Analysis
  max time kernel: 145s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-05-2024 21:34
Behavioral task: behavioral1
  Sample: 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
  Resource: win7-20240508-en
General
  Target: 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
  Size: 73KB
  MD5: 372368f243b6e6b68d93ece33065a7c0
  SHA1: 1db74e410b302830739be85335b4d585759a4348
  SHA256: 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0
  SHA512: 06dd900cf1c7a430b6247cbc72bcfd878f54360722d4cb6485bc9795c84fb570ecbdde82e24155b63479a55858edfeaead224e5fdbc4acd02e0ab52c1e759647
  SSDEEP: 1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
  Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

  Executes dropped EXE (2 IoCs)
    pid   process
    4964  omsecor.exe
    3176  omsecor.exe

  Drops file in System32 directory (2 IoCs)
    description                   ioc                              process
    File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
    File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   process                                                                   target process
    PID 4972 wrote to memory of 4964  4972  50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe  omsecor.exe
    PID 4972 wrote to memory of 4964  4972  50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe  omsecor.exe
    PID 4972 wrote to memory of 4964  4972  50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe  omsecor.exe
    PID 4964 wrote to memory of 3176  4964  omsecor.exe                                                               omsecor.exe
    PID 4964 wrote to memory of 3176  4964  omsecor.exe                                                               omsecor.exe
    PID 4964 wrote to memory of 3176  4964  omsecor.exe                                                               omsecor.exe
Processes

  1. C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
     "C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"
     - Suspicious use of WriteProcessMemory
     PID: 4972

    2. C:\Users\Admin\AppData\Roaming\omsecor.exe
       C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Drops file in System32 directory
       - Suspicious use of WriteProcessMemory
       PID: 4964

      3. C:\Windows\SysWOW64\omsecor.exe
         C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         PID: 3176
Network
MITRE ATT&CK Matrix
Downloads

  - Filesize: 73KB
    MD5: 540b9b67841d4199b21880644c909be1
    SHA1: 529a68d19b90f49eeb0275660661734dd0071abc
    SHA256: c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b
    SHA512: 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

  - Filesize: 73KB
    MD5: 1de9e1c6719ac9d020b79eb85aa3951f
    SHA1: 08ee657ab95b829d8730232278e20f9a10b5fcaa
    SHA256: 078d8748c33fd6e646a6b7a7970bf2d1f2f89089ffa13fb34d4848bff1bd2608
    SHA512: 93b727ef35e3601b15c36651e303bc130b8f119cf960bb478e8568808fbb3e95d69149fc7490da459a730cd29a815b5c111f410b7271ca1ff7ed6c423f46e0ed