Analysis
max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
18-08-2024 12:10
Behavioral task
behavioral1
Sample
b2efebdd3fa287b4b4af62798c8871d0N.exe
Resource
win7-20240708-en
General
Target
b2efebdd3fa287b4b4af62798c8871d0N.exe
Size
80KB
MD5
b2efebdd3fa287b4b4af62798c8871d0
SHA1
6be1af423364596d6c7ad5380a3469b4f35388c9
SHA256
39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
SHA512
27fddec4f6eb2f1dbbc47fdedd96a26ee11e3ff5884931c05ddc2f6754989ad19ed0267c4192c01b64303346d9296c08adbda0d7b6bf0d7218313d713cfdd7bd
SSDEEP
768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:cfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 3 IoCs
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid   process
3024  omsecor.exe
1548  omsecor.exe
1076  omsecor.exe
Loads dropped DLL 6 IoCs
Processes: b2efebdd3fa287b4b4af62798c8871d0N.exe, omsecor.exe, omsecor.exe
pid   process
2956  b2efebdd3fa287b4b4af62798c8871d0N.exe
2956  b2efebdd3fa287b4b4af62798c8871d0N.exe
3024  omsecor.exe
3024  omsecor.exe
1548  omsecor.exe
1548  omsecor.exe
Drops file in System32 directory 1 IoCs
Processes: omsecor.exe
description   ioc                               process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: omsecor.exe, omsecor.exe, omsecor.exe, b2efebdd3fa287b4b4af62798c8871d0N.exe
description  ioc                                                             process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    b2efebdd3fa287b4b4af62798c8871d0N.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: b2efebdd3fa287b4b4af62798c8871d0N.exe, omsecor.exe, omsecor.exe
description                        pid   process                                 target process
PID 2956 wrote to memory of 3024   2956  b2efebdd3fa287b4b4af62798c8871d0N.exe   omsecor.exe
PID 2956 wrote to memory of 3024   2956  b2efebdd3fa287b4b4af62798c8871d0N.exe   omsecor.exe
PID 2956 wrote to memory of 3024   2956  b2efebdd3fa287b4b4af62798c8871d0N.exe   omsecor.exe
PID 2956 wrote to memory of 3024   2956  b2efebdd3fa287b4b4af62798c8871d0N.exe   omsecor.exe
PID 3024 wrote to memory of 1548   3024  omsecor.exe                             omsecor.exe
PID 3024 wrote to memory of 1548   3024  omsecor.exe                             omsecor.exe
PID 3024 wrote to memory of 1548   3024  omsecor.exe                             omsecor.exe
PID 3024 wrote to memory of 1548   3024  omsecor.exe                             omsecor.exe
PID 1548 wrote to memory of 1076   1548  omsecor.exe                             omsecor.exe
PID 1548 wrote to memory of 1076   1548  omsecor.exe                             omsecor.exe
PID 1548 wrote to memory of 1076   1548  omsecor.exe                             omsecor.exe
PID 1548 wrote to memory of 1076   1548  omsecor.exe                             omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe
   "C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2956
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3024
      3. C:\Windows\SysWOW64\omsecor.exe
         C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1548
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1076
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
80KB
MD5
73cf383a4b12cce57cb925cf0aeb13d9
SHA1
9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256
a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512
5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

Filesize
80KB
MD5
20d9206acb8bdb73c5d438d82ea95d79
SHA1
e22a0f2096419760d1419db15f0288010e3b6783
SHA256
e30d36f0fb5b88096847bbf8b49db861b76555e9151f793b21596bf29f977414
SHA512
1f628c24b561832763a87fe52b7cce11dc753a1f4c1f37fe5184be1762859d64d2fab041ff700ebfc88ed509b03694c0cef038bada630676dd1b98c3d2f2a905

Filesize
80KB
MD5
2bd71f2d530e51a7f5dc229bdf3cfbac
SHA1
d55c0e311dce9fa27c2a95bff4ed571a8f63fccc
SHA256
73f7b9d624ec7ac3292ff9a18ccf59c6a27ba2c803b57180eff0ec81989c4461
SHA512
bc2fc956a0c0c2db14ec6d91a19d1451bee13b97cee485cbd53a51f887ccbe709d82ef7dbc3b880bdd7048ed748d3de2b79782a5131c59325e9ba6182dd81446