Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 18-08-2024 11:23

Behavioral task: behavioral1
- Sample: 5dc708aa69cee869ebaf67ff489d1780N.exe
- Resource: win7-20240708-en
General
- Target: 5dc708aa69cee869ebaf67ff489d1780N.exe
- Size: 248KB
- MD5: 5dc708aa69cee869ebaf67ff489d1780
- SHA1: e4804f8293be1d18b2943664aa01c70235fb2e06
- SHA256: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370
- SHA512: d9e4cbbc51812dcb695d450930b76f727f4c45cb0d80b1563ad48c5beb40586c4f1f608d2b561f598b777106cf1e472b3826d1a6750faf1dd3f3908321dd00dd
- SSDEEP: 1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:kIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  2432  omsecor.exe
  2224  omsecor.exe

Loads dropped DLL (4 IoCs)
  pid   process
  2164  5dc708aa69cee869ebaf67ff489d1780N.exe
  2164  5dc708aa69cee869ebaf67ff489d1780N.exe
  2432  omsecor.exe
  2432  omsecor.exe

YARA rule upx matched (8 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2164-1-0x0000000000400000-0x000000000043E000-memory.dmp    upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                      upx
  behavioral1/memory/2432-9-0x0000000000400000-0x000000000043E000-memory.dmp    upx
  behavioral1/memory/2432-11-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  \Windows\SysWOW64\omsecor.exe                                                 upx
  behavioral1/memory/2432-16-0x0000000000380000-0x00000000003BE000-memory.dmp   upx
  behavioral1/memory/2432-23-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral1/memory/2224-25-0x0000000000400000-0x000000000043E000-memory.dmp   upx
Drops file in System32 directory (2 IoCs)
  description                   ioc                               process
  File created                  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6    omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5dc708aa69cee869ebaf67ff489d1780N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description         pid   process                                 target pid  target process
  wrote to memory of  2164  5dc708aa69cee869ebaf67ff489d1780N.exe   2432        omsecor.exe
  wrote to memory of  2164  5dc708aa69cee869ebaf67ff489d1780N.exe   2432        omsecor.exe
  wrote to memory of  2164  5dc708aa69cee869ebaf67ff489d1780N.exe   2432        omsecor.exe
  wrote to memory of  2164  5dc708aa69cee869ebaf67ff489d1780N.exe   2432        omsecor.exe
  wrote to memory of  2432  omsecor.exe                             2224        omsecor.exe
  wrote to memory of  2432  omsecor.exe                             2224        omsecor.exe
  wrote to memory of  2432  omsecor.exe                             2224        omsecor.exe
  wrote to memory of  2432  omsecor.exe                             2224        omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe (PID 2164)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2432, child of 2164)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2224, child of 2432)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery

The third process is started with the command line C:\Windows\System32\omsecor.exe but its image runs from C:\Windows\SysWOW64\omsecor.exe. The sample is 32-bit (the resource tags include arch:x86) running on a 64-bit image, so WOW64 file system redirection maps its System32 reference to SysWOW64. A detection or cleanup rule that looks only for the System32 path will not find the file that is actually on disk.
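The Signatures and Processes sections above describe one chain: the sample writes omsecor.exe to AppData\Roaming, spawns it and writes into its memory; that copy writes a second omsecor.exe to SysWOW64, spawns it and writes into its memory; all three processes open the NLS\Language key. The Python below is an added example, not sandbox output or code from the report, showing how to correlate such events into that chain. The event schema (kind, pid, ppid, image, path, target, key), the function names and the verdict fields are this example's own conventions, and the file_create event for the Roaming copy by PID 2164 is assumed (the report shows that copy only through the UPX YARA match and the "Executes dropped EXE" signature).

```python
"""Correlate sandbox-style events into the drop -> execute -> inject chain this report records.

Added example for this page; not code from the report or from any sandbox product.
Event records are constructed from the IoCs on the page; field and function names
are this example's own conventions, not a sandbox API.
"""
from __future__ import annotations

from typing import Iterable
from urllib.parse import urlparse

# Indicators copied from the report.
NECONYD_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"
ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64_COPY = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed event log modelled on the report's IoC rows. The file_create of the
# Roaming copy by PID 2164 is an assumption (the report implies it but lists no row).
EVENTS = [
    {"kind": "process_start", "pid": 2164, "ppid": None, "image": SAMPLE},
    {"kind": "reg_open", "pid": 2164, "key": LANG_KEY},
    {"kind": "file_create", "pid": 2164, "path": ROAMING_COPY},  # assumed
    {"kind": "write_process_memory", "pid": 2164, "target": 2432},
    {"kind": "process_start", "pid": 2432, "ppid": 2164, "image": ROAMING_COPY},
    {"kind": "reg_open", "pid": 2432, "key": LANG_KEY},
    {"kind": "file_create", "pid": 2432, "path": WOW64_COPY},
    {"kind": "file_modify", "pid": 2432, "path": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"kind": "write_process_memory", "pid": 2432, "target": 2224},
    {"kind": "process_start", "pid": 2224, "ppid": 2432, "image": WOW64_COPY},
    {"kind": "reg_open", "pid": 2224, "key": LANG_KEY},
]


def location_class(path: str) -> str:
    """Bucket a Windows path into the locations this sample writes to."""
    p = path.lower()
    if "\\appdata\\roaming\\" in p:
        return "appdata_roaming"
    if p.startswith("c:\\windows\\syswow64\\"):
        return "syswow64"
    if p.startswith("c:\\windows\\system32\\"):
        return "system32"
    return "other"


def drop_and_execute_chains(events: Iterable[dict]) -> list[dict]:
    """Return (parent, child) pairs where the parent created the child's image file,
    spawned it, and also wrote into its memory (PIDs 2164->2432 and 2432->2224 here)."""
    events = list(events)
    created_by: dict[str, int] = {}          # normalized path -> creating pid
    wrote_to: set[tuple[int, int]] = set()   # (writer pid, target pid)
    for e in events:
        if e["kind"] == "file_create":
            created_by[e["path"].lower()] = e["pid"]
        elif e["kind"] == "write_process_memory":
            wrote_to.add((e["pid"], e["target"]))
    chains = []
    for e in events:
        if e["kind"] != "process_start" or e["ppid"] is None:
            continue
        if created_by.get(e["image"].lower()) != e["ppid"]:
            continue  # child image was not written by its own parent
        chains.append({
            "parent": e["ppid"],
            "child": e["pid"],
            "image": e["image"],
            "location": location_class(e["image"]),
            "injected": (e["ppid"], e["pid"]) in wrote_to,
        })
    return chains


def language_discovery_pids(events: Iterable[dict]) -> set[int]:
    """PIDs that opened the NLS\\Language key (the System Language Discovery signature)."""
    return {e["pid"] for e in events
            if e["kind"] == "reg_open" and e["key"].lower() == LANG_KEY.lower()}


def is_neconyd_c2(url: str) -> bool:
    """True when the URL's host is one of the hosts extracted from the sample's config."""
    host = (urlparse(url).hostname or "").lower()
    return host in NECONYD_HOSTS


def verdict(events: Iterable[dict]) -> dict:
    """Combine the drop chain, system-directory write and language lookup into one summary."""
    events = list(events)
    chains = drop_and_execute_chains(events)
    lang = language_discovery_pids(events)
    return {
        "chains": chains,
        "reached_system_dir": any(c["location"] in ("syswow64", "system32") for c in chains),
        "language_discovery": sorted(lang),
        "suspicious": bool(chains) and bool(lang),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(verdict(EVENTS), indent=2))
```

Paths are compared case-insensitively because Windows file names are, and location_class keeps SysWOW64 and System32 as separate buckets so a rule can match the redirected path the report shows rather than the path in the command line.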
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 248KB
- MD5: 69831108eb6b444b612974498367891a
- SHA1: 241538951c7d8a3f395beb07cf3592e3166fffad
- SHA256: a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7
- SHA512: d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc

File 2
- Filesize: 248KB
- MD5: 9884a1654900cbe5238d434659da9409
- SHA1: d8059bfdcef1f1d9adb2bb1cdf8a51127a1caa3d
- SHA256: 69d97defdfa517351a3dafcf3c10698cee6651bd0c60b2db332b2c0cb27a2e11
- SHA512: 37e0e95822790e01edda30410555f6767acccf27892601338d3402fb28f83103287f09a7d546d688788cef6ef45ccadd2863566ddae5608bcd21d34139b821ba

Both files are the same size as the submitted sample (248KB) but neither shares its hashes, and the two files differ from each other. A block list keyed on the submitted sample's MD5 or SHA256 therefore will not match the files it drops; match on the paths and behaviour in the Signatures section instead, or on all three hash sets.