Analysis
max time kernel: 114s
max time network: 119s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 43f1333d880fc73b01ecd2d0ebbd3370N.exe
Resource: win7-20240705-en
General
Target: 43f1333d880fc73b01ecd2d0ebbd3370N.exe
Size: 134KB
MD5: 43f1333d880fc73b01ecd2d0ebbd3370
SHA1: 936df6890c1dc0bfad6f0ba0c517ee4ff028b6cc
SHA256: dc6e701613bc61254f3f02b3e584e7462444789940d3727280086a8cebeef89a
SHA512: b50eeb6948ed7c58f32054b008e334e3c05be438e3958ee0e301cc27ad2b6b9844d61828fc470dd93c9b9110f9213517f58e4507d32baa1b31224b9db2ddf7e8
SSDEEP: 1536:oDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:OiRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (6 IoCs)
Processes:
- PID 2816 omsecor.exe
- PID 2636 omsecor.exe
- PID 2748 omsecor.exe
- PID 2212 omsecor.exe
- PID 1624 omsecor.exe
- PID 2036 omsecor.exe
Loads dropped DLL (7 IoCs)
Processes:
- PID 2080 43f1333d880fc73b01ecd2d0ebbd3370N.exe
- PID 2080 43f1333d880fc73b01ecd2d0ebbd3370N.exe
- PID 2816 omsecor.exe
- PID 2636 omsecor.exe
- PID 2636 omsecor.exe
- PID 2212 omsecor.exe
- PID 2212 omsecor.exe
Drops file in System32 directory (1 IoC)
Processes:
- File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
Suspicious use of SetThreadContext (4 IoCs)
Processes:
- PID 2852 (43f1333d880fc73b01ecd2d0ebbd3370N.exe) set thread context of PID 2080 (43f1333d880fc73b01ecd2d0ebbd3370N.exe)
- PID 2816 (omsecor.exe) set thread context of PID 2636 (omsecor.exe)
- PID 2748 (omsecor.exe) set thread context of PID 2212 (omsecor.exe)
- PID 1624 (omsecor.exe) set thread context of PID 2036 (omsecor.exe)
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe (6 IoCs)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 43f1333d880fc73b01ecd2d0ebbd3370N.exe (2 IoCs)
Suspicious use of WriteProcessMemory (36 IoCs)
Processes:
- PID 2852 (43f1333d880fc73b01ecd2d0ebbd3370N.exe) wrote to memory of PID 2080 (43f1333d880fc73b01ecd2d0ebbd3370N.exe): 6 IoCs
- PID 2080 (43f1333d880fc73b01ecd2d0ebbd3370N.exe) wrote to memory of PID 2816 (omsecor.exe): 4 IoCs
- PID 2816 (omsecor.exe) wrote to memory of PID 2636 (omsecor.exe): 6 IoCs
- PID 2636 (omsecor.exe) wrote to memory of PID 2748 (omsecor.exe): 4 IoCs
- PID 2748 (omsecor.exe) wrote to memory of PID 2212 (omsecor.exe): 6 IoCs
- PID 2212 (omsecor.exe) wrote to memory of PID 1624 (omsecor.exe): 4 IoCs
- PID 1624 (omsecor.exe) wrote to memory of PID 2036 (omsecor.exe): 6 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe (PID 2852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe (PID 2080)
    Command line: C:\Users\Admin\AppData\Local\Temp\43f1333d880fc73b01ecd2d0ebbd3370N.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2816)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2636)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\omsecor.exe (PID 2748)
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          Depth 6: C:\Windows\SysWOW64\omsecor.exe (PID 2212)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            Depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1624)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              Depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2036)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 134KB
  MD5: 3d7b5d84e8b2c05e47f7240af033ee95
  SHA1: 828a693d9127233cf978d1b9a42a4ae2c04f2ea3
  SHA256: 584d5fec78e14082ecd0f8ec1c823265c088d6bdaf66fb3bd6f2c3eb88937d86
  SHA512: a113268f1ae48eb99df56335e2688c3b1fcb20d05bad4831c85e0fba5d7addfd96db3364a3c8a6e3ba33127709f4e4e3ba3dd0b5ff67f5674690396eb21de8ba
- Filesize: 134KB
  MD5: 7d8439ccdf11d7e851ecdf1ce441ab4e
  SHA1: d52ac78f5d1e1b09001d3293b9819bb9cd0137b0
  SHA256: 1d50b988ce6eb0cc36c7a5efc716a9eb99bbc49c33499ca89f05e7f960e3e464
  SHA512: 7912b77eba9e1bd387d3e45cb278545fef0d9b63ea3cd22581caf1ddd06e19b352f78c1ed98125b7dcc8f41f1be168f3e3ccf4ab2f295592a2e2fa03f6c6aa9b
- Filesize: 134KB
  MD5: be9bc9eea78cda6b10e7400ed99361fa
  SHA1: c0eaa7e16583dd1fcfe5dbfd309a151f6f9f84b6
  SHA256: 3811e03cce1b96e5061d04a293fcb09025f649cc8f5861d69d289e46bb2f2d95
  SHA512: 64d5361696a17e3d21e24d2562863f9c24fdeaed273b6c9d1ada1a3881f39157ec7747b612d53eed04b754e4758714e60b6749536e46ea0d735d96454b0881e5