e71d500984434769fea1
- SHA256: b2d7505c13ffbe51445530ddd84af467a855bb116707ffffb47b453da45db7d0
- SHA512: 3937b4f343f96255b287a3d6d7f70f2013cdba9f57664ed168cfc2e173d663b1640c46974ecaac877cf233849dd6d4cd6b0ec627d26258ba76ba708affa60fac

File 2
- Filesize: 35KB
- MD5: c274258de3287c20ac8bd8ed05b473cd
- SHA1: bb9fd75fa5a37efe12b4404a3a9794458482fb8f
- SHA256: ed651414c4bbc683b48fef0ddf09a8037df2b9728e8f3456b415e22063d1a228
- SHA512: 93b61d5b7f3003d4a8fa0f713430d3f3310650b5370ba622951910629ee57a11e54f91ee6d8acd4e19c8c680b788f0adaa51d37c0670091dd86e7fb4feb4ea9b

File 3
- Filesize: 35KB
- MD5: f717fb9336e14dfe3528ba5479f06158
- SHA1: 9bcbbd07929ae8c8237d5a6cdf559f8a3fd543cc
- SHA256: 2f4915b55b3dc558faafb01ad1869415b65d91eb42037c6dbe4b01cbb2b2cffe
- SHA512: 22f4ff7a737ce22cc2fe3967ce2fc04f21d1169e289394580bea821255deed7be0490217ef190dcba92c5c31687f6c20614962f603fec81b28c985c3fbc838eb