Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 01:51
Behavioral task: behavioral1
- Sample: b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe
- Resource: win7-20240508-en
General
- Target: b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe
- Size: 76KB
- MD5: a31f5588941539c4e5a2baa4764af7f3
- SHA1: fe836b26ca19e19909547d6e209bfda9d51e403c
- SHA256: b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4
- SHA512: a1ebb762819dcb1fc321ae87a304170b20ef13fc58bd8c951f3f87fd548766e799a27c933b038730d516b10a93aff0f2d112170f4b3e35cfde7dfc95e2dd7362
- SSDEEP: 768:5MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:5bIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted
- neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe (PID 2300), omsecor.exe (PID 3180), omsecor.exe (PID 1432)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 4016 wrote to memory of 2300 | 4016 | b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | omsecor.exe
  PID 4016 wrote to memory of 2300 | 4016 | b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | omsecor.exe
  PID 4016 wrote to memory of 2300 | 4016 | b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | omsecor.exe
  PID 2300 wrote to memory of 3180 | 2300 | omsecor.exe | omsecor.exe
  PID 2300 wrote to memory of 3180 | 2300 | omsecor.exe | omsecor.exe
  PID 2300 wrote to memory of 3180 | 2300 | omsecor.exe | omsecor.exe
  PID 3180 wrote to memory of 1432 | 3180 | omsecor.exe | omsecor.exe
  PID 3180 wrote to memory of 1432 | 3180 | omsecor.exe | omsecor.exe
  PID 3180 wrote to memory of 1432 | 3180 | omsecor.exe | omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe (PID 4016, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2300, level 2)
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 3180, level 3)
      command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1432, level 4)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 76KB
  MD5: 10b4cf97cac1f873a03edfac30dd7a99
  SHA1: 784c4538083b7c02e2e67eb0554382ecfcdc2e8a
  SHA256: a6ff69d31dfa781268ab16b1ccd5594c8426711eab50712ef8af269256ac1db7
  SHA512: d24ad22cd8a9ca43cf971ebd296c7e3f62e467e50a7a957818c1e40adcfb7fbbed34ed52638878143c837c8282c7603d27a09cec74ef97c4a27a0193ca598b04
- Filesize: 76KB
  MD5: 495f99da6f9325c15747e701f6a5acc0
  SHA1: 347efe456007d950712cd40022d5c5f62077b0eb
  SHA256: 9c1864811146f9dc145ab0a67b59d23dd61422b25d1321e14516cd13025a76e0
  SHA512: 7f739ca8a988849a900dc4743426814088cc6287f46484ad3297ff9b4b80e0430caff4c32f8406f8cf2bab8f180a923b0ee51ba1f19bb55983d2d55b0f4f36c2
- Filesize: 76KB
  MD5: 4368eba2d3a8362da347724e2600b29c
  SHA1: c01e7d3a404aa1746808b9c001958ce7cfb51b6d
  SHA256: 293f7694b1b0fe646c0145ea38e40c9a130b8d89037c269507ecf0fc0ab1d49c
  SHA512: 94fbd9f91e2114b2888c0c528444d3f47c65166e51fd595e7df95723862e9b31186d7891a40026b5e6adcc212c37de06bae6be2817c7f1cbb7c76e468c4dc120