Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 18-08-2024 23:16
Behavioral task: behavioral1
- Sample: ab4dedf6e12a49ee8bedf85b3203a7f0N.exe
- Resource: win7-20240705-en
General
- Target: ab4dedf6e12a49ee8bedf85b3203a7f0N.exe
- Size: 90KB
- MD5: ab4dedf6e12a49ee8bedf85b3203a7f0
- SHA1: a32da655f101dfb2ac73a963fc72f5d17cd07206
- SHA256: 3203cfa8739f2b1fa705f3230662cbcf868a71f43df5d0b4d31582d89ab9c926
- SHA512: ab5dafc1cdef7bc391a345333bf954aed47d2f12fb2d707ddad70b9e0abf54d8ccc45688b3dce8ec7b4c25343f40674a6b1ffed0af93a646dd4b90926967eda5
- SSDEEP: 768:jMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:jbIvYvZEyFKF6N4aS5AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe (PID 2196), omsecor.exe (PID 2920), omsecor.exe (PID 236)
- Loads dropped DLL (6 IoCs)
  Processes: ab4dedf6e12a49ee8bedf85b3203a7f0N.exe (PID 2348, x2), omsecor.exe (PID 2196, x2), omsecor.exe (PID 2920, x2)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe, by process omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by processes omsecor.exe, omsecor.exe, ab4dedf6e12a49ee8bedf85b3203a7f0N.exe, omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2348 (ab4dedf6e12a49ee8bedf85b3203a7f0N.exe) wrote to memory of PID 2196 (omsecor.exe), x4
  PID 2196 (omsecor.exe) wrote to memory of PID 2920 (omsecor.exe), x4
  PID 2920 (omsecor.exe) wrote to memory of PID 236 (omsecor.exe), x4
Processes
- C:\Users\Admin\AppData\Local\Temp\ab4dedf6e12a49ee8bedf85b3203a7f0N.exe (PID 2348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab4dedf6e12a49ee8bedf85b3203a7f0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2196)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2920)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 236)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads: three dropped files, each 90KB.