Analysis
Max time kernel: 145s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 19-05-2024 19:02
Behavioral task: behavioral1
Sample: 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
Resource: win7-20240508-en
General
Target: 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
Size: 92KB
MD5: d778c5f619c010fb474b77763cd5e2a4
SHA1: 15fc99ce1104d3e522a14b1e670fb79e64f4a32c
SHA256: 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd
SHA512: aeca53c4e3f361c90b119ffd0a44d6d491fd72e2865358131edea6a86a185ae2a6f0d470d6351768d71fe1d5e842828a129c174f4d2b191810d198ff07b23205
SSDEEP: 1536:pd9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:pdseIO/EZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  PID   Process
  2092  omsecor.exe
  2964  omsecor.exe
  2368  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  PID   Process
  1936  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
  1936  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
  2092  omsecor.exe
  2092  omsecor.exe
  2964  omsecor.exe
  2964  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  Description   IoC                                  Process
  File created  C:\Windows\SysWOW64\omsecor.exe      omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  Description                        PID   Process                                                                   Target process
  PID 1936 wrote to memory of 2092   1936  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe     omsecor.exe
  PID 1936 wrote to memory of 2092   1936  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe     omsecor.exe
  PID 1936 wrote to memory of 2092   1936  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe     omsecor.exe
  PID 1936 wrote to memory of 2092   1936  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe     omsecor.exe
  PID 2092 wrote to memory of 2964   2092  omsecor.exe                                                               omsecor.exe
  PID 2092 wrote to memory of 2964   2092  omsecor.exe                                                               omsecor.exe
  PID 2092 wrote to memory of 2964   2092  omsecor.exe                                                               omsecor.exe
  PID 2092 wrote to memory of 2964   2092  omsecor.exe                                                               omsecor.exe
  PID 2964 wrote to memory of 2368   2964  omsecor.exe                                                               omsecor.exe
  PID 2964 wrote to memory of 2368   2964  omsecor.exe                                                               omsecor.exe
  PID 2964 wrote to memory of 2368   2964  omsecor.exe                                                               omsecor.exe
  PID 2964 wrote to memory of 2368   2964  omsecor.exe                                                               omsecor.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe"
  PID: 1936
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2092
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2964
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2368
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 92KB
MD5: ddbaeb99c7021758c48b682e11b598af
SHA1: 533ca988026b16b6317e31cd2c5f763ee5d52259
SHA256: d53287ccca304154bca58948dfa803304359531f552ff15c02923e63a12acc74
SHA512: 0a2e0194f6584471c3dca67cb7eb6b90564e375e623dc6d90e450dde43b8a96d747424c4706ddf079401aa66a3809e9f92c43cf72295a12568f07d8ca818a8c4

Filesize: 92KB
MD5: c9cb798465e20aba072d6dfb7387104f
SHA1: a0fab0477695fc2e9caa6302e33144f3aed1216e
SHA256: 4c24877ef306b934e93af990132554947ca6548718bd32b84ee59a29d4baf6fa
SHA512: dd013b345750d492aa4d4b4233bb3dd55c52f923aadf70440784736fa87876bef72e219dc22a9dd8be77ced2d4dc6bb82709ead8ab714797e4c51bbae9aa7854

Filesize: 92KB
MD5: 85971e20f54074fd519712b62ba889c4
SHA1: f143d1e8d73dc3614348bef24bacd1d5f3312b8e
SHA256: 502c94c742faed269d83fd0091ab1aaf81de3a99afcaafb4391a0861b88fbdaa
SHA512: 08153da7d1d5a442355863a8e9cfffc22b4beb953b7f48d675b2269c34bd24cd72c224e298c1df73bb2488fdb4f63354f2c03364abd3333930a3262374a6f12c