Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 20:48
Behavioral task
behavioral1
Sample
3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
Resource
win7-20240419-en
General
Target: 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
Size: 84KB
MD5: 756384dff6e690c32681a2439a718d8c
SHA1: 6c9e4c6381e24572d506991cd3b22e6ca3102c94
SHA256: 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d
SHA512: 5f7c1e01eebe65d1a87430af919175d818fc1f1b87d52fa4814be8ab9c201a719243aa160606aca3d8728e1949164c08d824929501306b345fb3d3389515c843
SSDEEP: 768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 3 IoCs
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid | process
224 | omsecor.exe
552 | omsecor.exe
1732 | omsecor.exe
Drops file in System32 directory 1 IoCs
Processes: omsecor.exe
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe, omsecor.exe, omsecor.exe
description | pid | process | target process
PID 4928 wrote to memory of 224 | 4928 | 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe | omsecor.exe
PID 4928 wrote to memory of 224 | 4928 | 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe | omsecor.exe
PID 4928 wrote to memory of 224 | 4928 | 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe | omsecor.exe
PID 224 wrote to memory of 552 | 224 | omsecor.exe | omsecor.exe
PID 224 wrote to memory of 552 | 224 | omsecor.exe | omsecor.exe
PID 224 wrote to memory of 552 | 224 | omsecor.exe | omsecor.exe
PID 552 wrote to memory of 1732 | 552 | omsecor.exe | omsecor.exe
PID 552 wrote to memory of 1732 | 552 | omsecor.exe | omsecor.exe
PID 552 wrote to memory of 1732 | 552 | omsecor.exe | omsecor.exe
Processes
PID 4928 (depth 1): C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"
  - Suspicious use of WriteProcessMemory
PID 224 (depth 2): C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
PID 552 (depth 3): C:\Windows\SysWOW64\omsecor.exe
  command line: C:\Windows\System32\omsecor.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
PID 1732 (depth 4): C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
Downloads