c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe
Size

128KB
MD5

06ebcf5908d227d1d26acb2f73825287
SHA1

4bf3eab2f52f0984dfc4ef0dbfe8fa3993ac9ffe
SHA256

c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4
SHA512

bde1ddaf8d71952f74c5076be33e5fa67ce06d295690430eb57d3ee70ae1691aa8c7b88f3a8365ca2efc4facb7209f6d55cc28fb22dac22d1c6019d95dc8dad1
SSDEEP

1536:DDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:PiRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4140	omsecor.exe
4680	omsecor.exe
4152	omsecor.exe
3136	omsecor.exe
4632	omsecor.exe
4744	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 3272	2828	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	84
PID 4140 set thread context of 4680	4140	omsecor.exe	88
PID 4152 set thread context of 3136	4152	omsecor.exe	99
PID 4632 set thread context of 4744	4632	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2236	2828	WerFault.exe	83
1004	4140	WerFault.exe	86
1188	4152	WerFault.exe	98
2228	4632	WerFault.exe	102

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3272	2828	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	84
PID 2828 wrote to memory of 3272	2828	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	84
PID 2828 wrote to memory of 3272	2828	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	84
PID 2828 wrote to memory of 3272	2828	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	84
PID 2828 wrote to memory of 3272	2828	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	84
PID 3272 wrote to memory of 4140	3272	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	86
PID 3272 wrote to memory of 4140	3272	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	86
PID 3272 wrote to memory of 4140	3272	c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe	86
PID 4140 wrote to memory of 4680	4140	omsecor.exe	88
PID 4140 wrote to memory of 4680	4140	omsecor.exe	88
PID 4140 wrote to memory of 4680	4140	omsecor.exe	88
PID 4140 wrote to memory of 4680	4140	omsecor.exe	88
PID 4140 wrote to memory of 4680	4140	omsecor.exe	88
PID 4680 wrote to memory of 4152	4680	omsecor.exe	98
PID 4680 wrote to memory of 4152	4680	omsecor.exe	98
PID 4680 wrote to memory of 4152	4680	omsecor.exe	98
PID 4152 wrote to memory of 3136	4152	omsecor.exe	99
PID 4152 wrote to memory of 3136	4152	omsecor.exe	99
PID 4152 wrote to memory of 3136	4152	omsecor.exe	99
PID 4152 wrote to memory of 3136	4152	omsecor.exe	99
PID 4152 wrote to memory of 3136	4152	omsecor.exe	99
PID 3136 wrote to memory of 4632	3136	omsecor.exe	102
PID 3136 wrote to memory of 4632	3136	omsecor.exe	102
PID 3136 wrote to memory of 4632	3136	omsecor.exe	102
PID 4632 wrote to memory of 4744	4632	omsecor.exe	103
PID 4632 wrote to memory of 4744	4632	omsecor.exe	103
PID 4632 wrote to memory of 4744	4632	omsecor.exe	103
PID 4632 wrote to memory of 4744	4632	omsecor.exe	103
PID 4632 wrote to memory of 4744	4632	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe
"C:\Users\Admin\AppData\Local\Temp\c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe
  C:\Users\Admin\AppData\Local\Temp\c0b16736cf7c63bfa3fdba258a72cb84c8f94dc07154bf3110167dd5d74ea3c4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 256
        8⤵
        Program crash
        
        PID:2228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 292
        6⤵
        Program crash
        
        PID:1188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 300
      4⤵
      Program crash
      PID:1004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 288
  2⤵
  - Program crash
  PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2828 -ip 2828
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4140 -ip 4140
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4152 -ip 4152
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4632 -ip 4632
1⤵
PID:3736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
d1646fb6280e2c4524e8e67dde0fe6e8

SHA1
28fc06930a36a1b596b33183c954e743f2425754

SHA256
079cff1741695df7d78dd357fc41bf22b7867f97e9785d3e8520eb131b8b1a55

SHA512
3e610cb22cd5c2319969f01c5a400921b15ef37b673030a248e5fd353ff66acea87f4e980fbbcb28814a2c751b5443a74bd51b43cd9ea9749a52c0b445a50acf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
d1646fb6280e2c4524e8e67dde0fe6e8

SHA1
28fc06930a36a1b596b33183c954e743f2425754

SHA256
079cff1741695df7d78dd357fc41bf22b7867f97e9785d3e8520eb131b8b1a55

SHA512
3e610cb22cd5c2319969f01c5a400921b15ef37b673030a248e5fd353ff66acea87f4e980fbbcb28814a2c751b5443a74bd51b43cd9ea9749a52c0b445a50acf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
d1646fb6280e2c4524e8e67dde0fe6e8

SHA1
28fc06930a36a1b596b33183c954e743f2425754

SHA256
079cff1741695df7d78dd357fc41bf22b7867f97e9785d3e8520eb131b8b1a55

SHA512
3e610cb22cd5c2319969f01c5a400921b15ef37b673030a248e5fd353ff66acea87f4e980fbbcb28814a2c751b5443a74bd51b43cd9ea9749a52c0b445a50acf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
748145b3d3567b01f0b870745ee9031b

SHA1
4d1273c9c69fe163ec7ff5b8423a63634973e266

SHA256
a89503f7f98da7fc471b98c9a9c18bb2996ec983380e5ef09f28977ca5512c5e

SHA512
56fb9fe12819f74ec57f954ccf67b687a2e5a9f2f65f2b6909b0b14f0cfdba1eb89610bc196f1f23d910ade03892804448a884b91a166a4fc78bf1503fb62234

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
748145b3d3567b01f0b870745ee9031b

SHA1
4d1273c9c69fe163ec7ff5b8423a63634973e266

SHA256
a89503f7f98da7fc471b98c9a9c18bb2996ec983380e5ef09f28977ca5512c5e

SHA512
56fb9fe12819f74ec57f954ccf67b687a2e5a9f2f65f2b6909b0b14f0cfdba1eb89610bc196f1f23d910ade03892804448a884b91a166a4fc78bf1503fb62234

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
748145b3d3567b01f0b870745ee9031b

SHA1
4d1273c9c69fe163ec7ff5b8423a63634973e266

SHA256
a89503f7f98da7fc471b98c9a9c18bb2996ec983380e5ef09f28977ca5512c5e

SHA512
56fb9fe12819f74ec57f954ccf67b687a2e5a9f2f65f2b6909b0b14f0cfdba1eb89610bc196f1f23d910ade03892804448a884b91a166a4fc78bf1503fb62234

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c35e539e5b105628614df745b8d89150

SHA1
033fed47c57c5796d2d5746d054dbeff0174aba2

SHA256
cc2f0f1a450ff8868a1ce265d23226f33641e4d70212fbe6560516e932ab6f57

SHA512
42b3913c13cd7467642361c13ecdcd410f8d3a50ef2ef912c28bf59c68121121d9ee61f9fbf72674ecaa0012643b18d99f54303cd74eb37b06c75f73f7c300cb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c35e539e5b105628614df745b8d89150

SHA1
033fed47c57c5796d2d5746d054dbeff0174aba2

SHA256
cc2f0f1a450ff8868a1ce265d23226f33641e4d70212fbe6560516e932ab6f57

SHA512
42b3913c13cd7467642361c13ecdcd410f8d3a50ef2ef912c28bf59c68121121d9ee61f9fbf72674ecaa0012643b18d99f54303cd74eb37b06c75f73f7c300cb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c35e539e5b105628614df745b8d89150

SHA1
033fed47c57c5796d2d5746d054dbeff0174aba2

SHA256
cc2f0f1a450ff8868a1ce265d23226f33641e4d70212fbe6560516e932ab6f57

SHA512
42b3913c13cd7467642361c13ecdcd410f8d3a50ef2ef912c28bf59c68121121d9ee61f9fbf72674ecaa0012643b18d99f54303cd74eb37b06c75f73f7c300cb

Download Submit
memory/3136-157-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3136-154-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3136-153-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3272-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3272-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3272-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3272-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4680-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4744-162-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4744-163-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4744-164-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download