Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 18:15
Behavioral task: behavioral1
Sample: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
Resource: win7-20240508-en
Note: the signature hits and process tree below are tagged behavioral2 and match the Windows 10 platform listed at the top; the behavioral1 entry here (win7-20240508-en) is a separate task of the same submission, so do not read the PIDs and dump ranges below as coming from the Windows 7 run.
General
Target: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
Size: 35KB
MD5: 3f18b1f77502bb5435240e0fcb88e7d7
SHA1: 350c92fe0c3912118364e011d50fafa6bb0e2ebd
SHA256: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820
SHA512: 2ac839c697abadd5c50f9bd9a1b28229449e7068ec97f544f600a00cd97316e3640a19fceeabfd64937d8744c62f8aabe449cf9a5250eec2edb946a6384ab23b
SSDEEP: 768:r6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:W8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
UPX dump on OEP (original entry point) 15 IoCs
Processes:
resource / yara rule
- behavioral2/memory/3724-0-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- C:\Users\Admin\AppData\Roaming\omsecor.exe UPX
- behavioral2/memory/3724-5-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/1284-7-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/1284-8-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/1284-14-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/1284-15-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- C:\Windows\SysWOW64\omsecor.exe UPX
- behavioral2/memory/1284-20-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/4508-21-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/4508-26-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- C:\Users\Admin\AppData\Roaming\omsecor.exe UPX
- behavioral2/memory/3164-28-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/3164-29-0x0000000000400000-0x000000000042D000-memory.dmp UPX
- behavioral2/memory/3164-32-0x0000000000400000-0x000000000042D000-memory.dmp UPX
Executes dropped EXE 3 IoCs
Processes:
pid / process
- 1284 omsecor.exe
- 4508 omsecor.exe
- 3164 omsecor.exe
Processes:
resource / yara rule
- behavioral2/memory/3724-0-0x0000000000400000-0x000000000042D000-memory.dmp upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe upx
- behavioral2/memory/3724-5-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/1284-7-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/1284-8-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/1284-14-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/1284-15-0x0000000000400000-0x000000000042D000-memory.dmp upx
- C:\Windows\SysWOW64\omsecor.exe upx
- behavioral2/memory/1284-20-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/4508-21-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/4508-26-0x0000000000400000-0x000000000042D000-memory.dmp upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe upx
- behavioral2/memory/3164-28-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/3164-29-0x0000000000400000-0x000000000042D000-memory.dmp upx
- behavioral2/memory/3164-32-0x0000000000400000-0x000000000042D000-memory.dmp upx
Drops file in System32 directory 1 IoCs
Processes:
description / ioc / process
- File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description / pid / process / target process
- PID 3724 wrote to memory of 1284: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe -> omsecor.exe
- PID 3724 wrote to memory of 1284: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe -> omsecor.exe
- PID 3724 wrote to memory of 1284: 03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe -> omsecor.exe
- PID 1284 wrote to memory of 4508: omsecor.exe -> omsecor.exe
- PID 1284 wrote to memory of 4508: omsecor.exe -> omsecor.exe
- PID 1284 wrote to memory of 4508: omsecor.exe -> omsecor.exe
- PID 4508 wrote to memory of 3164: omsecor.exe -> omsecor.exe
- PID 4508 wrote to memory of 3164: omsecor.exe -> omsecor.exe
- PID 4508 wrote to memory of 3164: omsecor.exe -> omsecor.exe
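The two UPX signatures above are yara matches on the dropped files and on memory dumps, and every dump covers the same 0x400000-0x42D000 range: 0x2D000 bytes, roughly five times the 35KB on disk, which is what a packed image looks like once the stub has expanded it in place. The Python below is an added example, not part of this report or of the sandbox's own detection code: a stdlib-only walk of a PE section table that surfaces the usual UPX tells (UPX0/UPX1 section names, an entry point inside the stub section, a section with no raw data, a SizeOfImage far larger than the file). The PE it parses is constructed in build_sample_pe; only the 0x400000 image base and the 0x2D000 SizeOfImage are taken from the dump ranges above, every other header value is invented for the example.

```python
"""Walk a PE's section table to surface the packer signals a sandbox reports:
UPX0/UPX1 section names, an entry point inside the UPX1 stub section, and an
in-memory image far larger than the file on disk. Pure stdlib; no pefile."""
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (size_of_image, entry_point_rva, [(name, vsize, vaddr, rawsize)])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint (+16) and SizeOfImage (+56) sit at the same offsets in both formats
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from(SECTION_HEADER, data, off)[:4]
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rawsize))
    return size_of_image, entry, sections


def upx_indicators(data: bytes) -> dict:
    """Heuristics only: UPX section names can be renamed, so treat these as triage hints."""
    size_of_image, entry, sections = parse_pe(data)
    ep_section = next((n for n, vs, va, rs in sections if va <= entry < va + max(vs, rs)), None)
    return {
        "upx_section_names": any(n.startswith("UPX") for n, *_ in sections),
        "entry_point_section": ep_section,           # UPX1 = the decompression stub
        "empty_raw_section": any(rs == 0 and vs > 0 for _, vs, _, rs in sections),
        "size_of_image": size_of_image,
        "file_size": len(data),
        "image_to_file_ratio": round(size_of_image / max(len(data), 1), 2),
    }


def build_sample_pe(packed: bool = True) -> bytes:
    """Constructed PE32 header, NOT the real sample. With packed=True the layout
    mirrors a UPX build whose SizeOfImage equals the 0x2D000 dump range in the
    report; all other values (RVAs, sizes, entry point) are invented."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    if packed:
        sections = [(b"UPX0", 0x20000, 0x1000, 0, 0x400, 0xE0000080),      # no raw data, filled at run time
                    (b"UPX1", 0xB000, 0x21000, 0x8600, 0x400, 0xE0000040), # stub + compressed payload
                    (b".rsrc", 0x1000, 0x2C000, 0x200, 0x8A00, 0xC0000040)]
        entry, size_of_image = 0x2B4F0, 0x2D000
    else:
        sections = [(b".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
                    (b".data", 0x1000, 0x6000, 0x1000, 0x5400, 0xC0000040),
                    (b".rsrc", 0x1000, 0x7000, 0x200, 0x6400, 0x40000040)]
        entry, size_of_image = 0x1200, 0x8000
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, 32-bit exe
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase, as in the dumps above
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack(SECTION_HEADER, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(35 * 1024, b"\0")                       # pad to the report's 35KB on disk


if __name__ == "__main__":
    for label, blob in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        print(label, upx_indicators(blob))
```

Running it on a real file is a matter of `upx_indicators(open(path, "rb").read())`. The entry-point check is the one that maps to the "dump on OEP" signature: while the entry point sits in UPX1, execution has not yet reached the original entry point, so a dump taken then still contains compressed data; the sandbox's dumps are useful precisely because they were taken after the stub had jumped back into the UPX0 region.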
Processes
1. C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe"
   PID: 3724
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1284
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 4508
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         Note: the command line names C:\Windows\System32\omsecor.exe but the image ran from SysWOW64. omsecor.exe is a 32-bit binary, so WoW64 file system redirection mapped both the "Drops file in System32 directory" write and this launch to SysWOW64; when hunting for it, match on the image path rather than on the command line.
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3164
            - Executes dropped EXE
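The chain above (sample in Temp, copy in %APPDATA%, copy in SysWOW64, copy in %APPDATA% again, each parent writing into the memory of the child it spawns) is what endpoint detection has to reassemble from process-create and file-create telemetry. The Python below is an added example, not part of this report: it replays the tree as constructed Sysmon-style events (the explorer.exe parent of PID 3724, and PID 3724 being the writer of the Roaming copy, are assumptions the report does not state) and runs a few rules over them: execution from a user-writable path, a system-directory drop by such a process, a same-name relaunch from a different directory, and a command line naming System32 while the image resolved to SysWOW64.

```python
"""Detection pass over constructed Sysmon-style events that replay the process
tree above (event id 1 = process create, 11 = file create). Rules flag execution
from user-writable paths, drops into the system directory by such processes, the
same-name relaunch chain, and WoW64-redirected launches."""
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events modelled on the report. The explorer.exe parent of PID 3724
# and the Roaming drop by PID 3724 are assumptions, not something the report states.
EVENTS = [
    {"id": 1, "pid": 3724, "ppid": 1000, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe", "cmdline": SAMPLE},
    {"id": 11, "pid": 3724, "image": SAMPLE, "target": ROAMING},
    {"id": 1, "pid": 1284, "ppid": 3724, "image": ROAMING, "parent": SAMPLE, "cmdline": ROAMING},
    {"id": 11, "pid": 1284, "image": ROAMING, "target": WOW64},
    {"id": 1, "pid": 4508, "ppid": 1284, "image": WOW64, "parent": ROAMING,
     "cmdline": r"C:\Windows\System32\omsecor.exe"},   # WoW64 redirected System32 -> SysWOW64
    {"id": 1, "pid": 3164, "ppid": 4508, "image": ROAMING, "parent": WOW64, "cmdline": ROAMING},
]

# Paths a standard user can write to; extend for your estate.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_any(path: str, needles) -> bool:
    p = path.lower()
    return any(n in p for n in needles)


def detect(events):
    """Return sorted (rule, pid, detail) tuples for every rule hit."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            if in_any(ev["image"], USER_WRITABLE):
                hits.append(("exec_from_user_writable", ev["pid"], ev["image"]))
            # Same file name as the parent, launched from a different directory:
            # the self-copying relaunch pattern seen in the tree above.
            same_name = ntpath.basename(ev["image"]).lower() == ntpath.basename(ev["parent"]).lower()
            diff_dir = ntpath.dirname(ev["image"]).lower() != ntpath.dirname(ev["parent"]).lower()
            if same_name and diff_dir:
                hits.append(("same_name_relaunch", ev["pid"], f'{ev["parent"]} -> {ev["image"]}'))
            # Command line says System32, image is in SysWOW64: WoW64 file system
            # redirection, so match on Image, never on CommandLine, for this path.
            if "\\system32\\" in ev["cmdline"].lower() and "\\syswow64\\" in ev["image"].lower():
                hits.append(("wow64_redirected_launch", ev["pid"], ev["cmdline"]))
        elif ev["id"] == 11:
            if in_any(ev["target"], SYSTEM_DIRS) and in_any(ev["image"], USER_WRITABLE):
                hits.append(("system_dir_drop_by_user_process", ev["pid"], ev["target"]))
    return sorted(hits)


def chain_for(events, pid: int):
    """Walk parent links of process-create events back to the root; returns images root..pid."""
    by_pid = {ev["pid"]: ev for ev in events if ev["id"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
    print(" -> ".join(chain_for(EVENTS, 3164)))
```

The same-name rule is the one that generalises best beyond this sample: a legitimate installer rarely spawns a copy of itself with the same file name from a different directory three levels deep, while the user-writable-path rule on its own is noisy on developer machines and needs an allow-list.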
Downloads
Three 35KB files were captured during the run; their hashes differ from the submitted sample's and from one another, so hunting on the original sample's hashes alone will not find the copies.
1.
Filesize: 35KB
MD5: 1a1e5cee38301e50d75aaf8a06f59446
SHA1: d57fa8331f4b400cd9f353cfd3d17fb79a8749e5
SHA256: df203312a86c68973ad88d1b4ebc95ceed679bfe50b0c53fc80f9748cec13063
SHA512: a62e84cfa465eca926949434cd4b3c69e5986e7bf77ea5f4ed507a0a95302e3b3e748ab9a8d342405287a5c7ec25e02b33b150fa0a4ce25039e5fa1b59f4fe14
2.
Filesize: 35KB
MD5: 0b8337b47be228f5d9a0c04845729262
SHA1: d7046b7363126715d7b28b450af9c9025d813417
SHA256: 444a7ea04a6e7e3f6f190c936605194e52d9f5c6421ce86327916beb7da8ae8f
SHA512: 8bb1fb752dd5375afc8ed3162fe632e7b9d8bcf8949de621844528e3606887ab186d3c2827090675df1bd75d9c0537a4df3529343ce576d4397c74c5a1dd8b6e
3.
Filesize: 35KB
MD5: 981c84739f904bb3cd1e98a07e2ff25c
SHA1: 4f72607174260881af5697b390b3f54eb0ef6e6b
SHA256: 1cc6b5ab9edf60366ff2bbf8a8e032b6a335f6970a26698bae34bf9145fb7065
SHA512: ff3701fc72da220d33cca337fa83a0c67b08ff626ea9c47020f5eddf1052dfd83327d771985e271a55bc63c17ec5745d871fbd44a94a576ca9bd753d8daed161