Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 12:24
Static task: static1
Behavioral task: behavioral1
Sample: 9b4365610bf5ba273c19d4b6b59ac470N.exe
Resource: win7-20240708-en
General
Target: 9b4365610bf5ba273c19d4b6b59ac470N.exe
Size: 96KB
MD5: 9b4365610bf5ba273c19d4b6b59ac470
SHA1: fda8f31b460070e32a27d7577a6ce4f28702d7d7
SHA256: 4cb6f4971f521c34fd0b117fe667e17dd2202b4e0447df1f1c55f78b8252fc51
SHA512: 6f4f42c772360d10550195000f7578f380a3bc2d24d0d6ea892a96388a57f88a946c99860d67e1579951e1229919dfeba33eef73ccbe3f92dc115506bcfe16df
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:4Gs8cd8eXlYairZYqMddH13L
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes:
  PID   Process
  2804  omsecor.exe
  2560  omsecor.exe
  2896  omsecor.exe
  684   omsecor.exe
  2184  omsecor.exe
  2948  omsecor.exe

Loads dropped DLL (7 IoCs)
Processes:
  PID   Process
  892   9b4365610bf5ba273c19d4b6b59ac470N.exe
  892   9b4365610bf5ba273c19d4b6b59ac470N.exe
  2804  omsecor.exe
  2560  omsecor.exe
  2560  omsecor.exe
  684   omsecor.exe
  684   omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  Description                          PID   Process                                Target process
  PID 1152 set thread context of 892   1152  9b4365610bf5ba273c19d4b6b59ac470N.exe  9b4365610bf5ba273c19d4b6b59ac470N.exe
  PID 2804 set thread context of 2560  2804  omsecor.exe                            omsecor.exe
  PID 2896 set thread context of 684   2896  omsecor.exe                            omsecor.exe
  PID 2184 set thread context of 2948  2184  omsecor.exe                            omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9b4365610bf5ba273c19d4b6b59ac470N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9b4365610bf5ba273c19d4b6b59ac470N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Processes (identical events are collapsed; the Events column gives how many times each row was recorded, 36 in total):
  Description                        PID   Process                                Target process                         Events
  PID 1152 wrote to memory of 892    1152  9b4365610bf5ba273c19d4b6b59ac470N.exe  9b4365610bf5ba273c19d4b6b59ac470N.exe  6
  PID 892 wrote to memory of 2804    892   9b4365610bf5ba273c19d4b6b59ac470N.exe  omsecor.exe                            4
  PID 2804 wrote to memory of 2560   2804  omsecor.exe                            omsecor.exe                            6
  PID 2560 wrote to memory of 2896   2560  omsecor.exe                            omsecor.exe                            4
  PID 2896 wrote to memory of 684    2896  omsecor.exe                            omsecor.exe                            6
  PID 684 wrote to memory of 2184    684   omsecor.exe                            omsecor.exe                            4
  PID 2184 wrote to memory of 2948   2184  omsecor.exe                            omsecor.exe                            6
Processes
(process tree; the number in brackets is the nesting depth, each entry lists the image path, the recorded command line, the PID and the signatures attributed to it)

[1] C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe"
    PID: 1152
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
      PID: 892
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2804
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2560
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 2896
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 684
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 2184
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2948
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 96KB
MD5: 6123f4b0759183e2454f5cc37764fbc2
SHA1: 47cf4c7aaa51499809b7c9367ff52620108b889c
SHA256: 827082545570a3be54af7070942aa80eeb715c084a7769631a6f4da2b0dfa6f4
SHA512: 503a34691cf99e9c58365df90ef1be3698f5a7b2093ef5712f32598e855373f343b2be4aa138e2f353a7651c549800da9a7d0dd211dc6e5d0049f859f565d67a

File 2
Filesize: 96KB
MD5: 19e259a2635674dc70fbcde2f1b6a1e3
SHA1: 18c3fddda01c6396b130062035b411be35dfd785
SHA256: ba58a831a5e8fd5272c5dd14230080236444c6bc07d5f2f9883933cffa891b24
SHA512: 1e4d74861121039184d4cd111dc8d89e9b7b751b3abb2d0850d673898ba88c2bb8c0c667feaed3c0bfd91530a554ccd54cd699e6d6d6e838fdfe87946d9b9bf9

File 3
Filesize: 96KB
MD5: d0d4388594bdc7a972a839e61316d9d8
SHA1: 3e5d2d902b7bd43ce57b1738182913f5e6169c99
SHA256: 83f97cb3904c8c614e0437e454a86aae05de73ed7da3bf0079e513b01640cf78
SHA512: 52b7bf37a84de2c62c25362e930a7f27a3d1141f2b276bb926c064dc89a845107683962baa0d2ca1a388ba335370c0253f1bc7fbdfaf518161a60dcb035ca2a3