Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 14:57
Behavioral task: behavioral1
Sample: 75e4864ae7901aef12051eef9c215110N.exe
Resource: win7-20240708-en
General

Target: 75e4864ae7901aef12051eef9c215110N.exe
Size: 35KB
MD5: 75e4864ae7901aef12051eef9c215110
SHA1: 49be1c214e11af091e3a01d41c873609bfb3e5d0
SHA256: 97b5ab3137ee3b3bf7b8c840ec89487951e4ebb86454a7aabd0605f301e322d1
SHA512: 3544c94d593d61b7f87b4abde5f3cbadc54bf27a68acb88e509ed2829ca1a982fbf0afd7e76a8751c972fdf7a3b9e9ce7a0387e4bc1faf9cbc4e2f262f520a29
SSDEEP: 768:+6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:F8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted (family: neconyd)
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- omsecor.exe (PID 1868)
- omsecor.exe (PID 2616)
- omsecor.exe (PID 2940)

Loads dropped DLL (6 IoCs)
Processes:
- 75e4864ae7901aef12051eef9c215110N.exe (PID 2640), 2 hits
- omsecor.exe (PID 1868), 2 hits
- omsecor.exe (PID 2616), 2 hits

Yara rule matches: upx
Resources:
- behavioral1/memory/2640-0-0x0000000000400000-0x000000000042D000-memory.dmp
- \Users\Admin\AppData\Roaming\omsecor.exe
- behavioral1/memory/1868-11-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/2640-9-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1868-13-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1868-17-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1868-20-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1868-23-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1868-26-0x0000000000370000-0x000000000039D000-memory.dmp
- \Windows\SysWOW64\omsecor.exe
- behavioral1/memory/1868-33-0x0000000000400000-0x000000000042D000-memory.dmp
- \Users\Admin\AppData\Roaming\omsecor.exe
- behavioral1/memory/2616-40-0x0000000000250000-0x000000000027D000-memory.dmp
- behavioral1/memory/2616-46-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/2940-49-0x0000000000400000-0x000000000042D000-memory.dmp

Drops file in System32 directory (1 IoC)
Processes:
- File created: C:\Windows\SysWOW64\omsecor.exe, by omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 75e4864ae7901aef12051eef9c215110N.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 2640 (75e4864ae7901aef12051eef9c215110N.exe) wrote to memory of PID 1868 (omsecor.exe), 4 times
- PID 1868 (omsecor.exe) wrote to memory of PID 2616 (omsecor.exe), 4 times
- PID 2616 (omsecor.exe) wrote to memory of PID 2940 (omsecor.exe), 4 times
Processes

- C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe (PID 2640, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1868, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2616, depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2940, depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 35KB
MD5: 37aef8f01a21c76d9e1c8e94301546e1
SHA1: 3bc87649523b566db45c70204af96c74835f5cba
SHA256: 786391c7554efc02ee5bbed85bea14f6169fa649c6caa00e1457fae4ca010e95
SHA512: 462b9c89f45e97cda7c19b329084f663740a3d8a2afd3cacf2424eaba986accc9a560ea5b5f0c1bbac1cbacbc04de5faaed3a923cb871dd8cb021a0306f73660

File 2
Filesize: 35KB
MD5: dace5c7936c67d52267a2da8a90fb18d
SHA1: c36e1ae6a38169bdbf8f34f9500cfd2ea45cf1cd
SHA256: 84313a73921ea31fd0f27f322a60e7c961a776a62c8e241a4c7b697655e3e801
SHA512: 1ce8b02454cde8dfc4abd6fe3a52367a60f6abee5cb2e6be8ece818c28a0529a83620a9209b2f415571ec75ce248be0d081555aee3b43b6579fb32f5a4523f55

File 3
Filesize: 35KB
MD5: b83a477276a2f3ef244838c4a0df25f9
SHA1: a331eecc78300bd678b9fbaa72b38d851fb7cd2a
SHA256: 7e4f4d30c979bfeca3c2713f38ea6c88fb0e7e06d68e54f939932b06faea5cea
SHA512: 864b909f875c4ec68ebb270f165dd9f084486ef10f00945aff037c495862da9ed5fe872191f3b55079232d4db6d6f9a139022e7c5829ad73297dbf155cb9ea09