Analysis

Max time kernel: 117s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 19-08-2024 08:15

Static task: static1
Behavioral task: behavioral1
  Sample: c043a6848651cac877da7111b7598ca0N.exe
  Resource: win7-20240704-en

General

Target: c043a6848651cac877da7111b7598ca0N.exe
Size: 96KB
MD5: c043a6848651cac877da7111b7598ca0
SHA1: 0a876e46734253b0968efef4d2144a8646055141
SHA256: 114c7ca3fd3612e92a0dc50585557558e5f9fec2431c69fcc4201233e9e06b5d
SHA512: 2c526c124449a14bb82fdfba004f63813e9f002fb550136f62d39ceb6bd63d879c55fe6a8af36b6586d3536d2db25def9885325de815074e85e6239f0d04fd20
SSDEEP: 1536:cnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:cGs8cd8eXlYairZYqMddH13L
Malware Config

Extracted
  Family: neconyd
  C2:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures
-
Executes dropped EXE  6 IoCs
  PID   Process
  2100  omsecor.exe
  2172  omsecor.exe
  2908  omsecor.exe
  496   omsecor.exe
  2276  omsecor.exe
  2200  omsecor.exe
Loads dropped DLL  7 IoCs
  (one row per load event, so a PID repeats when it loaded more than once)
  PID   Process
  2360  c043a6848651cac877da7111b7598ca0N.exe
  2360  c043a6848651cac877da7111b7598ca0N.exe
  2100  omsecor.exe
  2172  omsecor.exe
  2172  omsecor.exe
  496   omsecor.exe
  496   omsecor.exe
Drops file in System32 directory  1 IoCs
  Description   IoC                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
Suspicious use of SetThreadContext  4 IoCs
  PID   Action                  Target PID  Process                                 Target process
  2112  set thread context of   2360        c043a6848651cac877da7111b7598ca0N.exe   c043a6848651cac877da7111b7598ca0N.exe
  2100  set thread context of   2172        omsecor.exe                             omsecor.exe
  2908  set thread context of   496         omsecor.exe                             omsecor.exe
  2276  set thread context of   2200        omsecor.exe                             omsecor.exe
System Location Discovery: System Language Discovery  1 TTPs  8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that this NLS key is also read by plenty of legitimate software for locale lookups, so on its own it is a weak indicator; it matters here because every stage of the chain performs it.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   c043a6848651cac877da7111b7598ca0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   c043a6848651cac877da7111b7598ca0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory  36 IoCs
  (the report lists one row per call; collapsed here to one row per writer/target pair with the call count)
  Writer PID  Target PID  Calls  Writer process                          Target process
  2112        2360        6      c043a6848651cac877da7111b7598ca0N.exe   c043a6848651cac877da7111b7598ca0N.exe
  2360        2100        4      c043a6848651cac877da7111b7598ca0N.exe   omsecor.exe
  2100        2172        6      omsecor.exe                             omsecor.exe
  2172        2908        4      omsecor.exe                             omsecor.exe
  2908        496         6      omsecor.exe                             omsecor.exe
  496         2276        4      omsecor.exe                             omsecor.exe
  2276        2200        6      omsecor.exe                             omsecor.exe

The four six-write pairs are exactly the four SetThreadContext pairs above, and in each of them parent and child run the same image: spawn a copy of yourself, write into it, redirect its thread. That is the RunPE / process-hollowing sequence; the four-write pairs are the plain hand-off from a hollowed instance to the next dropped copy, with no thread redirection.
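The two signature tables above contain enough to reconstruct the whole injection chain mechanically. The following is an added example written by the editor, not code from the sandbox or the report: it feeds the report's own SetThreadContext and WriteProcessMemory rows (constructed here in the sandbox's row format, with the same call counts) through a small parser, counts writes per writer/target pair, flags the hollowing triple (same image, writes, SetThreadContext) and walks the write edges from the root writer to order the stages. All function and constant names are this example's own.

```python
"""Rebuild the injection chain from the two signature tables above.

Added example: this is the editor's code, not part of the sandbox report.
The input is constructed from the report's own SetThreadContext and
WriteProcessMemory rows; function and constant names are this example's own.
"""
import re
from collections import Counter

SAMPLE = "c043a6848651cac877da7111b7598ca0N.exe"
DROPPER = "omsecor.exe"


def _rows(verb, src, dst, src_img, dst_img, n=1):
    """One sandbox-style row per call: PID <src> <verb> <dst> <src> <src image> <target image>."""
    return [f"PID {src} {verb} {dst} {src} {src_img} {dst_img}"] * n


# Constructed from the report: 4 SetThreadContext rows, then 36 WriteProcessMemory
# rows (6+4+6+4+6+4+6) in the order the report lists them.
LOG_LINES = (
    _rows("set thread context of", 2112, 2360, SAMPLE, SAMPLE)
    + _rows("set thread context of", 2100, 2172, DROPPER, DROPPER)
    + _rows("set thread context of", 2908, 496, DROPPER, DROPPER)
    + _rows("set thread context of", 2276, 2200, DROPPER, DROPPER)
    + _rows("wrote to memory of", 2112, 2360, SAMPLE, SAMPLE, 6)
    + _rows("wrote to memory of", 2360, 2100, SAMPLE, DROPPER, 4)
    + _rows("wrote to memory of", 2100, 2172, DROPPER, DROPPER, 6)
    + _rows("wrote to memory of", 2172, 2908, DROPPER, DROPPER, 4)
    + _rows("wrote to memory of", 2908, 496, DROPPER, DROPPER, 6)
    + _rows("wrote to memory of", 496, 2276, DROPPER, DROPPER, 4)
    + _rows("wrote to memory of", 2276, 2200, DROPPER, DROPPER, 6)
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Return (verb, src_pid, dst_pid, src_image, dst_image) tuples; skip other rows."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["verb"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def write_counts(events):
    """WriteProcessMemory calls per (writer, target) pair."""
    return Counter((s, d) for v, s, d, _, _ in events if v == "wrote to memory of")


def hollowing_candidates(events):
    """Flag the RunPE / process-hollowing triple: a parent spawns its *own* image,
    writes into that child, then calls SetThreadContext on it. Returns
    (src, dst, image, write_count) per flagged SetThreadContext row."""
    writes = write_counts(events)
    flagged = []
    for v, s, d, src_img, dst_img in events:
        if v == "set thread context of" and src_img == dst_img and writes[(s, d)]:
            flagged.append((s, d, src_img, writes[(s, d)]))
    return flagged


def injection_chain(events):
    """Walk the write edges from the root writer (the only PID nobody wrote into).
    Returns [(pid, image, role)] with role 'root', 'hollowed' (a SetThreadContext
    target) or 'spawned' (written into, but its thread was never redirected)."""
    writes = write_counts(events)
    images = {}
    for _, s, d, src_img, dst_img in events:
        images[s], images[d] = src_img, dst_img
    hollowed = {d for v, _, d, _, _ in events if v == "set thread context of"}
    targets = {d for _, d in writes}
    roots = sorted({s for s, _ in writes if s not in targets})
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid not in seen:
        seen.add(pid)
        role = "root" if pid == roots[0] else ("hollowed" if pid in hollowed else "spawned")
        chain.append((pid, images[pid], role))
        children = [d for s, d in writes if s == pid]
        if not children:
            break
        pid = children[0]  # every stage in this report writes into exactly one child
    return chain


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for s, d, img, n in hollowing_candidates(evs):
        print(f"hollowing: {s} -> {d} ({img}, {n} writes)")
    for pid, img, role in injection_chain(evs):
        print(f"{role:8} {pid:>5} {img}")
```

Run stand-alone it prints the four hollowing pairs and the eight-stage chain 2112 → 2360 → 2100 → 2172 → 2908 → 496 → 2276 → 2200, alternating root/spawned and hollowed. The same-image test is what separates hollowing from an ordinary parent writing into a child it spawned; a real parent-child pair of the same image that is also a SetThreadContext target is rare enough outside debuggers to be worth an alert.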
Processes

Each entry is the sole child of the one before it (the report nests them eight levels deep).

1. C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe"
   PID: 2112
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe  (parent PID 2112)
   Command line: C:\Users\Admin\AppData\Local\Temp\c043a6848651cac877da7111b7598ca0N.exe
   PID: 2360
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

3. C:\Users\Admin\AppData\Roaming\omsecor.exe  (parent PID 2360)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2100
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

4. C:\Users\Admin\AppData\Roaming\omsecor.exe  (parent PID 2100)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2172
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\omsecor.exe  (parent PID 2172)
   Command line: C:\Windows\System32\omsecor.exe
   PID: 2908
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   The command line names System32 while the image path is SysWOW64: the 32-bit parent's System32 reference is redirected by WoW64 file system redirection, which is also why the "Drops file in System32 directory" IoC above records the file under C:\Windows\SysWOW64. When hunting for this artefact on a 64-bit host, check SysWOW64, not System32.

6. C:\Windows\SysWOW64\omsecor.exe  (parent PID 2908)
   Command line: C:\Windows\SysWOW64\omsecor.exe
   PID: 496
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

7. C:\Users\Admin\AppData\Roaming\omsecor.exe  (parent PID 496)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2276
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

8. C:\Users\Admin\AppData\Roaming\omsecor.exe  (parent PID 2276)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2200
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery

Read top to bottom: the submitted sample hollows a copy of itself (2112 → 2360), the hollowed copy drops and runs %APPDATA%\omsecor.exe (2100), which hollows a second instance (2172); that instance drops omsecor.exe into SysWOW64 and runs it (2908), the SysWOW64 copy hollows another instance (496), which re-launches the %APPDATA% copy (2276) for one final hollowing (2200). Two on-disk locations (%APPDATA%\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe) and one process-pair pattern (omsecor.exe spawning and writing into omsecor.exe) cover every stage.
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)

All three are 96KB, the same size as the submitted sample, yet none of their hashes matches the sample's (MD5 c043a6848651cac877da7111b7598ca0), so a block list keyed on the original sample's hash alone would not match what was written to disk. Match on the paths and the process pattern above instead, and use these hashes for the on-disk copies.

File 1
  Filesize: 96KB
  MD5: d1e9384d8e1f5c8012a8890c54c0f96a
  SHA1: 09ec21291fdc3b80fc53e8147ca243082c86b67f
  SHA256: d3675b6326f4a3956acc4bb1aa152f74ccbceed6a4e581fae435e2cb6fdb7175
  SHA512: 57ec0547d76fb63a1325f5a6ff8930d364520f518c06c10e681bd3db1c3d59e5683a368a762ba731a0a2d805aa0170ed5789de20e75fcbc10bab86bf62ed026d

File 2
  Filesize: 96KB
  MD5: cdac8d4fc89178d707bb21a22b15220d
  SHA1: e2c566106ad8a407713d74b95e6417dde920466a
  SHA256: ad5cea1cad0a4ed8b3636a103ef742d6c373b75e3ae4816f312cd6afd285d3dc
  SHA512: f2566f95b8ae95fcd2a2679cae39039913a2e5f9115e80180095261791f6041de250c3fd6c3b3e0175fae95d27d3ae56af471aff3444065a71063321559a3547

File 3
  Filesize: 96KB
  MD5: d8260e02686fe2cf715baa5bae545f3a
  SHA1: 52f5d3e67aca8792cd5561f809be3d8c183ac70c
  SHA256: 5e35e37ff7a45c6138b35e843128a40b45ffd70772367d80106215fc5d1da789
  SHA512: 9116108ac7d16ec683ae960d988d17b0ce976479997e7778f5c2dfc9f787b32ff6092d853748c3ce1b76b6f8239dd4571e748a2ecfd686ef11e088b2e9b23ce7