Analysis

max time kernel: 115s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 12:05
Behavioral task: behavioral1
Sample: b2efebdd3fa287b4b4af62798c8871d0N.exe
Resource: win7-20240708-en
General

Target: b2efebdd3fa287b4b4af62798c8871d0N.exe
Size: 80KB
MD5: b2efebdd3fa287b4b4af62798c8871d0
SHA1: 6be1af423364596d6c7ad5380a3469b4f35388c9
SHA256: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
SHA512: 27fddec4f6eb2f1dbbc47fdedd96a26ee11e3ff5884931c05ddc2f6754989ad19ed0267c4192c01b64303346d9296c08adbda0d7b6bf0d7218313d713cfdd7bd
SSDEEP: 768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:cfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config

Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- PID 2588 omsecor.exe
- PID 676 omsecor.exe
- PID 1836 omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
- PID 2556 b2efebdd3fa287b4b4af62798c8871d0N.exe
- PID 2556 b2efebdd3fa287b4b4af62798c8871d0N.exe
- PID 2588 omsecor.exe
- PID 2588 omsecor.exe
- PID 676 omsecor.exe
- PID 676 omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
- File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b2efebdd3fa287b4b4af62798c8871d0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 2556 wrote to memory of 2588 (b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe)
- PID 2556 wrote to memory of 2588 (b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe)
- PID 2556 wrote to memory of 2588 (b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe)
- PID 2556 wrote to memory of 2588 (b2efebdd3fa287b4b4af62798c8871d0N.exe -> omsecor.exe)
- PID 2588 wrote to memory of 676 (omsecor.exe -> omsecor.exe)
- PID 2588 wrote to memory of 676 (omsecor.exe -> omsecor.exe)
- PID 2588 wrote to memory of 676 (omsecor.exe -> omsecor.exe)
- PID 2588 wrote to memory of 676 (omsecor.exe -> omsecor.exe)
- PID 676 wrote to memory of 1836 (omsecor.exe -> omsecor.exe)
- PID 676 wrote to memory of 1836 (omsecor.exe -> omsecor.exe)
- PID 676 wrote to memory of 1836 (omsecor.exe -> omsecor.exe)
- PID 676 wrote to memory of 1836 (omsecor.exe -> omsecor.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2556

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2588

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 676

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1836
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 246dedbbb989fa8e2fa746d32df0139b
SHA1: dc1cbee75b07171b4f917d400cc691b614c3c687
SHA256: ba8adef95d9734b766329d07c1f954fb2552eb3fe8e0a6472379b207976855d9
SHA512: b9082147073496e087b1bcbcf5fc64782826bd955b421dbf4647151ddea7dd5602baa701f433772f378074912e91b81453c519bab55c7d968bfaae9329809b8e

Filesize: 80KB
MD5: 73cf383a4b12cce57cb925cf0aeb13d9
SHA1: 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256: a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512: 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

Filesize: 80KB
MD5: 03fbbc7c6d20bdf13a61e3fcc29e1433
SHA1: 773f94446e8f7279f3cb6f8c3426ddf8e009956d
SHA256: e605dcae6229436ef7ddf1371e6f664b788d790e2d38c4039ef9069738afefc0
SHA512: 8cd6a5aae97129ac32ef6a4e8bd46b4ecb3795f7d3050994ffbd347c81c2751a74bc2ca3096e2caebda6c82a0a6bc5e2e350ee93ebcf2d2307531bf3ad817965