Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 23:50
Behavioral task: behavioral1
Sample: 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
Resource: win7-20240508-en
General
Target: 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
Size: 92KB
MD5: 7340d2844dd924e0212e3a89e112256d
SHA1: 50bf89c4aea84ef2fc2707ec31297bac8c757a18
SHA256: 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b
SHA512: 02d7b946959899ad6b3c82f307e4cc3dfe6d50c289fbec294fe5c16dc01ce3106973e83e2085d58e0861e0e1a56ec73144044db9d457c9667aae5fd37800103d
SSDEEP: 768:8MEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:8bIYYvoE1FKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid   process
  1964  omsecor.exe
  2692  omsecor.exe
  1868  omsecor.exe

Loads dropped DLL (6 IoCs)
  pid   process
  2988  8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
  2988  8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
  1964  omsecor.exe
  1964  omsecor.exe
  2692  omsecor.exe
  2692  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process                                                                 target process
  PID 2988 wrote to memory of 1964   2988  8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe   omsecor.exe   (4 events)
  PID 1964 wrote to memory of 2692   1964  omsecor.exe                                                             omsecor.exe   (4 events)
  PID 2692 wrote to memory of 1868   2692  omsecor.exe                                                             omsecor.exe   (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"
   PID: 2988
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1964
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 2692
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1868
            - Executes dropped EXE
Downloads

Filesize: 92KB
MD5: 2a27191f0dfc9299ba6b3173548ed99a
SHA1: e2c92d92a9883162287295e37bd8b0dfd42b8452
SHA256: ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2
SHA512: 2873fb59637cbdf76a3bbf29f9bcb2958527d1fe5aebdd7117e6aa81516d21a0fe9a73beb37cece0ebf11cd4a2f7b95e21d55c023799509677a54da0dad423ef

Filesize: 92KB
MD5: c80865ea75fcca4187e888cb33d32115
SHA1: b444ef642018a0358e8c996580efe4c017235f83
SHA256: d03e60079cfdacdb6a0892e3817b56ef71e9f055981e5d990fa6286ef9398cd7
SHA512: 3c78bd4d4f97acb6416f39a8d34cd5b111df9d62e86aa911dd793e2fd7d7038673d0023eb26477b6edb200ec1196d03a2a158b5d3afca88d9e78c4afe63c323b

Filesize: 92KB
MD5: e66f2d96e95f784919c5ec7f904c7843
SHA1: 45a181e41bc464272874ec19fa8c46f6898f36c1
SHA256: 99b4dfdf381642f85d32772759bb9a0efb476d286ce5cb63564ae392165dbd1b
SHA512: ee432d3deabd74a5d5384f4b23e2bb696016485563e7c671e88d3066b4abc651ecb6788bb73776dd98230c18afe84f1b284766c3a34cbef5b8db32393d58b9f4