Analysis
Max time kernel: 145s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-05-2024 19:02
Behavioral task: behavioral1
Sample: 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
Resource: win7-20240508-en
General
Target: 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
Size: 92KB
MD5: d778c5f619c010fb474b77763cd5e2a4
SHA1: 15fc99ce1104d3e522a14b1e670fb79e64f4a32c
SHA256: 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd
SHA512: aeca53c4e3f361c90b119ffd0a44d6d491fd72e2865358131edea6a86a185ae2a6f0d470d6351768d71fe1d5e842828a129c174f4d2b191810d198ff07b23205
SSDEEP: 1536:pd9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:pdseIO/EZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  1528  omsecor.exe
  2344  omsecor.exe

Drops file in System32 directory (2 IoCs)
  Description                   IoC                               Process
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6    omsecor.exe
  File created                  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process                                                                   Target process
  PID 1688 wrote to memory of 1528   1688  16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe     omsecor.exe   (3 identical IoCs)
  PID 1528 wrote to memory of 2344   1528  omsecor.exe                                                               omsecor.exe   (3 identical IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe"
   PID: 1688
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1528
      Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2344
         Signatures: Executes dropped EXE; Drops file in System32 directory

Note on PID 2344: the command line names C:\Windows\System32\omsecor.exe but the image that ran is C:\Windows\SysWOW64\omsecor.exe. The sample is 32-bit (resource tag arch:x86), so WOW64 file-system redirection maps System32 to SysWOW64 for it; this is why the "Drops file in System32 directory" IoCs above are SysWOW64 paths, and why hunting for this chain should check SysWOW64 rather than taking the command line literally.
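The signature tables and the process tree above are easier to reason about when rebuilt as a small dataset. The following script is an added example and is not part of the sandbox report: it hand-transcribes the three processes, the two System32 file events and the six WriteProcessMemory IoCs from the sections above into Python structures (the record layout and the function names are this script's own, not a sandbox export format), then reconstructs the tree, checks which child image was created by its own parent (the "Executes dropped EXE" idea), groups images by file name to surface the same omsecor.exe running from two directories, and normalizes System32 to SysWOW64 before comparing each process's command line against its image, so that the one difference on the page (PID 2344) is explained by WOW64 redirection instead of being flagged.

```python
"""Rebuild the process tree and dropped-file chain from the report above.

Added example, not part of the sandbox report: the records below were
transcribed by hand from the Signatures and Processes sections. Record
layout and function names are this script's own, not a sandbox export format.
"""
from __future__ import annotations

import ntpath
from collections import Counter

SAMPLE = "16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe"
TEMP_IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed from the Processes section: pid -> (parent pid, image on disk, command line).
PROCESSES = {
    1688: (None, TEMP_IMAGE, f'"{TEMP_IMAGE}"'),
    1528: (1688, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
           r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    2344: (1528, r"C:\Windows\SysWOW64\omsecor.exe", r"C:\Windows\System32\omsecor.exe"),
}

# Constructed from "Drops file in System32 directory": (pid, action, path).
FILE_EVENTS = [
    (1528, "created", r"C:\Windows\SysWOW64\omsecor.exe"),
    (1528, "modified", r"C:\Windows\SysWOW64\merocz.xc6"),
]

# Constructed from "Suspicious use of WriteProcessMemory": (writer pid, target pid), one per IoC.
WRITE_PROCESS_MEMORY = [(1688, 1528)] * 3 + [(1528, 2344)] * 3

SYSTEM32 = ntpath.normcase(r"C:\Windows\System32") + "\\"
SYSWOW64 = r"C:\Windows\SysWOW64" + "\\"


def normalize_wow64(path: str) -> str:
    """Map a System32 path to its SysWOW64 equivalent.

    A 32-bit process that names C:\\Windows\\System32\\... is redirected by
    WOW64 to SysWOW64, which is why PID 2344's command line and image differ.
    """
    if ntpath.normcase(path).startswith(SYSTEM32):
        return SYSWOW64 + path[len(SYSTEM32):]
    return path


def ancestry(pid: int) -> list[int]:
    """PIDs from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = PROCESSES[pid][0]
    return chain[::-1]


def dropped_then_executed() -> list[tuple[int, str, int]]:
    """(writer pid, path, child pid) where a process created a file that then ran as its child.

    Uses only the file events listed on the page, so the Roaming copy, which has
    no file event in the report, is not matched.
    """
    created = {(pid, ntpath.normcase(path)) for pid, action, path in FILE_EVENTS if action == "created"}
    hits = []
    for pid, (parent, image, _cmd) in sorted(PROCESSES.items()):
        if parent is not None and (parent, ntpath.normcase(image)) in created:
            hits.append((parent, image, pid))
    return hits


def cmdline_image_mismatches() -> list[tuple[int, str, str]]:
    """Processes whose command-line path still differs from the image after WOW64 normalization.

    An empty list means every difference is explained by redirection; anything
    left over (a renamed or hijacked binary, for instance) deserves a look.
    """
    out = []
    for pid, (_parent, image, cmd) in sorted(PROCESSES.items()):
        if ntpath.normcase(normalize_wow64(cmd.strip('"'))) != ntpath.normcase(image):
            out.append((pid, image, cmd))
    return out


def same_binary_name_locations() -> dict[str, list[str]]:
    """File names run from more than one directory: a staging pattern worth a detection."""
    by_name: dict[str, list[str]] = {}
    for _pid, (_parent, image, _cmd) in sorted(PROCESSES.items()):
        by_name.setdefault(ntpath.basename(image).lower(), []).append(ntpath.dirname(image))
    return {name: dirs for name, dirs in by_name.items() if len(dirs) > 1}


def memory_write_pairs() -> dict[tuple[int, int], int]:
    """WriteProcessMemory IoC count per (writer, target); here each writer targets its own fresh child."""
    return dict(Counter(WRITE_PROCESS_MEMORY))


def render_tree(pid: int = 1688, depth: int = 0) -> list[str]:
    """Indented process tree, tagging children whose image their parent created."""
    _parent, image, _cmd = PROCESSES[pid]
    dropped = {child for _w, _p, child in dropped_then_executed()}
    lines = [f"{'  ' * depth}{pid} {image}{'  [dropped EXE]' if pid in dropped else ''}"]
    for child, (p, _i, _c) in sorted(PROCESSES.items()):
        if p == pid:
            lines.extend(render_tree(child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree()))
    print("dropped then executed:", dropped_then_executed())
    print("unexplained cmdline/image mismatches:", cmdline_image_mismatches())
    print("same name, several directories:", same_binary_name_locations())
    print("WriteProcessMemory pairs:", memory_write_pairs())
```

Run directly it prints the annotated tree and the four findings. The literal tuples stand in for what an EDR or sandbox export would supply; the normalization step matters because a rule that compares command lines to on-disk images without it will fire on every 32-bit process that touches System32.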
Network
MITRE ATT&CK Matrix
Downloads

File 1
Filesize: 92KB
MD5: ddbaeb99c7021758c48b682e11b598af
SHA1: 533ca988026b16b6317e31cd2c5f763ee5d52259
SHA256: d53287ccca304154bca58948dfa803304359531f552ff15c02923e63a12acc74
SHA512: 0a2e0194f6584471c3dca67cb7eb6b90564e375e623dc6d90e450dde43b8a96d747424c4706ddf079401aa66a3809e9f92c43cf72295a12568f07d8ca818a8c4

File 2
Filesize: 92KB
MD5: a34345b5f45a6888424bddc3dd4762fb
SHA1: 0b6ac8ee6a826e41cfc1b249bae76d7670a0b22f
SHA256: ea0142b84cb0fb339196b37be2c51b9c770391eca2e8a754abc33c3ab8037a1f
SHA512: 5ed7f0fd1afb5e60b27b4233ab389bcac3115a28abfd776693d53b83d8c5babdc213db72bd2be3aef7685daed67997ed2a429205c66054634a7bd2ba167d52b0

Both files are 92KB, the same size as the submitted sample, yet neither matches the sample's hashes and they do not match each other. The report does not label which dropped path each belongs to, but if they are the two omsecor.exe copies the process tree shows, hash-based matching of the submitted sample will not find the files it leaves behind; hunt by path and name instead (omsecor.exe under AppData\Roaming and SysWOW64, merocz.xc6 under SysWOW64) and treat the SSDEEP hash above as the better pivot for the sample itself.