Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-08-2024 21:26

Behavioral task: behavioral1
- Sample: 08f7af31a6ca42eded90eab08318e890N.exe
- Resource: win7-20240704-en
General
- Target: 08f7af31a6ca42eded90eab08318e890N.exe
- Size: 248KB
- MD5: 08f7af31a6ca42eded90eab08318e890
- SHA1: 233a5e1e7df87a281ee98bfdca8f90f449e71eff
- SHA256: 0b617e1490512f32019e189fab1218f24ff7a80f966a7b74e2cb5c947bb62cec
- SHA512: f04bb77f86d733005cad0310c7962d5093a06aa6072d3197331ee71489ba384b5cc9f8159d91951f736ec0f1aecdc537806c6b3684c3eacf450a6a7bb8b12f94
- SSDEEP: 1536:04d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:0IdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
- Family: neconyd
- URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2956  omsecor.exe
  2776  omsecor.exe
  1444  omsecor.exe
Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2192  08f7af31a6ca42eded90eab08318e890N.exe
  2192  08f7af31a6ca42eded90eab08318e890N.exe
  2956  omsecor.exe
  2956  omsecor.exe
  2776  omsecor.exe
  2776  omsecor.exe
YARA rule matches (rule: upx)
Processes:
  resource                                                          yara_rule
  behavioral1/memory/2192-0-0x0000000000400000-0x000000000043E000-memory.dmp    upx
  \Users\Admin\AppData\Roaming\omsecor.exe                          upx
  behavioral1/memory/2956-12-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral1/memory/2192-9-0x0000000000400000-0x000000000043E000-memory.dmp    upx
  behavioral1/memory/2192-4-0x0000000000220000-0x000000000025E000-memory.dmp    upx
  behavioral1/memory/2956-13-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  \Windows\SysWOW64\omsecor.exe                                     upx
  behavioral1/memory/2956-19-0x00000000002A0000-0x00000000002DE000-memory.dmp   upx
  behavioral1/memory/2956-24-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  \Users\Admin\AppData\Roaming\omsecor.exe                          upx
  behavioral1/memory/2776-34-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral1/memory/1444-36-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral1/memory/1444-39-0x0000000000400000-0x000000000043E000-memory.dmp   upx
The same 0x3E000-byte image range (0x400000-0x43E000) matches in the original process and in every omsecor.exe process, and both on-disk copies of omsecor.exe match too, so the dropped files are UPX-packed like the parent.
Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs; MITRE ATT&CK T1614.001)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a weak signal, since many legitimate localized programs read the same key; it is worth noting here only because every process in the chain does it.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  08f7af31a6ca42eded90eab08318e890N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description       pid   process                                target pid  target process  count
  wrote to memory   2192  08f7af31a6ca42eded90eab08318e890N.exe  2956        omsecor.exe     4
  wrote to memory   2956  omsecor.exe                            2776        omsecor.exe     4
  wrote to memory   2776  omsecor.exe                            1444        omsecor.exe     4
Each parent writes into the child it has just created; the twelve IoCs are the three parent-to-child pairs above, each recorded four times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe (PID 2192)
   command line: "C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2956)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2776)
         command line: C:\Windows\System32\omsecor.exe
         (the command line names System32, but the image actually runs from SysWOW64: the sample is 32-bit on an x64 host, so WOW64 file system redirection maps System32 to SysWOW64 for it)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1444)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
- Filesize: 248KB
- MD5: 2ce6b264eec58ad040f9e544298cf1d3
- SHA1: b245acfc3858242b4a0f27a0da969cb77d42b1ec
- SHA256: 10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082
- SHA512: eb1b94fe24d834c323bebd9723e0e2884cb1d72ca8744d433b355f1eccce2144c5dd84897f99932ea6427dd14d08607c5cc4110aa7bf3f12b9806eca89b10a52

Dropped file 2
- Filesize: 248KB
- MD5: 8da42f22b567b9dfc42ffbe527ad0cea
- SHA1: cfa6a70ac55f14ba710fbaab7fb1b5801dba259f
- SHA256: 2e6c3c59066818c82bed1d5f0bfd7e65c6fe34be9a4858c558e8e9ffc38d294a
- SHA512: d446db2a8a085092be3be501c8a6abd37b3ee13c2ddd9cfbe19895d554d3d15df7391e14ae2c967dc14d87709e75105135c21bf84cd930f3cfb731913eb701ee

Dropped file 3
- Filesize: 248KB
- MD5: de151d2fb3a5b32472bd9ddc784dd5a1
- SHA1: bed906fdf3c900b9600eedf5d4d15680f12ad86e
- SHA256: d966b851b5eead6b75482cf02460d71c79e5f5d6e6046e01e4028179a8af0814
- SHA512: 62c67fda8250d001dea5d6b08d6170048f87681faf926518e7ecee352c3a7b1bda9288f9f3d1a07b88283f2d427d928df9f6f97b48ae984f3657245f66afa7c9

All three dropped files are 248KB, the same size as the submitted sample, yet none of the four hashes agree, so each copy of omsecor.exe written to disk differs from the one before it. Hash-based blocking of the submitted sample will not catch the dropped copies; the stable indicators in this report are the omsecor.exe drop paths, the Roaming -> SysWOW64 -> Roaming respawn chain, and the extracted URLs.
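The process tree and the signatures above (execution of omsecor.exe from %AppData%\Roaming and SysWOW64, a non-system process writing into SysWOW64, the three-deep respawn chain, and the NLS\Language read) can be turned into a host-hunting check that does not depend on the file hashes, which differ for every dropped copy. The Python below is an added example written for this page, not sandbox output or tooling from the report: it runs constructed Sysmon-style event records (a hypothetical simplified schema with pid, parent_pid, image, target, key and sha256 fields) through the indicators listed above and scores each process. The event records, the field names and the benign example.exe process are constructed for illustration; the hashes, paths and registry key are the ones in the report.

```python
"""Hunt for the omsecor.exe behaviour described in this sandbox report.

Added example, not part of the report. Event records are constructed to mirror
the report's process tree; the field layout is a hypothetical simplification of
Sysmon process-create / file-create / registry events.
"""
import re

# SHA256 values taken from the report: submitted sample plus three dropped files.
KNOWN_SHA256 = {
    "0b617e1490512f32019e189fab1218f24ff7a80f966a7b74e2cb5c947bb62cec",  # submitted sample
    "10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082",  # dropped file 1
    "2e6c3c59066818c82bed1d5f0bfd7e65c6fe34be9a4858c558e8e9ffc38d294a",  # dropped file 2
    "d966b851b5eead6b75482cf02460d71c79e5f5d6e6046e01e4028179a8af0814",  # dropped file 3
}

# Drop locations from the report; the user profile name is generalised to a wildcard.
DROP_PATH_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I),
    re.compile(r"^c:\\windows\\syswow64\\omsecor\.exe$", re.I),
]
SYSTEM_DIR = re.compile(r"^c:\\windows\\", re.I)
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


def is_drop_path(path):
    return any(p.match(path) for p in DROP_PATH_PATTERNS)


def hunt(events):
    """Return {pid: [reasons]} for processes matching the report's indicators.

    Hash match, execution from a drop path, writing omsecor.exe to a drop path,
    a non-system process writing under C:\\Windows, and the three-deep drop-path
    respawn chain each raise a finding on their own. The NLS\\Language read is
    recorded only for a pid that already has a finding, because almost every
    localized program reads that key.
    """
    procs, findings, nls_readers = {}, {}, set()

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                flag(ev["pid"], "sha256 matches a hash from the report")
            if is_drop_path(ev["image"]):
                flag(ev["pid"], "executed from an omsecor.exe drop path")
        elif ev["type"] == "file_create":
            if is_drop_path(ev["target"]):
                flag(ev["pid"], "created omsecor.exe at " + ev["target"])
            if SYSTEM_DIR.match(ev["target"]) and not SYSTEM_DIR.match(ev["image"]):
                flag(ev["pid"], "non-system process wrote " + ev["target"])
        elif ev["type"] == "registry_open":
            if ev["key"].lower() == NLS_LANGUAGE_KEY.lower():
                nls_readers.add(ev["pid"])

    # Respawn chain: this process, its parent and its grandparent all run from
    # drop paths (Roaming -> SysWOW64 -> Roaming in the report).
    for pid, ev in procs.items():
        chain, cur = [], ev
        while cur is not None and is_drop_path(cur["image"]) and len(chain) < 10:
            chain.append(cur["pid"])
            cur = procs.get(cur.get("parent_pid"))
        if len(chain) >= 3:
            flag(pid, "omsecor.exe respawn chain: " + " <- ".join(map(str, chain)))

    for pid in nls_readers:
        if pid in findings:
            flag(pid, "opened NLS\\Language (system language discovery, supporting only)")
    return findings


# Constructed events mirroring the report's process tree, plus one benign
# process that also reads the language key. Not real sandbox output.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2192, "parent_pid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe",
     "sha256": "0b617e1490512f32019e189fab1218f24ff7a80f966a7b74e2cb5c947bb62cec"},
    {"type": "file_create", "pid": 2192,
     "image": r"C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "process_create", "pid": 2956, "parent_pid": 2192,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082"},
    {"type": "file_create", "pid": 2956, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "registry_open", "pid": 2956, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "key": NLS_LANGUAGE_KEY},
    {"type": "process_create", "pid": 2776, "parent_pid": 2956,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "2e6c3c59066818c82bed1d5f0bfd7e65c6fe34be9a4858c558e8e9ffc38d294a"},
    {"type": "process_create", "pid": 1444, "parent_pid": 2776,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "d966b851b5eead6b75482cf02460d71c79e5f5d6e6046e01e4028179a8af0814"},
    {"type": "process_create", "pid": 3000, "parent_pid": 1000,
     "image": r"C:\Program Files\Example\example.exe", "sha256": "00" * 32},
    {"type": "registry_open", "pid": 3000, "image": r"C:\Program Files\Example\example.exe",
     "key": NLS_LANGUAGE_KEY},
]

if __name__ == "__main__":
    for pid, reasons in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, "\n  " + "\n  ".join(reasons))
```

Only PID 1444 trips the chain rule, because it is the first process whose parent and grandparent are both omsecor.exe instances started from drop paths; the benign example.exe reads NLS\Language but gets no finding at all, which is the point of treating that signature as supporting evidence rather than an alert on its own.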