Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 19-08-2024 00:10
Behavioral task: behavioral1
- Sample: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
- Resource: win7-20240729-en
General
- Target: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
- Size: 92KB
- MD5: 6b9f893b651a4c9f9bce4860abcf5210
- SHA1: 2b40dee78eb457c2a6481d6eec8cfa621a7a2135
- SHA256: a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f
- SHA512: d96a0b5d8f9afb0c5af8b49fad2c97ce2f53f2f328d72932622e866a70b7b6f6af748978875c78689f5da1cdc1cc4b013884ec8a8765f2364d3c3ac4448c8247
- SSDEEP: 1536:zd9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIO/EZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2456  omsecor.exe
  2968  omsecor.exe
  2004  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  1368  a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
  1368  a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
  2456  omsecor.exe
  2456  omsecor.exe
  2968  omsecor.exe
  2968  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                          pid   process                                                                   target process
  PID 1368 wrote to memory of 2456     1368  a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe   omsecor.exe
  PID 1368 wrote to memory of 2456     1368  a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe   omsecor.exe
  PID 1368 wrote to memory of 2456     1368  a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe   omsecor.exe
  PID 1368 wrote to memory of 2456     1368  a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe   omsecor.exe
  PID 2456 wrote to memory of 2968     2456  omsecor.exe                                                               omsecor.exe
  PID 2456 wrote to memory of 2968     2456  omsecor.exe                                                               omsecor.exe
  PID 2456 wrote to memory of 2968     2456  omsecor.exe                                                               omsecor.exe
  PID 2456 wrote to memory of 2968     2456  omsecor.exe                                                               omsecor.exe
  PID 2968 wrote to memory of 2004     2968  omsecor.exe                                                               omsecor.exe
  PID 2968 wrote to memory of 2004     2968  omsecor.exe                                                               omsecor.exe
  PID 2968 wrote to memory of 2004     2968  omsecor.exe                                                               omsecor.exe
  PID 2968 wrote to memory of 2004     2968  omsecor.exe                                                               omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe"
   PID: 1368
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2456
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2968
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2004
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 92KB
- MD5: fff7a8898ed69d53a1069422e07a8cf5
- SHA1: 173e886d68080a89b678d83fc81dae27bf4eec2e
- SHA256: a34a8cb30dc6de3e649ca267af3ab484cf9dc417b71e037a27b88466a3d25c87
- SHA512: 3cdcbbaa41b5e52de0c442bc933457d09285d55feb77878f3a5aaad69c1df94d79b9bdebe3ae6e78a15fca90c7337cdc0995bdd23abed3a65c47599e92ac8579

File 2
- Filesize: 92KB
- MD5: 5db3783567b304a426d3c053c2b8e7a6
- SHA1: ffb31258a1e1334b23b1fa2950bd0c25610e5141
- SHA256: 76038503913d9aa94a4e24c6c330673e478b4f16969e8c2b73d4f210a4251610
- SHA512: d3417faddc2f2a0023615c34b4ebaea2ccfef582779eaa43b5ba7a58dfb1dbdbca24e26ae1288060cb79fd9aaaf75d877fdc5c26b6c4a500d8a4f407d5653b67

File 3
- Filesize: 92KB
- MD5: 0499f646604daf8cd8e9302731544c04
- SHA1: f262296a474890c1d246f92f8cd905b12df5c691
- SHA256: 02da21bf563dd5fe7b762bf867d93425f2f690ab5026dbb6e0528a45dcadae00
- SHA512: 676c1fb02034a510aa65921792a21d1099276194adf4287acfc338584c84a577684cf16ee9155d4b2c1d9d3133f5fdd6dc3444d32308ea05d069ee06a18aa014