Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 09:09
Behavioral task: behavioral1
Sample: 759b81d87e3790c1e1a5eb0e8ca191c0N.exe
Resource: win7-20240704-en
General
Target: 759b81d87e3790c1e1a5eb0e8ca191c0N.exe
Size: 71KB
MD5: 759b81d87e3790c1e1a5eb0e8ca191c0
SHA1: 187790f1e2c75ef8fad872b78e60337e01a5ec93
SHA256: d53e63679f7902887c20b9587c6ac16fbce6f22b4b3d918027644217908fdabe
SHA512: 102e5e6822b9da768f6e9b2a4b7de2cb2eb956bb4c92fd4372147dab7f705f0ae90ee2ec3baafef80f43d79d7a8d51427632bbc5984bd0331bf5acbc506a4cff
SSDEEP: 1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:GdseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 2 IoCs
  pid   process
  2872  omsecor.exe
  2972  omsecor.exe
Loads dropped DLL 4 IoCs
  pid   process
  2468  759b81d87e3790c1e1a5eb0e8ca191c0N.exe
  2468  759b81d87e3790c1e1a5eb0e8ca191c0N.exe
  2872  omsecor.exe
  2872  omsecor.exe
Drops file in System32 directory 2 IoCs
  description                   ioc                              process
  File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  759b81d87e3790c1e1a5eb0e8ca191c0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory 8 IoCs
  description                       pid   process                                target process
  PID 2468 wrote to memory of 2872  2468  759b81d87e3790c1e1a5eb0e8ca191c0N.exe  omsecor.exe
  PID 2468 wrote to memory of 2872  2468  759b81d87e3790c1e1a5eb0e8ca191c0N.exe  omsecor.exe
  PID 2468 wrote to memory of 2872  2468  759b81d87e3790c1e1a5eb0e8ca191c0N.exe  omsecor.exe
  PID 2468 wrote to memory of 2872  2468  759b81d87e3790c1e1a5eb0e8ca191c0N.exe  omsecor.exe
  PID 2872 wrote to memory of 2972  2872  omsecor.exe                            omsecor.exe
  PID 2872 wrote to memory of 2972  2872  omsecor.exe                            omsecor.exe
  PID 2872 wrote to memory of 2972  2872  omsecor.exe                            omsecor.exe
  PID 2872 wrote to memory of 2972  2872  omsecor.exe                            omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe"
   PID: 2468
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2872
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2972
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 71KB
MD5: b2eff1323a1ffb0533429e2da8a9642d
SHA1: 9aa55585d58ce023f3e47922f82f8febd775de29
SHA256: b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d
SHA512: d5ede1b0aaef977c79e16ec5e7401a241e53471d7ce8d4efb0c6453560e7dadbb766da36d4d546b7657b282804374da9052c869756e94dd01e1f765b6a5b50b7

Filesize: 71KB
MD5: 78daca9d26d576398a39d113ec1b58a2
SHA1: 4c77d30b7037eb3da513f96c549e9c8aff5d7705
SHA256: cbbff1931e290c5d1f1b731de2a396a7a5c842279d6c59a13fe2f203e1413999
SHA512: 8fa3c27137ae57e70b203618c303329d0b71edbfce3263dc9844bd29e79c1b0e691d484fe5b4c5a2ff527f055020a407db9e1b9fc7e73d91e8a263a4f1e180ec