Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 02:59
Behavioral task: behavioral1
Sample: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
Resource: win7-20231129-en
General
Target: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
Size: 92KB
MD5: a8b1ada55fa84ab373638e59a7cbaaa9
SHA1: ff5ec3aae893f55553f0ea26c290cf07ec29d7b5
SHA256: cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43
SHA512: f29ce5b8bb4a7f4354ca4ec4f7d6d6ed66283e4dcfbc850c59235c272b05adca18ee14eed8a51c1a06f82d9ff60bf4139d29c8eb319c14ddcbd500b95c51395d
SSDEEP: 1536:1d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIOyEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4684  omsecor.exe
  4384  omsecor.exe
  216   omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                          pid   process                                                                   target process
  PID 2660 wrote to memory of 4684     2660  cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe  omsecor.exe
  PID 2660 wrote to memory of 4684     2660  cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe  omsecor.exe
  PID 2660 wrote to memory of 4684     2660  cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe  omsecor.exe
  PID 4684 wrote to memory of 4384     4684  omsecor.exe                                                               omsecor.exe
  PID 4684 wrote to memory of 4384     4684  omsecor.exe                                                               omsecor.exe
  PID 4684 wrote to memory of 4384     4684  omsecor.exe                                                               omsecor.exe
  PID 4384 wrote to memory of 216      4384  omsecor.exe                                                               omsecor.exe
  PID 4384 wrote to memory of 216      4384  omsecor.exe                                                               omsecor.exe
  PID 4384 wrote to memory of 216      4384  omsecor.exe                                                               omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2660

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 4684

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 4384

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 216
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 92KB
MD5: ff0a69a7db828df49bce7dcc139af561
SHA1: fa228fb63e66d1f786ff76ae7b7e502b1bea4e3d
SHA256: f04b2aa2512580bbe0bce86589f4f4f83504c75dfbbfa96a1d3570313c248704
SHA512: 026d412dd9470b2f41ecd195a0b4ee2b9802ecd157b37311fcd6f3842e2b58c8e1e25ade824646b44f83cc5ed3eba862ef653200c879b1445d1349674dbb602a

Filesize: 92KB
MD5: 30bbb6b75769c5bb0bcf764906690d9b
SHA1: 4f1f2cc020dddc6d0108812624022e8e53dc65a6
SHA256: 4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7
SHA512: f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1

Filesize: 92KB
MD5: 683c3665ae04e6c26c007d8238c0c8f4
SHA1: bb8f11f72de28c6eb5c05651f0691553d2c82d86
SHA256: f181c6913d75f4ea36abf33c2d50cbc74f37e6c72112df485184d0a210218e74
SHA512: c8fff0cd0343069fc6dad56921884013604f631bffaff278091cbfcce781f8ff581386aa10eba853a3a94820a94e84e8cd0f35a8c1030695fa2e70c62f2dd8bb