Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 13:53
Behavioral task: behavioral1
Sample: 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Resource: win7-20240729-en
General
Target: 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Size: 248KB
MD5: 2610bcf86b11c2f8aea5d2d8a0b9a5e0
SHA1: 49e7a04c63486faa128ce9f521cccd657292f24b
SHA256: 3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5
SHA512: 08af2402e91ea77fc3b0f7d23d44bc6cd695a3a0c48e7222c278e59e9d7e8cbcb84edbebfdca1e1111c48a32c4d0bbe5c3347c1d51828dac7228cc819d502cb0
SSDEEP: 1536:j4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:jIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid   process
2540  omsecor.exe
2652  omsecor.exe
2532  omsecor.exe
Loads dropped DLL (6 IoCs)
Processes:
pid   process
2180  2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
2180  2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
2540  omsecor.exe
2540  omsecor.exe
2652  omsecor.exe
2652  omsecor.exe
Processes:
resource                                                                     yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x000000000043E000-memory.dmp   upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral1/memory/2180-10-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2180-5-0x0000000000230000-0x000000000026E000-memory.dmp   upx
behavioral1/memory/2540-13-0x0000000000400000-0x000000000043E000-memory.dmp  upx
\Windows\SysWOW64\omsecor.exe                                                upx
behavioral1/memory/2540-18-0x0000000000280000-0x00000000002BE000-memory.dmp  upx
behavioral1/memory/2540-24-0x0000000000400000-0x000000000043E000-memory.dmp  upx
\Users\Admin\AppData\Roaming\omsecor.exe                                     upx
behavioral1/memory/2652-30-0x0000000000220000-0x000000000025E000-memory.dmp  upx
behavioral1/memory/2652-36-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2532-39-0x0000000000400000-0x000000000043E000-memory.dmp  upx
Drops file in System32 directory (1 IoCs)
Processes:
description   ioc                               process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                       pid   process                                 target process
PID 2180 wrote to memory of 2540  2180  2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe   omsecor.exe   (4 identical entries)
PID 2540 wrote to memory of 2652  2540  omsecor.exe                             omsecor.exe   (4 identical entries)
PID 2652 wrote to memory of 2532  2652  omsecor.exe                             omsecor.exe   (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2180
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2540
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2652
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2532
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 248KB
MD5: 01507f9c34d2bcb425195c22b6709616
SHA1: 79e5a722456fb50da995b42d6a7a92f681b8bbe1
SHA256: be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370
SHA512: 9dd74aa2b561249219c9c9f84f9aaef233ee847d718dc97174fc5ff9ad5012cf2c061750a489670bb30de38706803e0f3fdcdb2bedcb98ec5d588b6101498cdd

Filesize: 248KB
MD5: fd414f9bfa30ff075d420b951e769aa9
SHA1: 61e3f7ebfac06b51ccdb7293ee73a64591375199
SHA256: 9e2ad5ee5014a34333a60d28ca69ab3ec78e89499e6a39494542c65adaa91934
SHA512: 20fddf2effc6a9b37a77b8185aed94989e3869f21260165aaa027f694b126047704cf06db1738f6eeb8485f3f0b5a46ed8a93c01d25575c77e16bc32652a333e

Filesize: 248KB
MD5: b3c5a5ec068b86768c5e7e6065e84067
SHA1: 78b6058021333064e9f5779644e634c716f160a5
SHA256: 8e799452a393cb492a1f595f6b6f6e21141a059db9a437a574726c6a6917eb5d
SHA512: 4526cee620ebb52c5e32bdf32711a0d1d59b644e730f9c81f8ca85e4a82e6e1ca38f036a62955c2b4bc07729e540ca7cdc568866661077a80b1bfe9ecb39bd23