Analysis

max time kernel: 115s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 05:50

Static task: static1
Behavioral task: behavioral1
  Sample: 20cf26a21e2369301dc9074311243430N.exe
  Resource: win7-20240704-en
General

Target: 20cf26a21e2369301dc9074311243430N.exe
Size: 33KB
MD5: 20cf26a21e2369301dc9074311243430
SHA1: 178b8933ecaf6919e4bec3844bb138ddbc67412c
SHA256: 3343e7feb1c5fbcdfb52fb8194c669177c7b784794c5253fe33b213e59835794
SHA512: c57fb0ed25165dd925b485c9eaebd40424052afa11d1af9a5cc3c16202eebc5911f5f3fecc9705fc085c389ee990eaf94400d68174be42835179ddf057615bd9
SSDEEP: 768:OfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:OfVRztyHo8QNHTk0qE5fslvN/956q
Malware Config

Extracted family: neconyd (as labelled by the sandbox's config extractor)
C2 URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  Processes:
    PID 2156  omsecor.exe
    PID 1980  omsecor.exe
    PID 1380  omsecor.exe

Loads dropped DLL (6 IoCs)
  Processes (two loads each):
    PID 1848  20cf26a21e2369301dc9074311243430N.exe
    PID 2156  omsecor.exe
    PID 1980  omsecor.exe

Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe  (by omsecor.exe)
  Note: the process tree launches this file with the command line C:\Windows\System32\omsecor.exe while its image path resolves to C:\Windows\SysWOW64\omsecor.exe. That is WOW64 file-system redirection: a 32-bit process on this x64 image that opens System32 is silently redirected to SysWOW64. The signature name reflects the directory the sample asked for; the IoC path is where the file actually landed, and it is the path to hunt for on a 64-bit host.

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by PID 1848 20cf26a21e2369301dc9074311243430N.exe, PID 2156 omsecor.exe, PID 1980 omsecor.exe, PID 1380 omsecor.exe
  Note: every process in the chain reads this key, which is consistent with a locale check that gates execution in particular regions, but the report does not show the value returned or whether execution branched on it.

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1848 (20cf26a21e2369301dc9074311243430N.exe) wrote to memory of PID 2156 (omsecor.exe)  x4
  PID 2156 (omsecor.exe) wrote to memory of PID 1980 (omsecor.exe)  x4
  PID 1980 (omsecor.exe) wrote to memory of PID 1380 (omsecor.exe)  x4
  Note: the twelve events are four writes on each of the three parent-to-child links in the process tree, and no other process pair appears. A parent writing its child's startup parameters during CreateProcess is recorded the same way, so with no write into an unrelated or already-running process shown, treat this signature as a record of the spawn chain rather than as evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\20cf26a21e2369301dc9074311243430N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\20cf26a21e2369301dc9074311243430N.exe"
   PID: 1848
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2156 (child of 1848)
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1980 (child of 2156)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1380 (child of 1980)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
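The Python script below is an added example, not part of the sandbox output and not code from the sample. It rebuilds the spawn chain and IOC set from signature lines shaped like the ones above: the event text embedded in it is constructed to mirror this report, and the one-event-per-line format it parses, the SysWOW64 path prefix it checks, and the four-writes-per-spawn baseline it uses are assumptions taken from this page rather than general properties of the sandbox.

```python
"""Rebuild the spawn chain and IOC set from Triage-style signature text.

Added example for this report; not sandbox output. EVENTS is constructed
to mirror the "Suspicious use of WriteProcessMemory" and "Drops file in
System32 directory" signatures, and the regexes assume that exact shape.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample input mirroring the report (one event per line).
EVENTS = """\
PID 1848 wrote to memory of 2156 1848 20cf26a21e2369301dc9074311243430N.exe omsecor.exe
PID 1848 wrote to memory of 2156 1848 20cf26a21e2369301dc9074311243430N.exe omsecor.exe
PID 1848 wrote to memory of 2156 1848 20cf26a21e2369301dc9074311243430N.exe omsecor.exe
PID 1848 wrote to memory of 2156 1848 20cf26a21e2369301dc9074311243430N.exe omsecor.exe
PID 2156 wrote to memory of 1980 2156 omsecor.exe omsecor.exe
PID 2156 wrote to memory of 1980 2156 omsecor.exe omsecor.exe
PID 2156 wrote to memory of 1980 2156 omsecor.exe omsecor.exe
PID 2156 wrote to memory of 1980 2156 omsecor.exe omsecor.exe
PID 1980 wrote to memory of 1380 1980 omsecor.exe omsecor.exe
PID 1980 wrote to memory of 1380 1980 omsecor.exe omsecor.exe
PID 1980 wrote to memory of 1380 1980 omsecor.exe omsecor.exe
PID 1980 wrote to memory of 1380 1980 omsecor.exe omsecor.exe
File created C:\\Windows\\SysWOW64\\omsecor.exe omsecor.exe
"""

# C2 URLs from the report's extracted neconyd config.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]

# Assumption taken from this report: each spawn carried exactly four writes.
SPAWN_WRITES = 4
WOW64_DIR = "c:\\windows\\syswow64\\"

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+)$")


def parse_events(text):
    """Return (edge write counts, pid->image map, dropped (path, writer) list)."""
    edges, names, drops = Counter(), {}, []
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if m:
            src, dst, src_name, dst_name = m.groups()
            edges[(int(src), int(dst))] += 1
            names[int(src)], names[int(dst)] = src_name, dst_name
            continue
        m = DROP_RE.match(line)
        if m:
            drops.append((m.group(1), m.group(2)))
    return edges, names, drops


def build_tree(edges):
    """Parent->children map and the roots (pids nobody wrote into)."""
    children = defaultdict(list)
    targets = {c for _, c in edges}
    for p, c in edges:
        children[p].append(c)
    roots = sorted({p for p, _ in edges if p not in targets})
    return children, roots


def chains(children, roots):
    """Every root-to-leaf pid path in the tree."""
    out = []

    def walk(pid, path):
        path = path + [pid]
        kids = children.get(pid, [])
        if not kids:
            out.append(path)
        for k in kids:
            walk(k, path)

    for r in roots:
        walk(r, [])
    return out


def classify_edges(edges):
    """Label each link: within the spawn baseline, or carrying extra writes."""
    return {f"{p}->{c}": "spawn" if n <= SPAWN_WRITES else f"extra writes ({n})"
            for (p, c), n in edges.items()}


def drop_notes(drops):
    """Flag WOW64 redirection for files that landed under SysWOW64."""
    notes = []
    for path, writer in drops:
        if path.lower().startswith(WOW64_DIR):
            notes.append(f"{writer} wrote {path} (32-bit writer; System32 redirected to SysWOW64)")
        else:
            notes.append(f"{writer} wrote {path}")
    return notes


def ioc_summary(text):
    """Chain, per-link write classification, drops and C2 as one structure."""
    edges, names, drops = parse_events(text)
    children, roots = build_tree(edges)
    return {"chains": [[f"{names[p]}({p})" for p in path] for path in chains(children, roots)],
            "edges": classify_edges(edges),
            "dropped": drop_notes(drops),
            "c2": C2_URLS}


if __name__ == "__main__":
    print(json.dumps(ioc_summary(EVENTS), indent=2))
```

Run stand-alone it prints one chain, 20cf26a21e2369301dc9074311243430N.exe(1848) through omsecor.exe(1380), with every link labelled "spawn". A link carrying more writes than the baseline, or a target pid that never shows up as a child in the tree, is what would separate injection from ordinary process creation; neither occurs in this report.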
Network
MITRE ATT&CK Enterprise v15
  T1614.001  System Location Discovery: System Language Discovery (Discovery)
Downloads

All three dropped binaries are 33KB, the same size as the submitted sample, but each carries a different hash and none matches the sample. The report does not map them to the on-disk paths in the process tree (the %AppData%\Roaming and SysWOW64 copies of omsecor.exe), so a host hunt should cover those paths and all four hash sets.

File 1
  Filesize: 33KB
  MD5: 36e09929e35c9c312c6b2e069c7233ea
  SHA1: c8f452a4fc4c078dba3e529906818313332fc846
  SHA256: 5e84bbeedf022d819371d3c4d643671d2db2444e65b8ad7cd7df6921096e2b7b
  SHA512: 53f4b9aea01e3c6f453bdc9e51ae0f7a9c39c03d7b32aa9a0b348c1bc959939c00b0e1fa0a1c6d7d2c180e9537a63e22400f3d60bbdeec3360545679ebf5d473

File 2
  Filesize: 33KB
  MD5: 0cf8fcef8eef625b25dbbcdc4bedfaad
  SHA1: 6b185736fcd27cc525df01f94bba01b67b13f819
  SHA256: c44cfb7d0e63ee24281c38c09066e230dc0438f9b8d903ca95a8c44c33cff653
  SHA512: 3ec6b7f3e4f015d839c410a38d978d338195a0f235edbbb53c9d7657a95c3cdef407689c912edcbd48c175a3d5a15691cab1852ca0a93abba8bbdacea203bfa1

File 3
  Filesize: 33KB
  MD5: 19ea4e3a3305bcea790611e70f0b935b
  SHA1: ae36114d3a2e867ac768daa9266fa476808eea60
  SHA256: 7655659c2b9bc164f36ffaafb9f26412a42d78ed3280e3550fe28d0dd2c83c34
  SHA512: 6d4f893636064d3ddb4e0c1040c3590e6781ccb19c27b792fca2bb450c43d2c4eb31389a1050212d1390b4ed55cb53faaf7f09b3788874871edaf53579d886ff