Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 09:18
Behavioral task: behavioral1
Sample: d37325fa6d16e231fe954451da014930N.exe
Resource: win7-20240704-en
General
Target: d37325fa6d16e231fe954451da014930N.exe
Size: 80KB
MD5: d37325fa6d16e231fe954451da014930
SHA1: 59f2ca54376d026804105d04664edfa9ce5320e4
SHA256: dabab0c6eb8f980f737cec377f243b17c7bc0ab4d8e85f7522a248d9de86bd71
SHA512: de5c7acd5d633ec2c920617f557ebd1e1ad1f17ca4338befebb2a568c1d837432f3c8144624b172b564e81100d7c392781818f40e400c9401333f90d1a44212c
SSDEEP: 768:JfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:JfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe (PID 2796), omsecor.exe (PID 344), omsecor.exe (PID 2928)
- Loads dropped DLL (6 IoCs)
  Processes: d37325fa6d16e231fe954451da014930N.exe (PID 2736, 2 IoCs), omsecor.exe (PID 2796, 2 IoCs), omsecor.exe (PID 344, 2 IoCs)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe by omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d37325fa6d16e231fe954451da014930N.exe, omsecor.exe, omsecor.exe, omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs, three distinct parent/child pairs, each recorded four times)
  PID 2736 (d37325fa6d16e231fe954451da014930N.exe) wrote to memory of PID 2796 (omsecor.exe)
  PID 2796 (omsecor.exe) wrote to memory of PID 344 (omsecor.exe)
  PID 344 (omsecor.exe) wrote to memory of PID 2928 (omsecor.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe"
   PID: 2736
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2796 (parent PID 2736)
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe (32-bit process; the System32 path is redirected to SysWOW64)
         PID: 344 (parent PID 2796)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2928 (parent PID 344)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
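The process chain above (submitted sample in Temp, a copy in AppData\Roaming, a copy in SysWOW64, then Roaming again) is the behaviour a detection should key on rather than file hashes. The following Python is an added example, not part of the sandbox report or of the sandbox tooling: it collapses the report's repeated WriteProcessMemory records into unique parent/child pairs, rebuilds the chain from them, and flags a system-directory image launched by a same-named binary running from a user-writable path. PIDs and paths are copied from this report; the record text and the process-creation event list are constructed to mirror it.

```python
"""Added example (not part of the sandbox report): rebuild the process
chain from the report's WriteProcessMemory records and flag the
drop-to-Roaming, copy-to-SysWOW64, relaunch pattern seen for omsecor.exe.
PIDs and paths are copied from the report; the record text and the
process-creation events are constructed to mirror it."""
import ntpath
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory"
# signature. The report repeats each parent->child record four times;
# two copies each are kept here to show the de-duplication.
WPM_RECORDS = """\
PID 2736 wrote to memory of 2796 2736 d37325fa6d16e231fe954451da014930N.exe omsecor.exe
PID 2736 wrote to memory of 2796 2736 d37325fa6d16e231fe954451da014930N.exe omsecor.exe
PID 2796 wrote to memory of 344 2796 omsecor.exe omsecor.exe
PID 2796 wrote to memory of 344 2796 omsecor.exe omsecor.exe
PID 344 wrote to memory of 2928 344 omsecor.exe omsecor.exe
PID 344 wrote to memory of 2928 344 omsecor.exe omsecor.exe
"""

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_wpm(text):
    """Collapse the repeated records into unique
    (parent_pid, child_pid, parent_image, child_image) tuples."""
    unique = set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            unique.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return unique


def build_chain(records):
    """Return PIDs in parent-before-child order, starting from the root(s):
    any process that wrote to others but was never written to."""
    parent_of = {child: parent for parent, child, _, _ in records}
    children = defaultdict(list)
    for parent, child, _, _ in records:
        children[parent].append(child)
    roots = sorted(pid for pid in children if pid not in parent_of)
    order = []

    def walk(pid):
        order.append(pid)
        for child in sorted(children[pid]):
            walk(child)

    for root in roots:
        walk(root)
    return order


# Constructed process-creation events (pid, parent pid, image path) that
# mirror the report's Processes section; ppid 0 marks the submitted sample.
PROCESS_EVENTS = [
    (2736, 0, r"C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe"),
    (2796, 2736, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    (344, 2796, r"C:\Windows\SysWOW64\omsecor.exe"),
    (2928, 344, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
]

# Assumed location lists for the check; extend to taste.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def find_system_dir_relaunch(events):
    """Flag a system-directory image whose parent is a same-named binary
    running from a user-writable location. Returns (parent_pid, pid, image)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    hits = []
    for pid, (ppid, image) in by_pid.items():
        low = image.lower()
        if not low.startswith(SYSTEM_DIRS):
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        parent_low = parent[1].lower()
        if (any(d in parent_low for d in USER_WRITABLE)
                and ntpath.basename(parent_low) == ntpath.basename(low)):
            hits.append((ppid, pid, image))
    return hits


if __name__ == "__main__":
    recs = parse_wpm(WPM_RECORDS)
    print("unique parent->child pairs:", len(recs))
    print("chain:", " -> ".join(str(p) for p in build_chain(recs)))
    for ppid, pid, image in find_system_dir_relaunch(PROCESS_EVENTS):
        print(f"ALERT: PID {pid} {image} launched by same-named binary in PID {ppid}")
```

The lineage check deliberately ignores hashes: the three dropped files listed under Downloads are all 80KB but each carries a different hash from the others and from the submitted sample, so an IOC list built from the parent's hashes alone would miss the copies on disk, while the path-and-parent pattern survives that.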
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: 1e6f8d8858edb98fe550eca414b5edc6
  SHA1: 5028cceb6098d77590ba9f5c159799cf41bc154a
  SHA256: 096250bd2c0b57b42720425d766e3a7630f37771001fb5e16553a8812ea5a229
  SHA512: 5205723b13deba96a782c68d27732b6d19e283dd5d1fa099e7d7b71ee4f1abe99a9135bcbfebdece63f61ee0bc65da518c403a01ac22f99740a8268f498a76ea
- Filesize: 80KB
  MD5: 16ec30c6a8e16045334a7bf543f37289
  SHA1: b7f3208eff4e9f52fd2e26fff1d38d7ff32de9cb
  SHA256: f64c5d1b5ee3daebbe1bdff34488dc31426a80e346f80de18994d71a0b7d7bfd
  SHA512: 80703485d676ab1c30e3c87bd894ee3e093a9516ac704665764f214e92a9a34a9e85d458cc552d69f7b1a0c7212a1467d8aadfa4db9bd93d4810fb42233e8841
- Filesize: 80KB
  MD5: 5c000609e67c8f744b506292460bd334
  SHA1: de45107228cd12b07d0bf10fd5e32b46414b79a1
  SHA256: 1b2153da8c4f374ae49a1c3ec50d3c1972cfdf3e42a353244278065ccf149f28
  SHA512: a66ee126c4a7fa7c05691f6e6aadeed9b8182b48de383f1ff649be6cbcc905b69bde9438ed72eb934e4eabe44b02e9d4264a0b171d11e3c05ca01943a91d55af