Analysis
-
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 12:11
-
Behavioral task: behavioral1
Sample: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
Resource: win7-20240705-en
General
-
Target: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
Size: 80KB
MD5: b2efebdd3fa287b4b4af62798c8871d0
SHA1: 6be1af423364596d6c7ad5380a3469b4f35388c9
SHA256: 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
SHA512: 27fddec4f6eb2f1dbbc47fdedd96a26ee11e3ff5884931c05ddc2f6754989ad19ed0267c4192c01b64303346d9296c08adbda0d7b6bf0d7218313d713cfdd7bd
SSDEEP: 768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:cfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1280  omsecor.exe
1164  omsecor.exe
1672  omsecor.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid   process
2672  39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
2672  39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
1280  omsecor.exe
1280  omsecor.exe
1164  omsecor.exe
1164  omsecor.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                              process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process                                                                target process
PID 2672 wrote to memory of 1280   2672  39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe  omsecor.exe
PID 2672 wrote to memory of 1280   2672  39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe  omsecor.exe
PID 2672 wrote to memory of 1280   2672  39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe  omsecor.exe
PID 2672 wrote to memory of 1280   2672  39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe  omsecor.exe
PID 1280 wrote to memory of 1164   1280  omsecor.exe                                                            omsecor.exe
PID 1280 wrote to memory of 1164   1280  omsecor.exe                                                            omsecor.exe
PID 1280 wrote to memory of 1164   1280  omsecor.exe                                                            omsecor.exe
PID 1280 wrote to memory of 1164   1280  omsecor.exe                                                            omsecor.exe
PID 1164 wrote to memory of 1672   1164  omsecor.exe                                                            omsecor.exe
PID 1164 wrote to memory of 1672   1164  omsecor.exe                                                            omsecor.exe
PID 1164 wrote to memory of 1672   1164  omsecor.exe                                                            omsecor.exe
PID 1164 wrote to memory of 1672   1164  omsecor.exe                                                            omsecor.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"
   PID: 2672
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1280
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1164
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1672
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 80KB
MD5: 73cf383a4b12cce57cb925cf0aeb13d9
SHA1: 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256: a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512: 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52
-
Filesize: 80KB
MD5: d2e40d53cfc4ba1e53af79357a9e2062
SHA1: 8a68c9db55ae554d7847c9c9900b2459ddbf049d
SHA256: 6ed71c0acbd23364031d370d817db92df96e19b3e3a47600a6e5fb376214d625
SHA512: 44713e3e8b45049b141515ef4a037565b39374166895444caf113adf21f5decb955808ec6d75292c02b8a7f19e58ba8a5582ae8a9a00d0f9592fc2df0f14f1c2
-
Filesize: 80KB
MD5: 7c5a620d2a6158c69a1b9ad80579af17
SHA1: 17e6c78343af5c471db0b64882f57545ffd4b7cf
SHA256: 31cae2da6106a8eb1e7ea565ac60647b7715bbdb669ad096b8a0774e7759442e
SHA512: 4c20c2c2e9a1ad083f46fdd53de645bc48bc5e195df9e926b5e75a5abe464ec306abe4071bdc648355385f855735c69f2ab178fc67c5d5ac08a2c988c0c79d41