Analysis
  Max time kernel: 146s
  Max time network: 150s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240426-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 19-05-2024 22:30
Behavioral task: behavioral1
  Sample: 668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
  Resource: win7-20240221-en
General
  Target: 668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
  Size: 65KB
  MD5: 05a2c5419bb6147524a16d30fe6aafb1
  SHA1: ee84a1d03382323ab247c3cb7d93a1646b0e4b44
  SHA256: 668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23
  SHA512: a81d53fa400ad68f18de55055e32fd08ab656b9e2c9e4cc58dd6c8cd04df46a55a390b24a22a359cc37a054ce4df9f28a9d12de970d0f654e1aaba6a788230fb
  SSDEEP: 1536:wd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:wdseIO+EZEyFjEOFqTiQmOl/5
Malware Config
  Extracted (neconyd):
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid   process
  1848  omsecor.exe
  5056  omsecor.exe
  3388  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                                                                 target process
  PID 4016 wrote to memory of 1848  4016  668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe  omsecor.exe
  PID 4016 wrote to memory of 1848  4016  668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe  omsecor.exe
  PID 4016 wrote to memory of 1848  4016  668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe  omsecor.exe
  PID 1848 wrote to memory of 5056  1848  omsecor.exe                                                             omsecor.exe
  PID 1848 wrote to memory of 5056  1848  omsecor.exe                                                             omsecor.exe
  PID 1848 wrote to memory of 5056  1848  omsecor.exe                                                             omsecor.exe
  PID 5056 wrote to memory of 3388  5056  omsecor.exe                                                             omsecor.exe
  PID 5056 wrote to memory of 3388  5056  omsecor.exe                                                             omsecor.exe
  PID 5056 wrote to memory of 3388  5056  omsecor.exe                                                             omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe"
  PID: 4016
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1848
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 5056
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3388
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 65KB
  MD5: 471a54186f304e888e1cbc348fe47973
  SHA1: 677f2214e707647aa5c28b3e035c9d78c5039357
  SHA256: c4ce6134c2a8185a5d2e5fb1471ba922f162d253a05bca8717ff0b49638e9e58
  SHA512: 0d23f52902d05be8838278fe6676b63c914157123f8ba54e3e9d7b511abf944d4bb8f3ac6efa429fa855c98517ad9be875845d59bdb943669603e40c77aa3f54

  Filesize: 65KB
  MD5: 967fb98aba3fb7e9d8729fceee6ad210
  SHA1: f29a856ec32285357ed5ccbeba1d03142a001825
  SHA256: a65f620bd1fc4f28e92c585ef798b11e76d1bd4065a80e24fe5bd4e5b2ca3fbc
  SHA512: c43ff7a0b146d9b96bc56aee82480486ffd7f31831098ac2b4db28ed45e64c2438f3a99e9ff7c93aff308fe9295f25aa04e68e4f843e4664ca8a6ebb6395d734

  Filesize: 65KB
  MD5: cf90b2244fe9a486b47dacec33833727
  SHA1: 5a940f1ed45cdcb8b2b3f071aebd19035144be6e
  SHA256: 4a99cc15081333621dfdf8ddbab324b80f238af513b1ad65758df5e856950f1d
  SHA512: ef9de49c1c5f2bda951a026428b3d28aeaf48ed19b7f61af80f96282361e128efcf7160bf2515dbf1858025a1c907a30780af72a820fb12e342b9a58fcae1cf5