Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 00:03
Behavioral task: behavioral1
- Sample: 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
- Resource: win7-20240215-en
General
- Target: 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
- Size: 35KB
- MD5: 7f1787e4427443cfa6fcd609b67b800d
- SHA1: dd6c5579695e4c0450cc1c62dbf6bce6155cd6ff
- SHA256: 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6
- SHA512: 0fb7f9377bce305f79a9d8d4d33f4623f9c2fb0d779f6c4ba935bc0dc485009e2800a27870ecbdaefa8426466b2d385132e71fbe0b18f2a8bb2268905cbb610a
- SSDEEP: 768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- UPX dump on OEP (original entry point), 16 IoCs
  resource / yara_rule:
  behavioral2/memory/4316-0-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  C:\Users\Admin\AppData\Roaming\omsecor.exe  UPX
  behavioral2/memory/3808-7-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/4316-6-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/3808-8-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/3808-11-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/3808-14-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/3808-15-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  C:\Windows\SysWOW64\omsecor.exe  UPX
  behavioral2/memory/3808-21-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/4384-22-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  C:\Users\Admin\AppData\Roaming\omsecor.exe  UPX
  behavioral2/memory/4384-27-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/1724-29-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/1724-30-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
  behavioral2/memory/1724-33-0x0000000000400000-0x000000000042D000-memory.dmp  UPX
- Executes dropped EXE, 3 IoCs
  pid / process:
  3808  omsecor.exe
  4384  omsecor.exe
  1724  omsecor.exe
- Drops file in System32 directory, 1 IoCs
  description / ioc / process:
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory, 9 IoCs
  description / pid / process / target process:
  PID 4316 wrote to memory of 3808  4316  87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe  omsecor.exe
  PID 4316 wrote to memory of 3808  4316  87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe  omsecor.exe
  PID 4316 wrote to memory of 3808  4316  87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe  omsecor.exe
  PID 3808 wrote to memory of 4384  3808  omsecor.exe  omsecor.exe
  PID 3808 wrote to memory of 4384  3808  omsecor.exe  omsecor.exe
  PID 3808 wrote to memory of 4384  3808  omsecor.exe  omsecor.exe
  PID 4384 wrote to memory of 1724  4384  omsecor.exe  omsecor.exe
  PID 4384 wrote to memory of 1724  4384  omsecor.exe  omsecor.exe
  PID 4384 wrote to memory of 1724  4384  omsecor.exe  omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe"
   PID: 4316
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3808
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4384
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1724
            - Executes dropped EXE
Downloads
1. Filesize: 35KB
   MD5: 831d9ca29159832cab9f6dd76d8d9311
   SHA1: b186685faeab497d207a8d1f5184792983567931
   SHA256: 6a6156c9bf9cf6a332433afa88227f177ad59befb66d42e7a555c35f9e3f7f21
   SHA512: ccc92c33d1ab5883ee80bece5c4404fc641461f2d1ad11c69379da1f3051dfcfc6127e166cccc252652e9b3e5cf9cf79943dfa69c7efa088baa6f515839af939
2. Filesize: 35KB
   MD5: 994deb1e81d799d4d47c915803740300
   SHA1: 72dee79fe9a89e98f6ba141c17008c654fa12321
   SHA256: c395622a595e063f3696dcd54738364062064264ab16b6eaa1261499f9b54b7f
   SHA512: c605f6d76697620371f9c15a4f91c3ef0ee34446ef9339d20600693877b67cce6bc8f297046ff6dae5a93a7e73e0d2303090e9a5a97d8769b6704f79af602b66
3. Filesize: 35KB
   MD5: 7802f461b13e4a9a64fe759119a849f9
   SHA1: 053b0ece5e949c4ddd957d760d1ab89976c48374
   SHA256: 435f19707305aa62060fed394359dfcbabd70e8b356b1da79b9f73cf6c72f263
   SHA512: c12b75aae6949f706824fc0ad0304f2fb16e7cfffc4a67d1cc717015f7c2f4839af82151731f5d682aaef3c364467b4b335701cf948032f4ad525a64c46771a1