Analysis
max time kernel: 145s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 18:15
Behavioral task: behavioral1
Sample: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
Resource: win7-20240508-en
General
Target: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
Size: 35KB
MD5: 3f18b1f77502bb5435240e0fcb88e7d7
SHA1: 350c92fe0c3912118364e011d50fafa6bb0e2ebd
SHA256: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820
SHA512: 2ac839c697abadd5c50f9bd9a1b28229449e7068ec97f544f600a00cd97316e3640a19fceeabfd64937d8744c62f8aabe449cf9a5250eec2edb946a6384ab23b
SSDEEP: 768:r6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:W8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

UPX dump on OEP (original entry point) - 18 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1708-0-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- \Users\Admin\AppData\Roaming\omsecor.exe  UPX
- behavioral1/memory/1708-4-0x00000000002A0000-0x00000000002CD000-memory.dmp  UPX
- behavioral1/memory/1708-10-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/2444-13-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/2444-14-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/2444-17-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/2444-20-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/2444-23-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- \Windows\SysWOW64\omsecor.exe  UPX
- behavioral1/memory/2444-26-0x0000000000320000-0x000000000034D000-memory.dmp  UPX
- behavioral1/memory/2444-33-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/1516-37-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- \Users\Admin\AppData\Roaming\omsecor.exe  UPX
- behavioral1/memory/1516-45-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/1872-47-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/1872-49-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- behavioral1/memory/1872-52-0x0000000000400000-0x000000000042D000-memory.dmp  UPX

Executes dropped EXE - 3 IoCs
Processes (pid, process):
- 2444  omsecor.exe
- 1516  omsecor.exe
- 1872  omsecor.exe

Loads dropped DLL - 6 IoCs
Processes (pid, process):
- 1708  03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
- 1708  03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
- 2444  omsecor.exe
- 2444  omsecor.exe
- 1516  omsecor.exe
- 1516  omsecor.exe

Processes (resource, yara_rule):
- behavioral1/memory/1708-0-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- \Users\Admin\AppData\Roaming\omsecor.exe  upx
- behavioral1/memory/1708-4-0x00000000002A0000-0x00000000002CD000-memory.dmp  upx
- behavioral1/memory/1708-10-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/2444-13-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/2444-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/2444-17-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/2444-20-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/2444-23-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- \Windows\SysWOW64\omsecor.exe  upx
- behavioral1/memory/2444-26-0x0000000000320000-0x000000000034D000-memory.dmp  upx
- behavioral1/memory/2444-33-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/1516-37-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- \Users\Admin\AppData\Roaming\omsecor.exe  upx
- behavioral1/memory/1516-45-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/1872-47-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/1872-49-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- behavioral1/memory/1872-52-0x0000000000400000-0x000000000042D000-memory.dmp  upx

Drops file in System32 directory - 1 IoCs
Processes (description, ioc, process):
- File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory - 12 IoCs
Processes (description, pid, process, target process):
- PID 1708 wrote to memory of 2444  1708  03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe  omsecor.exe  (4 entries)
- PID 2444 wrote to memory of 1516  2444  omsecor.exe  omsecor.exe  (4 entries)
- PID 1516 wrote to memory of 1872  1516  omsecor.exe  omsecor.exe  (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe"
   PID: 1708
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2444
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1516
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1872
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 35KB
MD5: 0b8337b47be228f5d9a0c04845729262
SHA1: d7046b7363126715d7b28b450af9c9025d813417
SHA256: 444a7ea04a6e7e3f6f190c936605194e52d9f5c6421ce86327916beb7da8ae8f
SHA512: 8bb1fb752dd5375afc8ed3162fe632e7b9d8bcf8949de621844528e3606887ab186d3c2827090675df1bd75d9c0537a4df3529343ce576d4397c74c5a1dd8b6e

Filesize: 35KB
MD5: f42c19e70c2bf60a3165feac22c205e8
SHA1: 1285e0191642799eee96b905a9118946b22be516
SHA256: b849be64b6ec58db3a44d3246508bd00b0b2dd3f6a52f3600bccaedb86c96a56
SHA512: 21a8e60e3af24a0ef45923f22a514ff5c1945414ed85a67943c587de6fe071eeceaee18b80474aacb11dac4fd286489e575e8706485f1ad3f3cfc56bc37a7943

Filesize: 35KB
MD5: 5678eb9d4df15d70c465362dbed79900
SHA1: 4c344180092267fdb80e497c23b1fb3a84a1eb55
SHA256: 532f1e4960cb10c32058615e944050be9423cb2babc9d56c02a47851d56a4c13
SHA512: d2a301e9542fd5773191755656a8de790552b2e727d1ea87a227d8861ef7dae6b7e018c281703943f15237c448d3c4f2facd5db44f42e4c576a7948fcba296ed