Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 18:16
Behavioral task: behavioral1
Sample: 027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
Resource: win7-20240729-en
General
Target: 027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
Size: 61KB
MD5: cafacaafe8816f3b680c1679f1a953aa
SHA1: 39cb8f8477fa82e4892177512919fc19d12f6dcf
SHA256: 027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0
SHA512: f7d389641dd626df546ce2962090598be7849fe3c28c8522d2c133231c11a2bbd18b1fc674892066672e001ea9fb745e7301232ca8ef0d6cea89671fe71345b6
SSDEEP: 768:8MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:8bIvYvZEyFKF6N4yS+AQmZIl/5
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1728  omsecor.exe
  1900  omsecor.exe
  2148  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  408   027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
  408   027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
  1728  omsecor.exe
  1728  omsecor.exe
  1900  omsecor.exe
  1900  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 408 wrote to memory of 1728    408   027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe   omsecor.exe
  PID 408 wrote to memory of 1728    408   027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe   omsecor.exe
  PID 408 wrote to memory of 1728    408   027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe   omsecor.exe
  PID 408 wrote to memory of 1728    408   027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe   omsecor.exe
  PID 1728 wrote to memory of 1900   1728  omsecor.exe                                                              omsecor.exe
  PID 1728 wrote to memory of 1900   1728  omsecor.exe                                                              omsecor.exe
  PID 1728 wrote to memory of 1900   1728  omsecor.exe                                                              omsecor.exe
  PID 1728 wrote to memory of 1900   1728  omsecor.exe                                                              omsecor.exe
  PID 1900 wrote to memory of 2148   1900  omsecor.exe                                                              omsecor.exe
  PID 1900 wrote to memory of 2148   1900  omsecor.exe                                                              omsecor.exe
  PID 1900 wrote to memory of 2148   1900  omsecor.exe                                                              omsecor.exe
  PID 1900 wrote to memory of 2148   1900  omsecor.exe                                                              omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\027b355ff9b7a02c415e2fd6ef55a2c07ba97fb543e9848b44fbf5dff8b5dfc0.exe"
   PID: 408
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1728
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 1900
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2148
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
  Filesize: 61KB
  MD5: 2ccdfbde0854295311e04da7faae2278
  SHA1: 798bdc2f05da5807900a4517559aa3cbf5ef47c4
  SHA256: 7b7ad20320a4a09461541d1d666a67e5c20f7c083e53f86ca6b9fac7d5bcdd72
  SHA512: 43a9fd37c376f5d21490e2ba29dffc43296e940857e6cac629ecf971bb8a429c87d944b372dedc8f9e9c320aa23da831d7f12378e3cc6eef510eaf65cfa6a7fc

Dropped file 2
  Filesize: 61KB
  MD5: 630e76076618ed6d53016a3d4d1bba9e
  SHA1: b7fc3d244f094ed28df1377a31dc2bfd61549b3c
  SHA256: debfd4c8fab8a4ea2e5b70b992d7d647e0b20abf8b1f57b183baddb99e1dc544
  SHA512: 8d0c4ad528fe6077625470606df3a7793a9bece7df0d2c1e032805c9e2a2b20ba62663c4cf91a6f84191816322a2e508b157eb4be295b23ed1798363b0801100

Dropped file 3
  Filesize: 61KB
  MD5: 92b4e7b917ea9e714c4375d35179501d
  SHA1: df4a2685da4e3bf2936472f649909febdd042238
  SHA256: bd6c19f5ff52ddba237c164e678c25c33cc2c8d3339c89fcfd2aa5e5c7bfe796
  SHA512: 0529932980a4ba9b087e97ff700567e0614da905d341b25d91f4396e2442a81f715d76dde78af63d5c9882c81f27300637bfbab0822428fced86d906b1466ff1