Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 18-08-2024 05:58

Static task: static1
Behavioral task: behavioral1
Sample: 5b002622f8369ec9e804b185e9376fc0N.exe
Resource: win7-20240704-en

General
Target: 5b002622f8369ec9e804b185e9376fc0N.exe
Size: 96KB
MD5: 5b002622f8369ec9e804b185e9376fc0
SHA1: 4d077d57f02736b585f5a72c7625905b856dcfb2
SHA256: 0499beff84adc41da5dd97694023640d8fe1206730d8100ab5603b282af9e794
SHA512: 438d707898c5006cbbfc73fef6e0507deff238d90c75601fab5d16c28faef76f8fc4de7f463b6ac1ec825d5bbc9e5a4179678aacaa9223b8f9ba9dd4155992bc
SSDEEP: 1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:LGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
PID / process:
- 2708 omsecor.exe
- 2612 omsecor.exe
- 2920 omsecor.exe
- 3052 omsecor.exe
- 1152 omsecor.exe
- 3060 omsecor.exe

Loads dropped DLL (7 IoCs)
PID / process (one IoC per load event):
- 2800 5b002622f8369ec9e804b185e9376fc0N.exe (2 events)
- 2708 omsecor.exe (1 event)
- 2612 omsecor.exe (2 events)
- 3052 omsecor.exe (2 events)

Drops file in System32 directory (1 IoC)
- File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)

Suspicious use of SetThreadContext (4 IoCs)
PID / process set thread context of target PID / target process:
- 2740 5b002622f8369ec9e804b185e9376fc0N.exe -> 2800 5b002622f8369ec9e804b185e9376fc0N.exe
- 2708 omsecor.exe -> 2612 omsecor.exe
- 2920 omsecor.exe -> 3052 omsecor.exe
- 1152 omsecor.exe -> 3060 omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- omsecor.exe (6 events)
- 5b002622f8369ec9e804b185e9376fc0N.exe (2 events)

Suspicious use of WriteProcessMemory (36 IoCs)
PID / process wrote to memory of target PID / target process (one IoC per write event):
- 2740 5b002622f8369ec9e804b185e9376fc0N.exe -> 2800 5b002622f8369ec9e804b185e9376fc0N.exe (6 events)
- 2800 5b002622f8369ec9e804b185e9376fc0N.exe -> 2708 omsecor.exe (4 events)
- 2708 omsecor.exe -> 2612 omsecor.exe (6 events)
- 2612 omsecor.exe -> 2920 omsecor.exe (4 events)
- 2920 omsecor.exe -> 3052 omsecor.exe (6 events)
- 3052 omsecor.exe -> 1152 omsecor.exe (4 events)
- 1152 omsecor.exe -> 3060 omsecor.exe (6 events)
Processes
Process tree (each numbered process is the child of the one above it):

1. C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe"
   PID: 2740
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
   PID: 2800
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

3. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2708
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

4. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2612
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\omsecor.exe
   Command line: C:\Windows\System32\omsecor.exe
   PID: 2920
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\omsecor.exe
   Command line: C:\Windows\SysWOW64\omsecor.exe
   PID: 3052
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

7. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 1152
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

8. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 3060
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 96KB
MD5: aca1022c081ce186ae4b4d4579efd1d2
SHA1: c58f4d4ce2e1eeaeb24a0e24d945fcefdf97c621
SHA256: 90a7ae08a40fc047bce158a671b79bc36c12c081c3fbc87e4cf5d844b3ae71a2
SHA512: 2b2754bfdbea3257647294b4f1bd40c1ea2a14a0113a357ef4d995b3d45c6f758edcd4bbb135644106577d9c2a3507e61deadbb724ca6fe01c7ac82699731892

File 2
Filesize: 96KB
MD5: 7a8f7c59bbb9af784ac55885c7dbbcfb
SHA1: 8d79e7d3fe7e048ea44b6cc08a1a7743d6775a3a
SHA256: 9b8f87a04a8de462330493773489db5a0b4274415b9c3875eb9e6d3e7978d242
SHA512: 349ea00a1731f48c9bccaf0dcfec09aea29a30a52f035f33692dc91d6efffa0d05c725dc07d7dedcbbe1f3b4eb26ba0a7ee00578ee5f9363aa363462ab553e71

File 3
Filesize: 96KB
MD5: 873d0674c0111283bed51673f6698760
SHA1: 9f32b0cdf83a2d852765aa22de5f1664a4288fcf
SHA256: 6ea7f6939aee5a67cccc560437a120f6b8bfb1a6ed39ff2a86b22449899975ca
SHA512: 241cb39f7b29080f0349e9a9cf4df43a326918f0be121202c8995c8b0d1ebc6420c691690311b933d10807784d60cd2e9b981e04cbb090db1c79a28182f00256