Analysis
max time kernel: 115s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 12:31
Behavioral task
behavioral1
Sample
9ef5e0aff3983414d5fc6ee69674a8a0N.exe
Resource
win7-20240704-en
General
Target: 9ef5e0aff3983414d5fc6ee69674a8a0N.exe
Size: 35KB
MD5: 9ef5e0aff3983414d5fc6ee69674a8a0
SHA1: 37b0a2d701473457f5ab1e207169eb520b119060
SHA256: 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
SHA512: c5ed45285648f7124fd32957610570874c3c8e6f48c4854cc7a61e7abb72dda4c191c0d5480bed0eb63da88932fde10d39b511dd779e1e857302623853f6c468
SSDEEP: 768:Z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:08Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid    process
2296   omsecor.exe
1224   omsecor.exe
1496   omsecor.exe
Loads dropped DLL 6 IoCs
Processes:
pid    process
1668   9ef5e0aff3983414d5fc6ee69674a8a0N.exe
1668   9ef5e0aff3983414d5fc6ee69674a8a0N.exe
2296   omsecor.exe
2296   omsecor.exe
1224   omsecor.exe
1224   omsecor.exe
Processes:
resource                                                                      yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x000000000042D000-memory.dmp    upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                    upx
behavioral1/memory/1668-11-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/1668-8-0x0000000000220000-0x000000000024D000-memory.dmp    upx
behavioral1/memory/2296-13-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/2296-16-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/2296-19-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/2296-22-0x0000000000400000-0x000000000042D000-memory.dmp   upx
\Windows\SysWOW64\omsecor.exe                                                 upx
behavioral1/memory/2296-32-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/2296-31-0x0000000002790000-0x00000000027BD000-memory.dmp   upx
\Users\Admin\AppData\Roaming\omsecor.exe                                      upx
behavioral1/memory/1224-39-0x00000000002B0000-0x00000000002DD000-memory.dmp   upx
behavioral1/memory/1224-45-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/1496-48-0x0000000000400000-0x000000000042D000-memory.dmp   upx
Drops file in System32 directory 1 IoCs
Processes:
description    ioc                               process
File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).
Processes:
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   9ef5e0aff3983414d5fc6ee69674a8a0N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid    process                                  target process
PID 1668 wrote to memory of 2296   1668   9ef5e0aff3983414d5fc6ee69674a8a0N.exe    omsecor.exe   (reported 4 times)
PID 2296 wrote to memory of 1224   2296   omsecor.exe                              omsecor.exe   (reported 4 times)
PID 1224 wrote to memory of 1496   1224   omsecor.exe                              omsecor.exe   (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"
  PID: 1668
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2296
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      (The command line names System32 but the image runs from SysWOW64: this is a 32-bit process on an x64 guest, so WoW64 file system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64, which is also why the "Drops file in System32 directory" IoC above records the SysWOW64 path.)
      PID: 1224
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1496
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
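The process tree and signatures above can be turned into host-based detection logic. The following is an added example and not part of the sandbox report or the neconyd sample: it replays the reported behaviours (a binary executed from the Roaming profile, a copy dropped into SysWOW64, the same binary relaunched Roaming -> SysWOW64 -> Roaming, the NLS\Language registry read, and the extracted C2 hosts) as rules over a constructed, Sysmon-like event list. The event schema, the `detect` function, the parent PID 1000, the benign svchost.exe noise and the C2 request (the report's own Network section recorded no traffic) are assumptions; paths, PIDs, hashes and hostnames are copied from the report.

```python
"""Added detection example (not part of the sandbox report or the neconyd
sample): replays the behaviours the report lists as simple rules over a
constructed, Sysmon-like event list.  The event schema, field names and the
benign svchost.exe noise are assumptions; paths, PIDs, hashes and C2 hosts
are copied from the report."""
import re
from urllib.parse import urlparse

# IoCs from the report's General, Downloads and Malware Config sections.
NECONYD_C2 = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
KNOWN_SHA256 = {
    "6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180",  # submitted sample
    "dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc",  # 35KB download
    "072604ec35625142fc1044a11cf68a0615b0c9b4f3ad19ab66475aa9c1f42f27",  # 35KB download
    "d465db466806e9cb1ff1e6879482b29af4741bf514701f35e636a9afe10857aa",  # 35KB download
}

ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(syswow64|system32)\\", re.I)
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (findings, suspicious_pids).  findings are (rule, pid, detail)
    tuples; a process becomes suspicious on a strong signal or by descent
    from a suspicious parent, so the whole omsecor.exe chain is scored as one
    incident and the weak language-key signal is only reported inside it."""
    findings, image, suspicious = [], {}, set()
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            image[pid] = ev["image"]
            if ev.get("sha256") in KNOWN_SHA256:
                findings.append(("known_hash", pid, ev["sha256"]))
                suspicious.add(pid)
            if ROAMING.search(ev["image"]):
                findings.append(("exec_from_roaming", pid, ev["image"]))
                suspicious.add(pid)
            parent_img = image.get(ev["ppid"], "")
            # Same binary name relaunched Roaming -> SysWOW64 or back: the
            # report's 2296 -> 1224 -> 1496 chain.
            if parent_img and basename(parent_img) == basename(ev["image"]) and (
                (ROAMING.search(parent_img) and SYSTEM_DIR.search(ev["image"]))
                or (SYSTEM_DIR.search(parent_img) and ROAMING.search(ev["image"]))
            ):
                findings.append(("self_relaunch_across_dirs", pid, ev["image"]))
                suspicious.add(pid)
            if ev["ppid"] in suspicious:
                suspicious.add(pid)
        elif kind == "file_create":
            # "Drops file in System32 directory" by a binary running from Roaming.
            if SYSTEM_DIR.search(ev["target"]) and ROAMING.search(image.get(pid, "")):
                findings.append(("roaming_drops_into_system_dir", pid, ev["target"]))
                suspicious.add(pid)
        elif kind == "registry_open":
            # Many legitimate programs read the system language (T1614.001 on
            # its own is noise), so only report it for an already-suspicious pid.
            if NLS_LANGUAGE.search(ev["key"]) and pid in suspicious:
                findings.append(("language_probe", pid, ev["key"]))
        elif kind == "network":
            host = (urlparse(ev["url"]).hostname or "").lower()
            if host in NECONYD_C2:
                findings.append(("neconyd_c2", pid, host))
                suspicious.add(pid)
    return findings, suspicious


# Constructed events mirroring the report's process tree and signatures.  The
# C2 request is constructed to exercise the rule; the report's own Network
# section recorded no traffic.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW = r"C:\Windows\SysWOW64\omsecor.exe"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
EVENTS = [
    {"type": "process_create", "pid": 1668, "ppid": 1000, "image": SAMPLE,
     "sha256": "6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180"},
    {"type": "registry_open", "pid": 1668, "key": NLS},
    {"type": "process_create", "pid": 2296, "ppid": 1668, "image": ROAM},
    {"type": "registry_open", "pid": 2296, "key": NLS},
    {"type": "file_create", "pid": 2296, "target": WOW},
    {"type": "process_create", "pid": 1224, "ppid": 2296, "image": WOW},
    {"type": "registry_open", "pid": 1224, "key": NLS},
    {"type": "process_create", "pid": 1496, "ppid": 1224, "image": ROAM},
    {"type": "registry_open", "pid": 1496, "key": NLS},
    {"type": "network", "pid": 1496, "url": "http://ow5dirasuek.com/"},
    # Benign noise: a system process reading the same language key.
    {"type": "process_create", "pid": 500, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "registry_open", "pid": 500, "key": NLS},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS)[0]:
        print(f"{rule:30} pid={pid:<5} {detail}")
```

Run against the constructed events, the chain 1668 -> 2296 -> 1224 -> 1496 is flagged as one suspicious group while the svchost.exe language read is ignored. The matching is on image path, parent relationship and hostname rather than on the file hashes alone: the three 35KB downloads in this report already carry three different hashes, so hash-only blocking would miss the next variant, whereas the Roaming/SysWOW64 relaunch pattern and the dropped-file-then-execute sequence are the stable parts of the behaviour.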
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 35KB
  MD5: a2b4a322bc57c590c56a4cd09ed4c4b4
  SHA1: af712caf7817eca258eac0742d8d19786f0d7a04
  SHA256: dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc
  SHA512: 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd
- Filesize: 35KB
  MD5: 6aaac85118419c336e917702517f0ce1
  SHA1: b255835b05a874de37ad191d6c58cf942c652194
  SHA256: 072604ec35625142fc1044a11cf68a0615b0c9b4f3ad19ab66475aa9c1f42f27
  SHA512: 0beef2523d7fa1d74639fc26a10e8873f24b0ed40121702ad7adb6eb6d2dbbf41df329ba8239b61c82901fb01a8e56353e7bb8bba57ac86d1977e5d901f26172
- Filesize: 35KB
  MD5: 2d4005ae8a6f116161a2c1e0bd3b77e9
  SHA1: 6b7879433a22b6cf6b3fa4ad9a5083a92cf38129
  SHA256: d465db466806e9cb1ff1e6879482b29af4741bf514701f35e636a9afe10857aa
  SHA512: d32983bc8a17e1c27e054a6f2020b08d8dcdb151130ea271b55ae8c27fb777302238eef2025e2f1f55979758a8cf26166e1bd844cc6544b88c48c5c8763cb993