Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 09:46
Behavioral task: behavioral1
Sample: d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
Resource: win7-20240704-en
General
Target: d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
Size: 71KB
MD5: d5caadd3a36bbd871cfe9e4ad81bbfe0
SHA1: 8052be741045ed191cc7b36589b2dbec12bd96f0
SHA256: 103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6
SHA512: 2bcccffb9c2a58e7b13a0241841f67caca4d745057c12699fad85693f52cb60c1eb4b4e83611e1c1ff01d36300c5702eccb8dc12843fe6f1062f94db447b2003
SSDEEP: 1536:Ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:8dseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
Extracted: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2744  omsecor.exe
  2900  omsecor.exe
  2412  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2816  d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
  2816  d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
  2744  omsecor.exe
  2744  omsecor.exe
  2900  omsecor.exe
  2900  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                            process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                  pid   process                                 target process
  PID 2816 wrote to memory of  2744  d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe   omsecor.exe   (x4)
  PID 2744 wrote to memory of  2900  omsecor.exe                             omsecor.exe   (x4)
  PID 2900 wrote to memory of  2412  omsecor.exe                             omsecor.exe   (x4)
Each parent-to-child write is recorded four times in the report, giving 12 IoCs for a three-hop chain: 2816 -> 2744 -> 2900 -> 2412.
Processes

1. C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe  (PID 2816)
   command line: "C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2744)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe  (PID 2900)
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2412)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

Note on the level-3 process: the command line names C:\Windows\System32\omsecor.exe, but the image actually executed (and the file the "Drops file in System32 directory" signature records) lives in C:\Windows\SysWOW64. That is WoW64 file-system redirection: a 32-bit process on x64 Windows that writes to or launches System32\<name> is transparently redirected to SysWOW64\<name>. When hunting for this sample on x64 hosts, check SysWOW64 for omsecor.exe, not only System32.
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 71KB
MD5: e4723eda011bc544178aea66af7c90fa
SHA1: 6936f353050f60ff313ecc554d1ce39fe211b70e
SHA256: 2cd0424869e50d2cd51ec291286e825fe5deb2f6654b57e94d0755224f0844bc
SHA512: 80cc0892ea7268f8d0f8738732a35042645a138ba003e167e47bf33bb167c91b9eca8aba41e161a22e6b778c12a467970f381debc09fd52334dcf0cccd7919bc

File 2
Filesize: 71KB
MD5: 1db297ad35dd61a0931fa4015fec1264
SHA1: 2396d371da5776ab6823df870fb87c6bbfb08961
SHA256: a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49
SHA512: 4358ab2934ba720f835bfd99049c5ac915eda6b8c08209a8930a27388147d263fbe0b802377af06e49d12522dd5b1927a57500cda6ab800fc7bb660488fe2af6

File 3
Filesize: 71KB
MD5: 09bfb36775d4ccadb48274e78f5d1696
SHA1: 8dc86dddb9da47de4e3bf9afaa1bcb791da2ae87
SHA256: d5667f4f3c3a2b07c926a4d35aee8a07598589d09368a6245e60a235a698bf00
SHA512: cc299178598276ae37eaf2f4f966407cec9a11680dc7bd79b5efbbbec196d5aa32a89096a9dce5fb189b0e7be9d5ddb8e6bcc75aa9a99794e1990b9221a1d7d9
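The following is an added detection example, not part of the sandbox report, covering both the process tree above (the AppData to SysWOW64 to AppData relaunch chain of omsecor.exe and the NLS\Language key reads) and the hashes and extracted URLs in the Malware Config and Downloads sections. The indicators are copied from the report; the telemetry schema (ProcEvent fields), the event records, the parent PID 1000, and the assignment of each downloaded file's SHA256 to a particular PID are assumptions made so the code runs offline.

```python
"""Detection logic for the omsecor.exe behaviour in the report above.
Added example; indicator values come from the report, everything else
(event schema, sample events, hash-to-PID mapping) is constructed."""
import ntpath
import re
from dataclasses import dataclass, field

# Indicators taken from the report.
DROPPED_SHA256 = {
    "2cd0424869e50d2cd51ec291286e825fe5deb2f6654b57e94d0755224f0844bc",
    "a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49",
    "d5667f4f3c3a2b07c926a4d35aee8a07598589d09368a6245e60a235a698bf00",
}
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Path classes the chain crosses. SysWOW64 is included because a 32-bit
# dropper that writes to System32 on x64 lands there via WoW64 redirection.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


@dataclass
class ProcEvent:
    """Assumed process-creation record; field names are not from any product."""
    pid: int
    ppid: int
    image: str
    sha256: str = ""
    regkeys_opened: list = field(default_factory=list)


def detect_chain(events):
    """Flag the drop-and-relaunch pattern: a parent running from a user-writable
    directory spawns a child with the same file name from a system directory,
    or the reverse. Returns (parent_pid, child_pid, child_image) tuples."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        same_name = ntpath.basename(e.image).lower() == ntpath.basename(parent.image).lower()
        crosses = (USER_WRITABLE.match(parent.image) and SYSTEM_DIRS.match(e.image)) or \
                  (SYSTEM_DIRS.match(parent.image) and USER_WRITABLE.match(e.image))
        if same_name and crosses:
            alerts.append((parent.pid, e.pid, e.image))
    return alerts


def detect_language_probe(events):
    """PIDs of processes running from a user-writable path that open the
    NLS Language key (the System Language Discovery signature)."""
    return [e.pid for e in events
            if USER_WRITABLE.match(e.image)
            and LANGUAGE_KEY.lower() in (k.lower() for k in e.regkeys_opened)]


def match_hashes(events):
    """Map PID -> SHA256 for every process whose image hash is a known dropped file."""
    return {e.pid: e.sha256 for e in events if e.sha256 in DROPPED_SHA256}


def c2_hits(dns_queries):
    """Queried names that equal, or are subdomains of, an extracted C2 host."""
    return sorted(q for q in dns_queries
                  if any(q.lower() == h or q.lower().endswith("." + h) for h in C2_HOSTS))


# Constructed telemetry mirroring the report's process tree. Parent PID 1000 for
# the sample and the per-PID hash assignment are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(2816, 1000, r"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe",
              "103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6", [LANGUAGE_KEY]),
    ProcEvent(2744, 2816, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
              "2cd0424869e50d2cd51ec291286e825fe5deb2f6654b57e94d0755224f0844bc", [LANGUAGE_KEY]),
    ProcEvent(2900, 2744, r"C:\Windows\SysWOW64\omsecor.exe",
              "a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49", [LANGUAGE_KEY]),
    ProcEvent(2412, 2900, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
              "d5667f4f3c3a2b07c926a4d35aee8a07598589d09368a6245e60a235a698bf00", [LANGUAGE_KEY]),
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
    print(detect_language_probe(SAMPLE_EVENTS))
    print(match_hashes(SAMPLE_EVENTS))
    print(c2_hits(["www.lousta.net", "example.com", "mkkuei4kdsz.com"]))
```

Run against the constructed events, detect_chain fires twice (2744 -> 2900 crossing into SysWOW64, then 2900 -> 2412 back into AppData\Roaming), which is the behavioural signal worth alerting on even when the file hashes change; the hash and C2 matches are the cheap, brittle checks to layer on top.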