Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19-08-2024 12:48
Behavioral task: behavioral1
- Sample: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
- Resource: win7-20240704-en
General
- Target: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
- Size: 248KB
- MD5: 4f8b5ded61b51de6d2d27f0e2a473a30
- SHA1: 3d58be86f9b50ae09a0a0a71521297dd241aefc6
- SHA256: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707
- SHA512: ebc97a82579408b5d44440877927033517f21d24f83d0a1147b8840585c3f43d726067d12112fab1029e8e0abc9f781748de86f1defd4f36c89865b980dccb4b
- SSDEEP: 1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1800 omsecor.exe
- 1552 omsecor.exe
- 1820 omsecor.exe
Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 2096 feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe (x2)
- 1800 omsecor.exe (x2)
- 1552 omsecor.exe (x2)
Processes (resource, yara_rule):
- behavioral1/memory/2096-0-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- \Users\Admin\AppData\Roaming\omsecor.exe: upx
- behavioral1/memory/1800-11-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- behavioral1/memory/2096-8-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- behavioral1/memory/1800-12-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- \Windows\SysWOW64\omsecor.exe: upx
- behavioral1/memory/1552-26-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- behavioral1/memory/1800-24-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- \Users\Admin\AppData\Roaming\omsecor.exe: upx
- behavioral1/memory/1552-31-0x0000000000220000-0x000000000025E000-memory.dmp: upx
- behavioral1/memory/1552-36-0x0000000000400000-0x000000000043E000-memory.dmp: upx
- behavioral1/memory/1820-39-0x0000000000400000-0x000000000043E000-memory.dmp: upx
Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
- File created: C:\Windows\SysWOW64\omsecor.exe, by omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by omsecor.exe (x3)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
- PID 2096 wrote to memory of 1800: feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe -> omsecor.exe (x4)
- PID 1800 wrote to memory of 1552: omsecor.exe -> omsecor.exe (x4)
- PID 1552 wrote to memory of 1820: omsecor.exe -> omsecor.exe (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2096
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1800
    - C:\Windows\SysWOW64\omsecor.exe (level 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1552
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (level 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1820
Network
MITRE ATT&CK Enterprise v15
Downloads