Analysis
max time kernel
114s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
18-08-2024 09:15
Static task
static1
Behavioral task
behavioral1
Sample
2b7b7ff52de860b729fdf80c48091be0N.exe
Resource
win7-20240705-en
General
Target
2b7b7ff52de860b729fdf80c48091be0N.exe
Size
134KB
MD5
2b7b7ff52de860b729fdf80c48091be0
SHA1
ea9926aff20c7767152a41cd9755009146aeae8f
SHA256
b06d7cd428c59e8ed614c3bf2475cadb03e6d20299fca47fd545fe5f7993be37
SHA512
2df0b1699abb5bea2a5ee8cd5712c6e4a9fb5e8ffb79283be529ffb1bbbe72eee4c82db89f35f5ec1d529285d87f25f9c7787235648f66b62f7eea7f7fa5e967
SSDEEP
1536:sDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:SiRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 6 IoCs
Processes:
pid   process
2348  omsecor.exe
2992  omsecor.exe
796   omsecor.exe
1880  omsecor.exe
1292  omsecor.exe
1940  omsecor.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
2632  2b7b7ff52de860b729fdf80c48091be0N.exe
2632  2b7b7ff52de860b729fdf80c48091be0N.exe
2348  omsecor.exe
2992  omsecor.exe
2992  omsecor.exe
1880  omsecor.exe
1880  omsecor.exe
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          process -> target process
PID 2040 set thread context of 2632  2b7b7ff52de860b729fdf80c48091be0N.exe -> 2b7b7ff52de860b729fdf80c48091be0N.exe
PID 2348 set thread context of 2992  omsecor.exe -> omsecor.exe
PID 796 set thread context of 1880   omsecor.exe -> omsecor.exe
PID 1292 set thread context of 1940  omsecor.exe -> omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe (6 processes)
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2b7b7ff52de860b729fdf80c48091be0N.exe (2 processes)
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description                      process -> target process                                                      count
PID 2040 wrote to memory of 2632  2b7b7ff52de860b729fdf80c48091be0N.exe -> 2b7b7ff52de860b729fdf80c48091be0N.exe  x6
PID 2632 wrote to memory of 2348  2b7b7ff52de860b729fdf80c48091be0N.exe -> omsecor.exe                            x4
PID 2348 wrote to memory of 2992  omsecor.exe -> omsecor.exe                                                      x6
PID 2992 wrote to memory of 796   omsecor.exe -> omsecor.exe                                                      x4
PID 796 wrote to memory of 1880   omsecor.exe -> omsecor.exe                                                      x6
PID 1880 wrote to memory of 1292  omsecor.exe -> omsecor.exe                                                      x4
PID 1292 wrote to memory of 1940  omsecor.exe -> omsecor.exe                                                      x6
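The SetThreadContext and WriteProcessMemory events above repeat one pattern: a process writes into a newly started copy of its own image and then resets that copy's thread context, which is consistent with process hollowing (RunPE); the hollowed copy in turn spawns the next omsecor.exe, and the cycle repeats. The Python script below is an added example, not part of the sandbox report or the sample's own code. It parses event text in exactly the format printed in the signature tables (the embedded sample events are transcribed from this report), groups the calls per parent/child edge, flags edges that carry both a memory write and a thread-context change between processes of the same image, and walks the chain from the top-level PID, labelling each hop as hollowed or merely spawned. Function names and the input layout are assumptions of this example.

```python
"""Reconstruct an injection chain from sandbox WriteProcessMemory / SetThreadContext events.

The event grammar is the one printed in this report:
  PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>
  PID <src> set thread context of <dst> <src> <src_image> <dst_image>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)

SAMPLE = "2b7b7ff52de860b729fdf80c48091be0N.exe"

# Constructed input, transcribed from the report's two signature tables:
# (src pid, dst pid, src image, dst image) for SetThreadContext, plus a count for WriteProcessMemory.
CTX_EVENTS = [
    (2040, 2632, SAMPLE, SAMPLE),
    (2348, 2992, "omsecor.exe", "omsecor.exe"),
    (796, 1880, "omsecor.exe", "omsecor.exe"),
    (1292, 1940, "omsecor.exe", "omsecor.exe"),
]
WRITE_EVENTS = [
    (2040, 2632, SAMPLE, SAMPLE, 6),
    (2632, 2348, SAMPLE, "omsecor.exe", 4),
    (2348, 2992, "omsecor.exe", "omsecor.exe", 6),
    (2992, 796, "omsecor.exe", "omsecor.exe", 4),
    (796, 1880, "omsecor.exe", "omsecor.exe", 6),
    (1880, 1292, "omsecor.exe", "omsecor.exe", 4),
    (1292, 1940, "omsecor.exe", "omsecor.exe", 6),
]
REPORT_TEXT = " ".join(
    [f"PID {s} set thread context of {d} {s} {si} {di}" for s, d, si, di in CTX_EVENTS]
    + [f"PID {s} wrote to memory of {d} {s} {si} {di}"
       for s, d, si, di, n in WRITE_EVENTS for _ in range(n)]
)


@dataclass(frozen=True)
class Event:
    src: int
    action: str
    dst: int
    src_image: str
    dst_image: str


def parse_events(text):
    """Extract every event from report text; the sandbox prints them run together on one line."""
    return [Event(int(m["src"]), m["action"], int(m["dst"]), m["src_image"], m["dst_image"])
            for m in EVENT_RE.finditer(text)]


def injection_pairs(events):
    """Per (src, dst) edge: number of memory writes, number of thread-context changes, images."""
    edges = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_image": "", "dst_image": ""})
    for e in events:
        edge = edges[(e.src, e.dst)]
        edge["writes" if e.action.startswith("wrote") else "ctx"] += 1
        edge["src_image"], edge["dst_image"] = e.src_image, e.dst_image
    return edges


def is_hollowed(edge):
    """Write + SetThreadContext into a child of the same image: the hollowing (RunPE) signature."""
    return bool(edge["writes"]) and bool(edge["ctx"]) and \
        edge["src_image"].lower() == edge["dst_image"].lower()


def hollowing_candidates(events):
    """(src, dst, image) for every edge that looks like a hollowed self-copy."""
    return [(src, dst, edge["dst_image"])
            for (src, dst), edge in injection_pairs(events).items() if is_hollowed(edge)]


def execution_chain(events, root):
    """Follow WriteProcessMemory edges from root; this sample's tree is a single straight line."""
    children = defaultdict(list)
    for (src, dst), edge in injection_pairs(events).items():
        if edge["writes"]:
            children[src].append(dst)
    chain, seen = [root], {root}
    while children.get(chain[-1]):
        nxt = children[chain[-1]][0]
        if nxt in seen:          # guard against a malformed report that loops
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def describe_chain(events, root):
    """Label each hop of the chain as 'hollowed' (same image + SetThreadContext) or 'spawned'."""
    edges = injection_pairs(events)
    chain = execution_chain(events, root)
    return [(src, dst, edges[(src, dst)]["dst_image"],
             "hollowed" if is_hollowed(edges[(src, dst)]) else "spawned")
            for src, dst in zip(chain, chain[1:])]


if __name__ == "__main__":
    for src, dst, image, kind in describe_chain(parse_events(REPORT_TEXT), 2040):
        print(f"{src:>5} -> {dst:<5} {kind:<8} {image}")
```

Run against the transcribed events, the walk from PID 2040 yields seven hops alternating hollowed, spawned, hollowed, ... ending with the hollowed omsecor.exe at PID 1940, which is exactly the shape of the process tree further down the page. The same parser applies unchanged to other reports in this format; a tree with several children per process would need the walk generalised from a list to a depth-first traversal.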
Processes
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe (PID 2040), level 1
  command line: "C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe (PID 2632), level 2
    command line: C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2348), level 3
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2992), level 4
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe (PID 796), level 5
          command line: C:\Windows\System32\omsecor.exe
          (the 32-bit process names System32 on the command line; WoW64 file system redirection resolves that path to SysWOW64, which is why the image path and the "Drops file in System32 directory" IoC both show C:\Windows\SysWOW64\omsecor.exe)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe (PID 1880), level 6
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1292), level 7
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1940), level 8
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
134KB
MD5
d59a13ea72f897a24726076db30846c7
SHA1
0a022af01e295d08a70ecdf5d5b750d3ebddcc83
SHA256
34d79aa25375ad114221a9943231552ac55b3efd3227dede0ca13e866762d264
SHA512
ac058deeff0f3cf0ad8bffdc5ef0e186697c1d86730edec624f11dba8429a084b19f46209e63e9e24f762bd8b6cd178fd95e264b02d65efb85113513f1339977

Filesize
134KB
MD5
38a2f8360d54708fa2685e1bce9232c1
SHA1
0a5b2ef92873883c607a3a3a4fb2355e2b3a44f7
SHA256
e220dc1d4c880a7575f23101fbf9693b8142f87f8e6e78ca7724cec401e6248a
SHA512
602d92f6863586f44d6ebbfd41cafb1318ec5f78ff21426d91f240068b415230fee1ad9498a0058c3e054661975a954da65e4aaa8decbfdef219cd48280c605b

Filesize
134KB
MD5
a7dac709ac7abdc75edadf9591d5a6ec
SHA1
c670ce6e146b68505ed77bbf1c00328b54a79b07
SHA256
b153feefb6c7c36d45a5090d8ac3e61f05ca08b8df123bff1271a0a83e5c4eba
SHA512
7b0ed57f51efca9ba968beab877e455b061aa08fe8d035c061b03a9cf27593f0c20d9666081dabf57d885614eec1a4bc94e0979af801e8ad1f8d6a697eff97aa