Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19-08-2024 06:35
Behavioral task: behavioral1
- Sample: 56273b3463f33f24297a72d47b2cd370N.exe
- Resource: win7-20240704-en
General
- Target: 56273b3463f33f24297a72d47b2cd370N.exe
- Size: 35KB
- MD5: 56273b3463f33f24297a72d47b2cd370
- SHA1: 86bfd5cd55fd3ab790e5f24f11f380288b7294d2
- SHA256: 7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5
- SHA512: 14ea8a4ab0c68ade1ee31fdf354288d3a533e12d8e2366a341de6d7e0d863589a54fc6b8c4180a293c3d977cae433e2b3835bb8f3c270e9d09e703772fe96348
- SSDEEP: 768:A6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:X8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- PID 1936 omsecor.exe
- PID 3036 omsecor.exe
- PID 2976 omsecor.exe
Loads dropped DLL (6 IoCs)
Processes:
- PID 2520 56273b3463f33f24297a72d47b2cd370N.exe (2 IoCs)
- PID 1936 omsecor.exe (2 IoCs)
- PID 3036 omsecor.exe (2 IoCs)
Yara rule matched: upx
Resources:
- behavioral1/memory/2520-0-0x0000000000400000-0x000000000042D000-memory.dmp
- C:\Users\Admin\AppData\Roaming\omsecor.exe
- behavioral1/memory/1936-13-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/2520-12-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1936-15-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1936-18-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1936-21-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1936-24-0x0000000000400000-0x000000000042D000-memory.dmp
- \Windows\SysWOW64\omsecor.exe
- behavioral1/memory/1936-33-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/3036-36-0x0000000000400000-0x000000000042D000-memory.dmp
- \Users\Admin\AppData\Roaming\omsecor.exe
- behavioral1/memory/3036-41-0x00000000001B0000-0x00000000001DD000-memory.dmp
- behavioral1/memory/2976-50-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/3036-47-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/2976-52-0x0000000000400000-0x000000000042D000-memory.dmp
Drops file in System32 directory (1 IoC)
Processes:
- File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 56273b3463f33f24297a72d47b2cd370N.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each entry recorded four times by the sandbox):
- PID 2520 (56273b3463f33f24297a72d47b2cd370N.exe) wrote to memory of PID 1936 (omsecor.exe)
- PID 1936 (omsecor.exe) wrote to memory of PID 3036 (omsecor.exe)
- PID 3036 (omsecor.exe) wrote to memory of PID 2976 (omsecor.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe (PID 2520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1936)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 3036)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2976)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads