Analysis
-
max time kernel
115s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted
18-08-2024 17:01
Behavioral task
behavioral1
Sample
75693cfba81fb00326ba9e4d1ade79e0N.exe
Resource
win7-20240704-en
General
-
Target
75693cfba81fb00326ba9e4d1ade79e0N.exe
-
Size
35KB
-
MD5
75693cfba81fb00326ba9e4d1ade79e0
-
SHA1
eebc6f1aa980f6dfbbe70eb73dd78d320cc1ff8e
-
SHA256
47564772d274b0a650c18597b11ab9af811917ff3af9b86f3f640a9634cfa824
-
SHA512
3283c6271e4cf53697630dc64ef7df4f3bd21e6b9cf728376a67deedf42d93f7444622ca3a616e209f73ee4122fb5322fd6b31046e296f92dec03525cdf80a5c
-
SSDEEP
768:e6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:l8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2404  omsecor.exe
2068  omsecor.exe
1732  omsecor.exe
Loads dropped DLL 6 IoCs
Processes:
pid   process
1656  75693cfba81fb00326ba9e4d1ade79e0N.exe
1656  75693cfba81fb00326ba9e4d1ade79e0N.exe
2404  omsecor.exe
2404  omsecor.exe
2068  omsecor.exe
2068  omsecor.exe
Processes:
resource                                                                   yara_rule
behavioral1/memory/1656-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/1656-10-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/2404-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
behavioral1/memory/1656-8-0x0000000000220000-0x000000000024D000-memory.dmp   upx
behavioral1/memory/2404-15-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/2404-18-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/2404-21-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/2404-24-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/2404-33-0x0000000000400000-0x000000000042D000-memory.dmp  upx
C:\Windows\SysWOW64\omsecor.exe                                              upx
behavioral1/memory/2068-37-0x0000000000400000-0x000000000042D000-memory.dmp  upx
\Users\Admin\AppData\Roaming\omsecor.exe                                     upx
behavioral1/memory/2068-40-0x0000000000220000-0x000000000024D000-memory.dmp  upx
behavioral1/memory/1732-48-0x0000000000400000-0x000000000042D000-memory.dmp  upx
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                         process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  75693cfba81fb00326ba9e4d1ade79e0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process                                target process
PID 1656 wrote to memory of 2404  1656  75693cfba81fb00326ba9e4d1ade79e0N.exe  omsecor.exe
PID 1656 wrote to memory of 2404  1656  75693cfba81fb00326ba9e4d1ade79e0N.exe  omsecor.exe
PID 1656 wrote to memory of 2404  1656  75693cfba81fb00326ba9e4d1ade79e0N.exe  omsecor.exe
PID 1656 wrote to memory of 2404  1656  75693cfba81fb00326ba9e4d1ade79e0N.exe  omsecor.exe
PID 2404 wrote to memory of 2068  2404  omsecor.exe                            omsecor.exe
PID 2404 wrote to memory of 2068  2404  omsecor.exe                            omsecor.exe
PID 2404 wrote to memory of 2068  2404  omsecor.exe                            omsecor.exe
PID 2404 wrote to memory of 2068  2404  omsecor.exe                            omsecor.exe
PID 2068 wrote to memory of 1732  2068  omsecor.exe                            omsecor.exe
PID 2068 wrote to memory of 1732  2068  omsecor.exe                            omsecor.exe
PID 2068 wrote to memory of 1732  2068  omsecor.exe                            omsecor.exe
PID 2068 wrote to memory of 1732  2068  omsecor.exe                            omsecor.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\75693cfba81fb00326ba9e4d1ade79e0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\75693cfba81fb00326ba9e4d1ade79e0N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:1656
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2404
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID:2068
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID:1732
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
35KB
MD5     d8b05a2fc34178500f212de7ccc7c5c4
SHA1    c4fc00c3c988580818ea4293cf70c26ff23c0315
SHA256  bfe92586e89954ef6284bbad83c593be48f954b2bd63578efdb3f85401986f2e
SHA512  d5bd59dd562c5fa862237b132cf78e0b40ce45513489065f1fe9b6738959cb0bfb168bcf0699075cfa4822b080a697915c05a13f1f88b01bd6d3a79a42e2124a
-
Filesize
35KB
MD5     38d2a6c0a3facffb0591e2a899406dd5
SHA1    2c66febd631542ab17057a34f6ac0efedf977a70
SHA256  6b3704eb6920807522c313bd4ae8d20f91fa4b4ffec64fc577e84089bb98b801
SHA512  79e5d487130bfa8be108de407cda5c763c28dd48ea1169d1f3f1887ef50b098a13dcaa393d385cda6df1794d92e131ecbd628cccc5933f21da39ea12455da9c1
-
Filesize
35KB
MD5     795fe64e3cc08f5a80f127e4b33caf87
SHA1    3c07b8c369ccff29bc8a6e6fa92d250c6128f574
SHA256  b2fb19f5fa609829d6e21fa32970e9e2f2b3d72637b67b649e4a1ff36c7685f2
SHA512  bd1faa5a1d3cf90df383e807ca56f9cc50030216df99d9ca04d9c044fbfd696e2b94ae6e069f655ffaa39796e52a2748696f3dfa2ccfb0bf2f5a91bfba6635f5