Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 02:59

Behavioral task: behavioral1
- Sample: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
- Resource: win7-20231129-en
General
- Target: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
- Size: 92KB
- MD5: a8b1ada55fa84ab373638e59a7cbaaa9
- SHA1: ff5ec3aae893f55553f0ea26c290cf07ec29d7b5
- SHA256: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43
- SHA512: f29ce5b8bb4a7f4354ca4ec4f7d6d6ed66283e4dcfbc850c59235c272b05adca18ee14eed8a51c1a06f82d9ff60bf4139d29c8eb319c14ddcbd500b95c51395d
- SSDEEP: 1536:1d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIOyEZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2208 omsecor.exe
  - 952 omsecor.exe
  - 1988 omsecor.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
  - 2200 cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
  - 2200 cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
  - 2208 omsecor.exe
  - 2208 omsecor.exe
  - 952 omsecor.exe
  - 952 omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 2200 wrote to memory of 2208: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe -> omsecor.exe
  - PID 2200 wrote to memory of 2208: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe -> omsecor.exe
  - PID 2200 wrote to memory of 2208: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe -> omsecor.exe
  - PID 2200 wrote to memory of 2208: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe -> omsecor.exe
  - PID 2208 wrote to memory of 952: omsecor.exe -> omsecor.exe
  - PID 2208 wrote to memory of 952: omsecor.exe -> omsecor.exe
  - PID 2208 wrote to memory of 952: omsecor.exe -> omsecor.exe
  - PID 2208 wrote to memory of 952: omsecor.exe -> omsecor.exe
  - PID 952 wrote to memory of 1988: omsecor.exe -> omsecor.exe
  - PID 952 wrote to memory of 1988: omsecor.exe -> omsecor.exe
  - PID 952 wrote to memory of 1988: omsecor.exe -> omsecor.exe
  - PID 952 wrote to memory of 1988: omsecor.exe -> omsecor.exe
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"
  PID: 2200
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2208
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      command line: C:\Windows\System32\omsecor.exe
      PID: 952
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1988
        - Executes dropped EXE
Downloads
- Filesize: 92KB
  MD5: 30bbb6b75769c5bb0bcf764906690d9b
  SHA1: 4f1f2cc020dddc6d0108812624022e8e53dc65a6
  SHA256: 4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7
  SHA512: f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1
- Filesize: 92KB
  MD5: ebee397ed13d5f0e150b2b7381fc19c5
  SHA1: 267a31e483814c9b8e6ded1ffa83ce7a042e823b
  SHA256: 720ee33903dd414996bf5506b000eaf172240858a468d756019b0279183f73b8
  SHA512: fe8368078a49f9518d37e4851ccc2c1cdf3a7a4082b8fd46bb38d0260b5e2e550b2bf0732ee7383873738d782e7098c3b043b522e3f0666f9d734260822eab98
- Filesize: 92KB
  MD5: 3e43fd008ae33d75c2873ecb885f7602
  SHA1: 32fe077bf9bbbe18a7b8ba31db1acdc8f7ba758e
  SHA256: df00b466e41187945aec62289b655c6f01f1e849624869e74dcde55f25c9f558
  SHA512: fa2858bd5c7ad8a56511db322198946124537996e20de62e1a9314fe4942e6f7c5579a210ed637a8b802abb54bcb16008505e06edfd9cf3071d92e875157c3bd