Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
19-08-2024 12:42
Behavioral task
behavioral1
Sample
4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Resource
win7-20240705-en
General
-
Target
4f8b5ded61b51de6d2d27f0e2a473a30N.exe
-
Size
248KB
-
MD5
4f8b5ded61b51de6d2d27f0e2a473a30
-
SHA1
3d58be86f9b50ae09a0a0a71521297dd241aefc6
-
SHA256
feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707
-
SHA512
ebc97a82579408b5d44440877927033517f21d24f83d0a1147b8840585c3f43d726067d12112fab1029e8e0abc9f781748de86f1defd4f36c89865b980dccb4b
-
SSDEEP
1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
omsecor.exe, omsecor.exe, omsecor.exe
pid    process
580    omsecor.exe
2420   omsecor.exe
1808   omsecor.exe
-
Loads dropped DLL 6 IoCs
Processes:
4f8b5ded61b51de6d2d27f0e2a473a30N.exe, omsecor.exe, omsecor.exe
pid    process
2112   4f8b5ded61b51de6d2d27f0e2a473a30N.exe
2112   4f8b5ded61b51de6d2d27f0e2a473a30N.exe
580    omsecor.exe
580    omsecor.exe
2420   omsecor.exe
2420   omsecor.exe
-
Processes:
resource                                                                      yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x000000000043E000-memory.dmp    upx
\Users\Admin\AppData\Roaming\omsecor.exe                                      upx
behavioral1/memory/2112-4-0x00000000003C0000-0x00000000003FE000-memory.dmp    upx
behavioral1/memory/2112-9-0x0000000000400000-0x000000000043E000-memory.dmp    upx
behavioral1/memory/580-13-0x0000000000400000-0x000000000043E000-memory.dmp    upx
behavioral1/memory/580-14-0x0000000000400000-0x000000000043E000-memory.dmp    upx
\Windows\SysWOW64\omsecor.exe                                                 upx
behavioral1/memory/2420-29-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral1/memory/580-26-0x0000000000400000-0x000000000043E000-memory.dmp    upx
\Users\Admin\AppData\Roaming\omsecor.exe                                      upx
behavioral1/memory/1808-38-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral1/memory/1808-40-0x0000000000400000-0x000000000043E000-memory.dmp   upx
-
Drops file in System32 directory 1 IoCs
Processes:
omsecor.exe
description    ioc                                process
File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
4f8b5ded61b51de6d2d27f0e2a473a30N.exe, omsecor.exe, omsecor.exe, omsecor.exe
description   ioc                                                         process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
4f8b5ded61b51de6d2d27f0e2a473a30N.exe, omsecor.exe, omsecor.exe
description                          pid    process                                  target process
PID 2112 wrote to memory of 580      2112   4f8b5ded61b51de6d2d27f0e2a473a30N.exe    omsecor.exe
PID 2112 wrote to memory of 580      2112   4f8b5ded61b51de6d2d27f0e2a473a30N.exe    omsecor.exe
PID 2112 wrote to memory of 580      2112   4f8b5ded61b51de6d2d27f0e2a473a30N.exe    omsecor.exe
PID 2112 wrote to memory of 580      2112   4f8b5ded61b51de6d2d27f0e2a473a30N.exe    omsecor.exe
PID 580 wrote to memory of 2420      580    omsecor.exe                              omsecor.exe
PID 580 wrote to memory of 2420      580    omsecor.exe                              omsecor.exe
PID 580 wrote to memory of 2420      580    omsecor.exe                              omsecor.exe
PID 580 wrote to memory of 2420      580    omsecor.exe                              omsecor.exe
PID 2420 wrote to memory of 1808     2420   omsecor.exe                              omsecor.exe
PID 2420 wrote to memory of 1808     2420   omsecor.exe                              omsecor.exe
PID 2420 wrote to memory of 1808     2420   omsecor.exe                              omsecor.exe
PID 2420 wrote to memory of 1808     2420   omsecor.exe                              omsecor.exe
Processes
-
Depth 1
Path: C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"
PID: 2112
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  Depth 2
  Path: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 580
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Depth 3
    Path: C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe
    PID: 2420
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Depth 4
      Path: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1808
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
248KB
MD5
795a05ea0a425d39884d9c4208eb97c1
SHA1
3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d
SHA256
c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17
SHA512
55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a
-
Filesize
248KB
MD5
6820478f28bae667442e0ab68a7c6def
SHA1
82f1f543fc7a3acc19db33a9df8030daf521b817
SHA256
854a233b0716bee7324222f319a9a755b953082a5b8e7a44669914e4ad852c7b
SHA512
764ff72cffb930dab70b468c1b749f2e57844f661e412d9cb5b097f64b2e2b91fb9a62ca7cba9edf36f9e6bab1b1087a901eb8e43357f943b14656d216cde42d
-
Filesize
248KB
MD5
ae6f0b928ca26be64f734eb0ff37ae6e
SHA1
511ff1c9568b6e90f3aba9ef366bf540b6f12506
SHA256
4d959b2f8ce32d54e5717a915a6f66f4e0eb2d005615424cb370f9412c072613
SHA512
cec89a4f6f578711f969cd01d2636adc3dbccd3e4679d9c80cbe8c99a26e37dfb1b859a1482b4d1288667f82da29329e730defc48673d512becb92adaf657a98