Analysis
Max time kernel: 146s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 19-08-2024 02:17
Behavioral task: behavioral1
Sample: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
Resource: win7-20240704-en
General
Target: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
Size: 71KB
MD5: 0ce26c0d33ed0cfda9209db722889845
SHA1: 52cfa7af81c0b3743f90cc06e9acd9c7d7ed1ed9
SHA256: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd
SHA512: 875dd901f18a2e48368d67b360b42c94c9db651c91c777abcb850861bffdd1f24674308f8433dcd4619cccae5e09b39e9fe69402a93c3aed93de2c4c64af5a8b
SSDEEP: 1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:adseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- PID 2972: omsecor.exe
- PID 2512: omsecor.exe
- PID 2360: omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
- PID 2388: dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe (2 events)
- PID 2972: omsecor.exe (2 events)
- PID 2512: omsecor.exe (2 events)

Drops file in System32 directory (1 IoC)
- File created: C:\Windows\SysWOW64\omsecor.exe, by process omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID wrote to memory of target PID; each pair observed 4 times):
- PID 2388 (dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe) wrote to memory of PID 2972 (omsecor.exe)
- PID 2972 (omsecor.exe) wrote to memory of PID 2512 (omsecor.exe)
- PID 2512 (omsecor.exe) wrote to memory of PID 2360 (omsecor.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"
   PID: 2388
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2972
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2512
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2360
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network: no entries recorded in this section
TTP mapping: MITRE ATT&CK Enterprise v15