Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 20:53
Behavioral task: behavioral1
Sample: 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
Resource: win7-20240729-en
General
Target: 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
Size: 80KB
MD5: 4dd4614d24ae8659e86123eb5976b937
SHA1: 69b1ac1481239e46f594d152b16cb20765d8f4a7
SHA256: 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78
SHA512: db6bb177edd1fac147ec82592a28c928518dca330115b6a30df3a542a25938bb97cbf03cf5f9b787f20a09758a5bc04eac790edf0ac62b447a9e1b06c8f6a22c
SSDEEP: 768:KfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:KfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2564  omsecor.exe
  2204  omsecor.exe
  2816  omsecor.exe
Loads dropped DLL 6 IoCs
Processes:
  pid   process
  2112  4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
  2112  4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
  2564  omsecor.exe
  2564  omsecor.exe
  2204  omsecor.exe
  2204  omsecor.exe
Drops file in System32 directory 1 IoCs
Processes:
  description   ioc                                  process
  File created  C:\Windows\SysWOW64\omsecor.exe      omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                              process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                      pid   process                                                                  target process
  PID 2112 wrote to memory of 2564  2112  4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe   omsecor.exe
  PID 2112 wrote to memory of 2564  2112  4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe   omsecor.exe
  PID 2112 wrote to memory of 2564  2112  4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe   omsecor.exe
  PID 2112 wrote to memory of 2564  2112  4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe   omsecor.exe
  PID 2564 wrote to memory of 2204  2564  omsecor.exe                                                              omsecor.exe
  PID 2564 wrote to memory of 2204  2564  omsecor.exe                                                              omsecor.exe
  PID 2564 wrote to memory of 2204  2564  omsecor.exe                                                              omsecor.exe
  PID 2564 wrote to memory of 2204  2564  omsecor.exe                                                              omsecor.exe
  PID 2204 wrote to memory of 2816  2204  omsecor.exe                                                              omsecor.exe
  PID 2204 wrote to memory of 2816  2204  omsecor.exe                                                              omsecor.exe
  PID 2204 wrote to memory of 2816  2204  omsecor.exe                                                              omsecor.exe
  PID 2204 wrote to memory of 2816  2204  omsecor.exe                                                              omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"
  PID: 2112
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2564
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2204
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2816
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads