Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 00:03

Behavioral task: behavioral1
Sample: 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
Resource: win7-20240215-en
General
Target: 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
Size: 35KB
MD5: 7f1787e4427443cfa6fcd609b67b800d
SHA1: dd6c5579695e4c0450cc1c62dbf6bce6155cd6ff
SHA256: 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6
SHA512: 0fb7f9377bce305f79a9d8d4d33f4623f9c2fb0d779f6c4ba935bc0dc485009e2800a27870ecbdaefa8426466b2d385132e71fbe0b18f2a8bb2268905cbb610a
SSDEEP: 768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
UPX dump on OEP (original entry point) 18 IoCs

Executes dropped EXE 3 IoCs
Processes (pid | process):
2728 | omsecor.exe
1728 | omsecor.exe
1580 | omsecor.exe

Loads dropped DLL 6 IoCs
Processes (pid | process):
2488 | 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
2488 | 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
2728 | omsecor.exe
2728 | omsecor.exe
1728 | omsecor.exe
1728 | omsecor.exe

Drops file in System32 directory 1 IoCs
Processes (description | ioc | process):
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
PID 2488 wrote to memory of 2728 | 2488 | 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe | omsecor.exe
PID 2488 wrote to memory of 2728 | 2488 | 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe | omsecor.exe
PID 2488 wrote to memory of 2728 | 2488 | 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe | omsecor.exe
PID 2488 wrote to memory of 2728 | 2488 | 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe | omsecor.exe
PID 2728 wrote to memory of 1728 | 2728 | omsecor.exe | omsecor.exe
PID 2728 wrote to memory of 1728 | 2728 | omsecor.exe | omsecor.exe
PID 2728 wrote to memory of 1728 | 2728 | omsecor.exe | omsecor.exe
PID 2728 wrote to memory of 1728 | 2728 | omsecor.exe | omsecor.exe
PID 1728 wrote to memory of 1580 | 1728 | omsecor.exe | omsecor.exe
PID 1728 wrote to memory of 1580 | 1728 | omsecor.exe | omsecor.exe
PID 1728 wrote to memory of 1580 | 1728 | omsecor.exe | omsecor.exe
PID 1728 wrote to memory of 1580 | 1728 | omsecor.exe | omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe"
  PID: 2488
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2728
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1728
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1580
        - Executes dropped EXE
Downloads

Filesize: 35KB
MD5: 35bf30b23ed496266a5553f8e3544cff
SHA1: 1a02bc60a5f3ecec9bf16a9b73395c7166cad6e2
SHA256: 717073bca80a355538098594d999a59d97d128396785b180bef0ae0fc83c0850
SHA512: 0b96dd8e5be31a10625b54886bbc8d70e13233e3d30133daa80d023c48a1e8e8c4335b586eddda90dfd627e48091fdf81a769d304814fdc2af9f03dc9797c6a4

Filesize: 35KB
MD5: 994deb1e81d799d4d47c915803740300
SHA1: 72dee79fe9a89e98f6ba141c17008c654fa12321
SHA256: c395622a595e063f3696dcd54738364062064264ab16b6eaa1261499f9b54b7f
SHA512: c605f6d76697620371f9c15a4f91c3ef0ee34446ef9339d20600693877b67cce6bc8f297046ff6dae5a93a7e73e0d2303090e9a5a97d8769b6704f79af602b66

Filesize: 35KB
MD5: 511bef9fd51d7dc999d07bb064e80462
SHA1: e5f690f24a6b9271d2d418b8be8e4376bd2f977d
SHA256: 78cddb52f8b4e5f000d31526f6c5ce5fae47a9ba6a5d5cf11f5c4bd917448d5a
SHA512: 4d2e0e5053dd4ef51b1aa48531394b940d8be5c4966e9ff5284a6e459fbaf089866e689e6ffc3d56b7f8f33066ddc04219afee22b2261b9581c43692e04edaa8