Analysis
max time kernel: 145s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 19:23
Behavioral task: behavioral1
Sample: 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe
Resource: win7-20240221-en
General
Target: 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe
Size: 64KB
MD5: 3ccb069e205cf460a84fe7698078876e
SHA1: 57b6900a1bec2e0b7c0294b57236854ebc1ddfc6
SHA256: 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b
SHA512: 3a7083b5b293cdd5f2e33487b54894345acf9b945eaa227138d9fad5afdd8772680fec6a4091f3bc08831eb743f628d92ba2ca04e3c10f1c4ee41886ac8bcf87
SSDEEP: 768:QMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:QbIvYvZEyFKF6N4yS+AQmZcl/5
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (3 IoCs)
Processes (pid, process):
4072 omsecor.exe
3040 omsecor.exe
748 omsecor.exe
Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
File created C:\Windows\SysWOW64\omsecor.exe by omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
PID 2644 wrote to memory of 4072: 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe -> omsecor.exe (3 events)
PID 4072 wrote to memory of 3040: omsecor.exe -> omsecor.exe (3 events)
PID 3040 wrote to memory of 748: omsecor.exe -> omsecor.exe (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"
   PID: 2644
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4072
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3040
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 748
            - Executes dropped EXE
Downloads
File 1
Filesize: 64KB
MD5: f0b182a50c71faf153fa19121ee7c3e1
SHA1: fb4b07b8fc1feca4360f571abeb380553c7a141d
SHA256: e52e12071ffc37f9c134a4b8de43122f57621db344ba7c04dd60975110c4e647
SHA512: 4cf9020f3eedbc54282f35ff4e30c73ad8194d776a52b28a1ea019b551c845ceaed5fa34b802f4ef6b2933d315fd35701f7479ea2c3ce2cd73730c29fd17d7bd
File 2
Filesize: 64KB
MD5: 310d9a10351692f0e7c4a9b904813146
SHA1: 27b813a9eee71d69366abe8f2a1db700742310e3
SHA256: 29b04df61232f68789882af67f0467133ac23128b117d77197f832579fea2ca5
SHA512: eef492b73f4353662b4a1ecf276463ee27bce1b16bdb35209f8d09180734d65d4bc6e05dcc923c40db748384f1672111e07218be5dfcd232246f557936365780
File 3
Filesize: 64KB
MD5: daf50a5f047b682a4c7b9af1df4a25d8
SHA1: 0a4d80073efaff5052bbd6ae1fcd2a77e9ae395e
SHA256: 4b05d90e4565a5e74e4f34785f905fb0a783a9490f265a19faf2e28da11de5f5
SHA512: 691ee912113c8df2d36ef951430a69bbdfa8bb8238f0782977522098e04c17a7f7372cf4b49d2834347bb108bcc85e5dcdca4ccba1fae0284a812fd08402355c