Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
19-08-2024 10:24
Behavioral task
behavioral1
Sample
8eece6f5324bf1526d6e0881d638f170N.exe
Resource
win7-20240729-en
General
-
Target
8eece6f5324bf1526d6e0881d638f170N.exe
-
Size
248KB
-
MD5
8eece6f5324bf1526d6e0881d638f170
-
SHA1
d930a6fc12953b01a2afa7e9ed5c435d94f43c3b
-
SHA256
07f5cca07cc63a5f18e9d6851d88902c49aa4447873e183482e8d399e405f172
-
SHA512
70541a2ae65c5e34322ea2dee7c58465e46881a6f9b2c45bad7e989451de8f08d662365897db05d73272f5b73adfb07fd75ab7a0d25b0653a1c3411303e7b6fd
-
SSDEEP
1536:44d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:4IdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2084 omsecor.exe
- 2000 omsecor.exe
- 2860 omsecor.exe
-
Loads dropped DLL 6 IoCs
Processes (pid, process; each listed twice in the report, one entry per loaded DLL):
- 2848 8eece6f5324bf1526d6e0881d638f170N.exe (2 IoCs)
- 2084 omsecor.exe (2 IoCs)
- 2000 omsecor.exe (2 IoCs)
-
Processes (resource, yara_rule):
- behavioral1/memory/2848-0-0x0000000000400000-0x000000000043E000-memory.dmp upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe upx
- behavioral1/memory/2084-10-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral1/memory/2848-8-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral1/memory/2084-12-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral1/memory/2084-17-0x0000000000340000-0x000000000037E000-memory.dmp upx
- \Windows\SysWOW64\omsecor.exe upx
- behavioral1/memory/2000-25-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral1/memory/2084-23-0x0000000000400000-0x000000000043E000-memory.dmp upx
- \Users\Admin\AppData\Roaming\omsecor.exe upx
- behavioral1/memory/2000-30-0x00000000001B0000-0x00000000001EE000-memory.dmp upx
- behavioral1/memory/2860-37-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral1/memory/2000-36-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral1/memory/2860-39-0x0000000000400000-0x000000000043E000-memory.dmp upx
-
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8eece6f5324bf1526d6e0881d638f170N.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process; each write is reported once per call):
- PID 2848 wrote to memory of 2084: 8eece6f5324bf1526d6e0881d638f170N.exe -> omsecor.exe (4 calls)
- PID 2084 wrote to memory of 2000: omsecor.exe -> omsecor.exe (4 calls)
- PID 2000 wrote to memory of 2860: omsecor.exe -> omsecor.exe (4 calls)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2848
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2084
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         (The command line names System32, but the sample is 32-bit (tag arch:x86) on an x64 host, so WOW64 file system redirection maps that path to SysWOW64; this is the same location the "Drops file in System32 directory" signature reports for the created file.)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2000
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2860
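The process tree and the WriteProcessMemory entries above describe one chain: the sample starts a copy of itself as omsecor.exe from %AppData%\Roaming, that copy drops and starts omsecor.exe in SysWOW64, and the SysWOW64 copy starts the Roaming copy again. The script below is an added example, not part of the sandbox's own tooling: it parses the WriteProcessMemory lines as the report prints them, collapses the repeated per-call entries into one edge each, rebuilds the parent/child chain, and flags every hop where the same file name is launched from a different trust zone (user-writable directory versus Windows system directory). The event lines and image paths are copied from this report; the directory classification (USER_WRITABLE, SYSTEM_DIRS) is an assumption made for the example.

```python
"""Rebuild the process chain from the report's "Suspicious use of
WriteProcessMemory" entries and flag the drop-and-relaunch hops
(user-writable dir -> SysWOW64 -> user-writable dir) seen in this run.

Added example for this report, not the sandbox's own code. Event lines and
image paths are copied from the report; the directory classification below
is an assumption for the example."""
import re
from collections import defaultdict

# Copied from the report's WriteProcessMemory block (one line per call).
WRITE_EVENTS = """\
PID 2848 wrote to memory of 2084 2848 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 2848 wrote to memory of 2084 2848 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 2848 wrote to memory of 2084 2848 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 2848 wrote to memory of 2084 2848 8eece6f5324bf1526d6e0881d638f170N.exe omsecor.exe
PID 2084 wrote to memory of 2000 2084 omsecor.exe omsecor.exe
PID 2084 wrote to memory of 2000 2084 omsecor.exe omsecor.exe
PID 2084 wrote to memory of 2000 2084 omsecor.exe omsecor.exe
PID 2084 wrote to memory of 2000 2084 omsecor.exe omsecor.exe
PID 2000 wrote to memory of 2860 2000 omsecor.exe omsecor.exe
PID 2000 wrote to memory of 2860 2000 omsecor.exe omsecor.exe
PID 2000 wrote to memory of 2860 2000 omsecor.exe omsecor.exe
PID 2000 wrote to memory of 2860 2000 omsecor.exe omsecor.exe
"""

# Copied from the report's process tree: pid -> image path on disk.
IMAGE_PATHS = {
    2848: r"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe",
    2084: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    2000: r"C:\Windows\SysWOW64\omsecor.exe",
    2860: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_write_events(text):
    """Return ({parent_pid: [child_pid, ...]}, {(parent, child): call_count}),
    collapsing the repeated per-call lines into one edge each."""
    children = defaultdict(list)
    writes = defaultdict(int)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return children, dict(writes)


def process_chain(children, root):
    """Follow the first child of each process from root. The visited set
    stops a malformed log with a pid cycle from looping forever."""
    chain, seen, cur = [root], {root}, root
    while children.get(cur):
        cur = children[cur][0]
        if cur in seen:
            break
        chain.append(cur)
        seen.add(cur)
    return chain


# Assumed classification for the example; adjust to the environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
SYSTEM_DIRS = ("\\windows\\syswow64\\", "\\windows\\system32\\")


def location(path):
    """Classify an image path as 'system', 'user' (user-writable) or 'other'."""
    p = path.lower()
    if any(d in p for d in SYSTEM_DIRS):
        return "system"
    if any(d in p for d in USER_WRITABLE):
        return "user"
    return "other"


def find_relaunch_hops(chain, image_paths):
    """Flag parent/child pairs that run the same file name from different
    trust zones: the copy-to-system-dir-and-relaunch pattern in this report."""
    hops = []
    for parent, child in zip(chain, chain[1:]):
        p_img, c_img = image_paths[parent], image_paths[child]
        same_name = p_img.rsplit("\\", 1)[-1].lower() == c_img.rsplit("\\", 1)[-1].lower()
        if same_name and location(p_img) != location(c_img):
            hops.append((parent, child, location(p_img), location(c_img)))
    return hops


if __name__ == "__main__":
    children, writes = parse_write_events(WRITE_EVENTS)
    chain = process_chain(children, 2848)
    print(" -> ".join(f"{pid} {IMAGE_PATHS[pid]}" for pid in chain))
    for parent, child, src_zone, dst_zone in find_relaunch_hops(chain, IMAGE_PATHS):
        print(f"relaunch hop {parent}->{child}: {src_zone} -> {dst_zone} "
              f"({writes[(parent, child)]} WriteProcessMemory calls)")
```

Run against the report's data it yields the chain 2848 -> 2084 -> 2000 -> 2860 and two flagged hops, 2084 -> 2000 (user to system) and 2000 -> 2860 (system to user). The first hop (the sample starting omsecor.exe from Roaming) is not flagged because the file names differ; that step is covered by the "Executes dropped EXE" signature rather than by this zone check.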
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
248KB
MD5 f7f9a1f2f66382acc65a061290ba5f04
SHA1 6ac4dbed0e0489e9838f1cb8acec1d505e25de2d
SHA256 f9d5e0817196061b67cc568d4792a55c5e8bf22b54e28f526efb9e062dfb8511
SHA512 452dd256ef4439af62687ccfec1100d87c316ed2fa676be3d323c160bd0a6a4e6eacfe9c86560858453fe356f6fb804f9e03b9e090ce3f1518d603e9352fb0fa
-
Filesize
248KB
MD5 fe272471d77337aa368c3dd332719aa3
SHA1 73edc07e632735a07496781930a3f1d23fc35af1
SHA256 9d45051d123e2b379fc373f038029f18c6fcea29f9976118413a189b4455fbc9
SHA512 cc18dc52df2d8dfc918f9456f5c335d9b571b105411b9def87be63697d979c1c9d530eb16848285acec67b5f6e19f6875f101c2f4628a387ea3b7677141ffb5e
-
Filesize
248KB
MD5 01a653e7f9aa8bfc811e1f4ff84af51f
SHA1 639cba6d629cd95ab70f7064e79df8f41b20f793
SHA256 529d89df0c8ea72d5e9e904362d7a0dc691273e76efff5b2b8f06717a3ba3745
SHA512 7c840d11232dead28bf2de8498d527e36261f3260f7cbea562482fb7789dacb6965652bca4294b3178ef3129844a34f6a240bc35563ef114347f047f557e12da