Analysis

max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 04:27
Behavioral task: behavioral1
Sample: e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe
Resource: win7-20240903-en
General

Target: e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe
Size: 35KB
MD5: bbdacc51c2b31dc41ba058aa23d5fee0
SHA1: 5065cfc1b7c8b0395047c2701a09ab501b73f35d
SHA256: e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4
SHA512: 5f2c73e6b3725a1b3f5e14601bf473bb4613ef670f133f763222c77d4a740cfacd0a2a753f87780cdc7ff7bcb71602dc039053f088998f6fd7cc53ad9f91d038
SSDEEP: 768:26vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:N8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  1060  omsecor.exe
  1096  omsecor.exe
  2940  omsecor.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  1732  e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe
  1732  e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe
  1060  omsecor.exe
  1060  omsecor.exe
  1096  omsecor.exe
  1096  omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
YARA rule matches (all hits: yara_rule upx)
  Resource                                                                        yara_rule
  behavioral1/memory/1732-0-0x0000000000400000-0x000000000042D000-memory.dmp     upx
  behavioral1/memory/1732-9-0x0000000000400000-0x000000000042D000-memory.dmp     upx
  behavioral1/files/0x00080000000120ff-11.dat                                     upx
  behavioral1/memory/1060-12-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/1732-10-0x00000000003C0000-0x00000000003ED000-memory.dmp    upx
  behavioral1/memory/1060-14-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/1060-17-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/1060-20-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/1060-23-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/1060-26-0x0000000000430000-0x000000000045D000-memory.dmp    upx
  behavioral1/files/0x0005000000004ed7-25.dat                                     upx
  behavioral1/memory/1060-33-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/files/0x00080000000120ff-37.dat                                     upx
  behavioral1/memory/2940-48-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/1096-46-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/2940-50-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  behavioral1/memory/2940-53-0x0000000000400000-0x000000000042D000-memory.dmp    upx
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                 procid_target
  PID 1732 wrote to memory of 1060  1732  e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe   30
  PID 1732 wrote to memory of 1060  1732  e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe   30
  PID 1732 wrote to memory of 1060  1732  e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe   30
  PID 1732 wrote to memory of 1060  1732  e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe   30
  PID 1060 wrote to memory of 1096  1060  omsecor.exe                                                             33
  PID 1060 wrote to memory of 1096  1060  omsecor.exe                                                             33
  PID 1060 wrote to memory of 1096  1060  omsecor.exe                                                             33
  PID 1060 wrote to memory of 1096  1060  omsecor.exe                                                             33
  PID 1096 wrote to memory of 2940  1096  omsecor.exe                                                             34
  PID 1096 wrote to memory of 2940  1096  omsecor.exe                                                             34
  PID 1096 wrote to memory of 2940  1096  omsecor.exe                                                             34
  PID 1096 wrote to memory of 2940  1096  omsecor.exe                                                             34
Processes

1. C:\Users\Admin\AppData\Local\Temp\e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4b3b326799be4055842e0c04cca1c8547a9540157da3eade6fe7026b3711aa4.exe"
   PID: 1732
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1060
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1096
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2940
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 35KB
MD5: 99b29f08d608ee5cf5480a7a19c061e8
SHA1: 66c6c4a2862f62d059e58639779e95fb32649a28
SHA256: fd22c4473216852573fadcb5523bc2003f4af90e584322c185c49fa973e69c4d
SHA512: 8917d96ad9ac64a9e36f29bb2823179862a78fe3f83b834dfd432d399f7391b89fd40bc3ed84bd78fe915969d3960b6e0e2c7804eddc0642997322eab67c4dbb

Filesize: 35KB
MD5: 217c3999bd6238fe5fecb0569c989778
SHA1: 317a5d9e0698a2e328702d79d7dfa9b407dc705e
SHA256: 81680a664d2f789119e53548247032061b37fc56888eebc51b1e6e50e81df3ca
SHA512: 7827466ef1f5450f2ebfe9b2a3c836516f369cdc1bb16b1c35992495c7cfc30bbbcaba879c8efe003a7aff7952473be96bc00764e4973ec8083d4c6783972f2e

Filesize: 35KB
MD5: 0dc55960be5f8832f67fae235705aaed
SHA1: b7a4e86cadad9f0267e79f9c0b9593627211291d
SHA256: 45fe8e2c7782aa2723f9f538332c72c5653089df7ffb88c16afcf8d39329d88b
SHA512: 4cf6223105f95290e7913425c3f1a86bd27d50c4a3be798ff56828726b367dc4cdbb0680d439867727cc675e539a39e9ab8e9642fc10b4ce4c800b6716d52b15