Analysis

- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 18-08-2024 08:35
Behavioral task: behavioral1

- Sample: d7625c49eb9fad3a7ec0434a0f674d10N.exe
- Resource: win7-20240705-en
General

- Target: d7625c49eb9fad3a7ec0434a0f674d10N.exe
- Size: 248KB
- MD5: d7625c49eb9fad3a7ec0434a0f674d10
- SHA1: e0adbf5813a672c5a39ccc8978835df766bae9eb
- SHA256: 502122b7b1bb70ad90016451afddf796de362a2eca299f0af6948dd53a1e9a17
- SHA512: 594f7713ceac2a77569b70d836097d72678754c7d342f3e4a5892eb1489dbab6c893d9e369bd480e9f14bd6cbe173453d7ae170789a202809824c7fa21ffafe3
- SSDEEP: 1536:44d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:4IdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config

Extracted family: neconyd

- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid | process):
- 2524 | omsecor.exe
- 580 | omsecor.exe
- 1868 | omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid | process):
- 2176 | d7625c49eb9fad3a7ec0434a0f674d10N.exe
- 2176 | d7625c49eb9fad3a7ec0434a0f674d10N.exe
- 2524 | omsecor.exe
- 2524 | omsecor.exe
- 580 | omsecor.exe
- 580 | omsecor.exe
Processes (resource | yara_rule):
- behavioral1/memory/2176-0-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- \Users\Admin\AppData\Roaming\omsecor.exe | upx
- behavioral1/memory/2176-3-0x00000000001B0000-0x00000000001EE000-memory.dmp | upx
- behavioral1/memory/2176-9-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- behavioral1/memory/2524-12-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- behavioral1/memory/2524-13-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- \Windows\SysWOW64\omsecor.exe | upx
- behavioral1/memory/2524-25-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- behavioral1/memory/580-27-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- \Users\Admin\AppData\Roaming\omsecor.exe | upx
- behavioral1/memory/580-32-0x0000000000220000-0x000000000025E000-memory.dmp | upx
- behavioral1/memory/580-37-0x0000000000400000-0x000000000043E000-memory.dmp | upx
- behavioral1/memory/1868-40-0x0000000000400000-0x000000000043E000-memory.dmp | upx
Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
- File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d7625c49eb9fad3a7ec0434a0f674d10N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
- PID 2176 wrote to memory of 2524 | 2176 | d7625c49eb9fad3a7ec0434a0f674d10N.exe | omsecor.exe
- PID 2176 wrote to memory of 2524 | 2176 | d7625c49eb9fad3a7ec0434a0f674d10N.exe | omsecor.exe
- PID 2176 wrote to memory of 2524 | 2176 | d7625c49eb9fad3a7ec0434a0f674d10N.exe | omsecor.exe
- PID 2176 wrote to memory of 2524 | 2176 | d7625c49eb9fad3a7ec0434a0f674d10N.exe | omsecor.exe
- PID 2524 wrote to memory of 580 | 2524 | omsecor.exe | omsecor.exe
- PID 2524 wrote to memory of 580 | 2524 | omsecor.exe | omsecor.exe
- PID 2524 wrote to memory of 580 | 2524 | omsecor.exe | omsecor.exe
- PID 2524 wrote to memory of 580 | 2524 | omsecor.exe | omsecor.exe
- PID 580 wrote to memory of 1868 | 580 | omsecor.exe | omsecor.exe
- PID 580 wrote to memory of 1868 | 580 | omsecor.exe | omsecor.exe
- PID 580 wrote to memory of 1868 | 580 | omsecor.exe | omsecor.exe
- PID 580 wrote to memory of 1868 | 580 | omsecor.exe | omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d7625c49eb9fad3a7ec0434a0f674d10N.exe (PID 2176)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d7625c49eb9fad3a7ec0434a0f674d10N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2524), child of PID 2176
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 580), child of PID 2524
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1868), child of PID 580
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
- Filesize: 248KB
- MD5: 433dbad318d2e4c4391df92107ecdf08
- SHA1: 5fa78d6acc5115a4099b3f8f4af15d6362ead3ee
- SHA256: 4fdcf0778ccc566481f1f5cc1320076b32342ed4c7f0520c3d7be4edbbfcde40
- SHA512: 906513a8b08bfcb3050a65e3b1f2dab5aa137c492ae1485850345369513e63338938aca89e520fa1823d44938f5f81d58f574001b851a220669777b760ff812a

Dropped file 2
- Filesize: 248KB
- MD5: 40d7dd2366a3a74288677f5a67f51a7d
- SHA1: 050f3e2c9ae5ecd20b4d8dd6c6d49b3448e39f5a
- SHA256: 7367b530ad15c4710e7d8b92b67c06a53a9bbabcccaf63db880c60fb01ffe5eb
- SHA512: 43997e94ee65eb6a73beff7714cae529cce2fef35c48813d4d98142a52abb86a886fb666464fe7019da30ca0c7790f49a82034d5050bf555d0661840465613d4

Dropped file 3
- Filesize: 248KB
- MD5: 4250f99935f9480fc7ec1bc2bd165dd1
- SHA1: c24d7340e6cb6d84a1ed8deffa0955a26b93c52e
- SHA256: 43daeeb5ad09d27929c9416d400cb84cc3aba91c5eed4eafc09d709a6fc86c8b
- SHA512: 8e6ad3b9eed425ce32aa0f736f0cbf0c4851559c52c3c109b187f3b9eca78f7d057741270706ba3fa5e4a047469210eaf04bf60b80a3ceaddf57650f30b7bbc0