Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-05-2024 23:50
Behavioral task
behavioral1
Sample
8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
Resource
win7-20240508-en
General
-
Target
8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
-
Size
92KB
-
MD5
7340d2844dd924e0212e3a89e112256d
-
SHA1
50bf89c4aea84ef2fc2707ec31297bac8c757a18
-
SHA256
8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b
-
SHA512
02d7b946959899ad6b3c82f307e4cc3dfe6d50c289fbec294fe5c16dc01ce3106973e83e2085d58e0861e0e1a56ec73144044db9d457c9667aae5fd37800103d
-
SSDEEP
768:8MEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:8bIYYvoE1FKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid   process
1564  omsecor.exe
4768  omsecor.exe
2732  omsecor.exe
Drops file in System32 directory 1 IoCs
Processes:
Processes: omsecor.exe
description   ioc                               process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Processes: 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe, omsecor.exe, omsecor.exe
description                       pid   process                                                                 target process
PID 744 wrote to memory of 1564   744   8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe  omsecor.exe
PID 744 wrote to memory of 1564   744   8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe  omsecor.exe
PID 744 wrote to memory of 1564   744   8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe  omsecor.exe
PID 1564 wrote to memory of 4768  1564  omsecor.exe                                                             omsecor.exe
PID 1564 wrote to memory of 4768  1564  omsecor.exe                                                             omsecor.exe
PID 1564 wrote to memory of 4768  1564  omsecor.exe                                                             omsecor.exe
PID 4768 wrote to memory of 2732  4768  omsecor.exe                                                             omsecor.exe
PID 4768 wrote to memory of 2732  4768  omsecor.exe                                                             omsecor.exe
PID 4768 wrote to memory of 2732  4768  omsecor.exe                                                             omsecor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
PID: 744

  C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Depth: 2
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1564

    C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe
    Depth: 3
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4768

      C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Depth: 4
      - Executes dropped EXE
      PID: 2732
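The Processes section and the WriteProcessMemory rows above describe one chain: the sample starts a dropped omsecor.exe from AppData\Roaming, which starts a copy of itself from SysWOW64, which starts the Roaming copy again. The script below is an added example written for this page, not Tria.ge code or report output. It rebuilds that chain from the rows as the sandbox prints them (each hop logged three times), flags the hops where a process relaunches its own file name from another directory, and checks a constructed batch of host telemetry against the paths, C2 hosts and file hashes the report lists. The function names, the `indicators`/`match_events` event shape and the `DEMO_EVENTS` records are this example's own; everything else is copied from the report.

```python
"""Rebuild the process chain in this report and turn its observations into hunt data.
Added example written for this page, not Tria.ge code or output: the records, paths,
URLs and hashes are copied from the report; DEMO_EVENTS is constructed telemetry."""
import ntpath
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"

# "Suspicious use of WriteProcessMemory" rows: (source pid, source image, target pid, target image).
# The report lists every hop three times (9 IoCs for 3 spawns); build_tree() collapses the repeats.
_SPAWNS = [
    (744, SAMPLE, 1564, "omsecor.exe"),
    (1564, "omsecor.exe", 4768, "omsecor.exe"),
    (4768, "omsecor.exe", 2732, "omsecor.exe"),
]
WPM_RECORDS = [row for row in _SPAWNS for _ in range(3)]

# Image paths from the Processes section. PID 4768 was started with a System32 command
# line but runs from SysWOW64: its 32-bit parent is subject to WoW64 file-system
# redirection, which is also why the dropped copy lands under SysWOW64.
PROCESS_PATHS = {
    744: ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE),
    1564: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    4768: r"C:\Windows\SysWOW64\omsecor.exe",
    2732: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]

# SHA256 of the sample plus the three 92KB files under Downloads.
KNOWN_SHA256 = {
    "8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b",
    "4a4207efdf916748feda5ec281d1bf7ed99a36edec56ffa87006a4bc316063d2",
    "ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2",
    "f695128ac266234ee50fd296c9910c8f94a07c8a6cbf184033fe99ab865b4fe9",
}


def build_tree(records):
    """Map parent pid -> ordered list of child pids, dropping repeated rows."""
    children = defaultdict(list)
    for src_pid, _, dst_pid, _ in records:
        if dst_pid not in children[src_pid]:
            children[src_pid].append(dst_pid)
    return dict(children)


def root_pids(tree):
    """Pids that appear as parents but never as children (here only the sample)."""
    all_children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in all_children]


def spawn_chain(tree, root):
    """Depth-first list of pids reachable from root, root first."""
    chain, stack = [], [root]
    while stack:
        pid = stack.pop()
        chain.append(pid)
        stack.extend(reversed(tree.get(pid, [])))
    return chain


def same_name_relaunches(tree, paths):
    """Edges where a process spawns its own file name from a different directory,
    the Roaming -> SysWOW64 -> Roaming hops seen in this report."""
    hits = []
    for parent, kids in tree.items():
        for child in kids:
            p, c = paths[parent].lower(), paths[child].lower()
            if ntpath.basename(p) == ntpath.basename(c) and p != c:
                hits.append((parent, child))
    return hits


def indicators(paths, urls, hashes):
    """Normalise the report into lowercase lookup sets keyed by telemetry type."""
    return {
        "path": {p.lower() for p in paths.values() if ntpath.basename(p).lower() == "omsecor.exe"},
        "host": {urlsplit(u).hostname for u in urls},
        "sha256": {h.lower() for h in hashes},
    }


def match_events(events, iocs):
    """events: dicts with 'type' in {'path','host','sha256'} and 'value'; returns the matches."""
    return [e for e in events if e["value"].lower() in iocs.get(e["type"], set())]


# Constructed telemetry, not from the report: three true hits and one benign lookup.
DEMO_EVENTS = [
    {"type": "path", "value": r"C:\WINDOWS\SysWOW64\omsecor.exe"},
    {"type": "host", "value": "lousta.net"},
    {"type": "host", "value": "example.com"},
    {"type": "sha256", "value": "4A4207EFDF916748FEDA5EC281D1BF7ED99A36EDEC56FFA87006A4BC316063D2"},
]
```

`spawn_chain(build_tree(WPM_RECORDS), 744)` returns the four pids in launch order, and `same_name_relaunches` returns the two hops 1564 -> 4768 and 4768 -> 2732; a parent starting a same-named child from a different directory is the behaviour worth a detection rule here, independent of the specific file name. The matcher lowercases both sides so case differences in EDR path or hash fields do not hide a hit.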
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
92KB
MD5
97222e1edc2628a6c308311e21183124
SHA1
869bab22c55cbbd176768315d563c00df0cd7415
SHA256
4a4207efdf916748feda5ec281d1bf7ed99a36edec56ffa87006a4bc316063d2
SHA512
fe6caae00be0dca45a52c27b4b50e391dac3ba69940615d422f63015fb4a5dfaa83e57097e089f7c282b22ee66fbf3854f51a0df300381fb7bf6065b5a2dd248
-
Filesize
92KB
MD5
2a27191f0dfc9299ba6b3173548ed99a
SHA1
e2c92d92a9883162287295e37bd8b0dfd42b8452
SHA256
ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2
SHA512
2873fb59637cbdf76a3bbf29f9bcb2958527d1fe5aebdd7117e6aa81516d21a0fe9a73beb37cece0ebf11cd4a2f7b95e21d55c023799509677a54da0dad423ef
-
Filesize
92KB
MD5
59b719d9cb0cec45d20a7dafd2b5cdd3
SHA1
d5afdcea6550766a235cca0167dffda7b5cf90c7
SHA256
f695128ac266234ee50fd296c9910c8f94a07c8a6cbf184033fe99ab865b4fe9
SHA512
c6db6c601536e3897bf3514f077be77d2677e37d6a37634c1811ee5fecf96faec383f62bdaec65c23c0316a15f5feb317bc9a3443ec7af30b0c4e03e6127a01d