Analysis
max time kernel: 116s
max time network: 117s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 01:35
Behavioral task: behavioral1
Sample: 3af4c90be05e1f0a645d05215d226870N.exe
Resource: win7-20240729-en
General
Target: 3af4c90be05e1f0a645d05215d226870N.exe
Size: 248KB
MD5: 3af4c90be05e1f0a645d05215d226870
SHA1: a634bd6711a821dc357e8a4c3c75599e6aa132d6
SHA256: 08e1f7a0db3395be8b5b2eea71f6614470012f945a7b24bb03b694808ce1b10d
SHA512: 157729c055a434afe440ace48e1bf3962a70e80458162fa1ba7d54026e701738b4d759622b6728de9f530e0b84039c54347051ee44b0e9d4c47daa73d9ab23f5
SSDEEP: 1536:M4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:MIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid   process
2348  omsecor.exe
3016  omsecor.exe
2708  omsecor.exe
Loads dropped DLL (6 IoCs)
Processes:
pid   process
2124  3af4c90be05e1f0a645d05215d226870N.exe
2124  3af4c90be05e1f0a645d05215d226870N.exe
2348  omsecor.exe
2348  omsecor.exe
3016  omsecor.exe
3016  omsecor.exe
YARA rule matches:
resource                                                           yara_rule
behavioral1/memory/2124-0-0x0000000000400000-0x000000000043E000-memory.dmp    upx
\Users\Admin\AppData\Roaming\omsecor.exe                           upx
behavioral1/memory/2348-10-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral1/memory/2124-8-0x0000000000400000-0x000000000043E000-memory.dmp    upx
behavioral1/memory/2348-12-0x0000000000400000-0x000000000043E000-memory.dmp   upx
\Windows\SysWOW64\omsecor.exe                                      upx
behavioral1/memory/2348-17-0x0000000000310000-0x000000000034E000-memory.dmp   upx
behavioral1/memory/2348-24-0x0000000000400000-0x000000000043E000-memory.dmp   upx
\Users\Admin\AppData\Roaming\omsecor.exe                           upx
behavioral1/memory/2708-35-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral1/memory/3016-33-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral1/memory/2708-37-0x0000000000400000-0x000000000043E000-memory.dmp   upx
Drops file in System32 directory (1 IoC)
Processes:
description   ioc                               process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                              process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      3af4c90be05e1f0a645d05215d226870N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                         pid   process                                  target process
PID 2124 wrote to memory of 2348    2124  3af4c90be05e1f0a645d05215d226870N.exe    omsecor.exe
PID 2124 wrote to memory of 2348    2124  3af4c90be05e1f0a645d05215d226870N.exe    omsecor.exe
PID 2124 wrote to memory of 2348    2124  3af4c90be05e1f0a645d05215d226870N.exe    omsecor.exe
PID 2124 wrote to memory of 2348    2124  3af4c90be05e1f0a645d05215d226870N.exe    omsecor.exe
PID 2348 wrote to memory of 3016    2348  omsecor.exe                              omsecor.exe
PID 2348 wrote to memory of 3016    2348  omsecor.exe                              omsecor.exe
PID 2348 wrote to memory of 3016    2348  omsecor.exe                              omsecor.exe
PID 2348 wrote to memory of 3016    2348  omsecor.exe                              omsecor.exe
PID 3016 wrote to memory of 2708    3016  omsecor.exe                              omsecor.exe
PID 3016 wrote to memory of 2708    3016  omsecor.exe                              omsecor.exe
PID 3016 wrote to memory of 2708    3016  omsecor.exe                              omsecor.exe
PID 3016 wrote to memory of 2708    3016  omsecor.exe                              omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"
   PID: 2124
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2348
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3016
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2708
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 248KB
MD5: 81e8fb10bfac735b839e186a8ed9a2fa
SHA1: 020a6c104be18704815e36a6d1b6a68136112e92
SHA256: a329994d02727bd0de8cae4533c9ea1c789ee151cc6b570dd84b0b966780a896
SHA512: 6c4f05fd26231cc3b7faf0a317da41bc03a70fe81bb51a2f1db8450399fcde6881ebb62b41e828a1b50a08d557272803a695a358ae191bdea3a29fded58e1a20

Filesize: 248KB
MD5: bc2b620cc350e37692d39056ae6e83ca
SHA1: 444be35e0f6222e53cc8b78b72537834f6ed4437
SHA256: a309a37d6ac6f197065b0f68102a413b8f97f76a3f1afaab0c2b56d016478e03
SHA512: e03f9dfeb3d419dd5cc696948456efecf141b0f078b2e5966e31acc4ae2e3e6467b39891e2226269ef2b10534f1d334bdb947c0af551b4042968c41822fa0dc8

Filesize: 248KB
MD5: c66e3dfb27367b80d4ff9e679f1e2a0f
SHA1: 72e448b83f063dfe227263889ab6da63b02d0aff
SHA256: 989bdc4c3430752b92f969997ac9d4ab3fbd0aeb98b129719e053f59bd6f0650
SHA512: 0306c5d97a8a12dfd2b15f90c830f9d9f8c64a5ba62bbf051d99e9b150cfd3f0447223b7dcf4a977be2572126a7446e0fafd170d0146f5f6b28223a0913f7cd7