Analysis

max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 18-08-2024 11:29
Behavioral task: behavioral1
Sample: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
Resource: win7-20240704-en
General

Target: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
Size: 248KB
MD5: 5dc708aa69cee869ebaf67ff489d1780
SHA1: e4804f8293be1d18b2943664aa01c70235fb2e06
SHA256: 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370
SHA512: d9e4cbbc51812dcb695d450930b76f727f4c45cb0d80b1563ad48c5beb40586c4f1f608d2b561f598b777106cf1e472b3826d1a6750faf1dd3f3908321dd00dd
SSDEEP: 1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:kIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2600  omsecor.exe
  2784  omsecor.exe
  980   omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2192  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
  2192  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
  2600  omsecor.exe
  2600  omsecor.exe
  2784  omsecor.exe
  2784  omsecor.exe
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2192-1-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                    upx
  behavioral1/memory/2600-9-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral1/memory/2600-11-0x0000000000400000-0x000000000043E000-memory.dmp upx
  \Windows\SysWOW64\omsecor.exe                                               upx
  behavioral1/memory/2600-17-0x0000000000480000-0x00000000004BE000-memory.dmp upx
  behavioral1/memory/2784-24-0x0000000000400000-0x000000000043E000-memory.dmp upx
  behavioral1/memory/2600-25-0x0000000000400000-0x000000000043E000-memory.dmp upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                    upx
  behavioral1/memory/2784-34-0x0000000000400000-0x000000000043E000-memory.dmp upx
  behavioral1/memory/980-36-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral1/memory/980-38-0x0000000000400000-0x000000000043E000-memory.dmp  upx
Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 2192 wrote to memory of 2600  2192  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe  omsecor.exe
  PID 2192 wrote to memory of 2600  2192  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe  omsecor.exe
  PID 2192 wrote to memory of 2600  2192  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe  omsecor.exe
  PID 2192 wrote to memory of 2600  2192  8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe  omsecor.exe
  PID 2600 wrote to memory of 2784  2600  omsecor.exe                                                            omsecor.exe
  PID 2600 wrote to memory of 2784  2600  omsecor.exe                                                            omsecor.exe
  PID 2600 wrote to memory of 2784  2600  omsecor.exe                                                            omsecor.exe
  PID 2600 wrote to memory of 2784  2600  omsecor.exe                                                            omsecor.exe
  PID 2784 wrote to memory of 980   2784  omsecor.exe                                                            omsecor.exe
  PID 2784 wrote to memory of 980   2784  omsecor.exe                                                            omsecor.exe
  PID 2784 wrote to memory of 980   2784  omsecor.exe                                                            omsecor.exe
  PID 2784 wrote to memory of 980   2784  omsecor.exe                                                            omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2192

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2600

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2784

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 980
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 248KB
MD5: 69831108eb6b444b612974498367891a
SHA1: 241538951c7d8a3f395beb07cf3592e3166fffad
SHA256: a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7
SHA512: d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc

Filesize: 248KB
MD5: 778677b3dc5f809c1af8e1657ec7bee1
SHA1: 45abb867b862bcff995340090f0ef46702a124a0
SHA256: 20597818389aeb4c118a62c0832dcf16b0c5ee3af31860230c7990b1d258b55a
SHA512: ab2c1d60e80a150b3e6f65b924d63f15c839374fdb6bd7571e2416239a025acd842e6eaf861a090c9bca4a365a4a467c5dc981f54a95bb321e60c15c205fa151

Filesize: 248KB
MD5: 78ac544f20ec35f7841027cfce795ec4
SHA1: e8b23db010b3705d99cbcfbf3537fa76dbfe755f
SHA256: 3abebd47b92b7a636605ae8c1d97fff8575429bcfdde21d65b653c1ea8842ef5
SHA512: c7d3c3c7bb8d4add1782c5d167b82af27af1ba59c1e6603e75496536ab085ac0d7004468132e2111c54230e024bb6f9b67f9f38e8a2b694b5fede6dff7186536