Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 03:12
Behavioral task: behavioral1
- Sample: d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe
- Resource: win7-20240419-en
General
- Target: d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe
- Size: 62KB
- MD5: 2dc22d980de05b688bf73cdfbd82ac35
- SHA1: 795fab98c90da6ed2984cf2fc636d54f2a143ef7
- SHA256: d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0
- SHA512: 64a89d9a22c7f1b55cf1933010dc234048624f196eaedc83f3934653afef105f6fc15dd4dc028f75a3387bf083f17cb6b729b0d05a3f2d6209c6fbbab951e336
- SSDEEP: 768:vMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:vbIvYvZEyFKF6N4yS+AQmZtl/5
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid | process
  2064 | omsecor.exe
  4160 | omsecor.exe
  1040 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe, omsecor.exe, omsecor.exe
  description | pid | process | target process
  PID 1508 wrote to memory of 2064 | 1508 | d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe | omsecor.exe
  PID 1508 wrote to memory of 2064 | 1508 | d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe | omsecor.exe
  PID 1508 wrote to memory of 2064 | 1508 | d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe | omsecor.exe
  PID 2064 wrote to memory of 4160 | 2064 | omsecor.exe | omsecor.exe
  PID 2064 wrote to memory of 4160 | 2064 | omsecor.exe | omsecor.exe
  PID 2064 wrote to memory of 4160 | 2064 | omsecor.exe | omsecor.exe
  PID 4160 wrote to memory of 1040 | 4160 | omsecor.exe | omsecor.exe
  PID 4160 wrote to memory of 1040 | 4160 | omsecor.exe | omsecor.exe
  PID 4160 wrote to memory of 1040 | 4160 | omsecor.exe | omsecor.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"
  PID: 1508
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2064
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 4160
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1040
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 62KB
  MD5: 8f7c324a3012bb93a9a23114827de172
  SHA1: ba6279f58dd60b83b0a639108449e6d1e45c24c6
  SHA256: 9fbdc5a346bb124a5bb0a15eb02b9b6afb3d75b4710f9047d39f4e30319e11a2
  SHA512: aeacfa1a4040f3ef408bdede4648ff9846412fe74f499824262474da6c210e1ef1f34e97c09d44617a6c6d4cae7edbf948d0532d88ced6aec6b4926c5a71fe80
- Filesize: 62KB
  MD5: ad112a7823e24e6b70a6a425bd8545e9
  SHA1: e13ae8a94a2e01f2051bf78d72a627eb513d1032
  SHA256: 650acbbc5a72fe3bbfe1cb96ed6617c34cfe7422c7d16c267a8ac3b67e39530d
  SHA512: 08534dde254180a13072311c2f2e815bb162c2bbe7efc99f55a421ae03d9751f57063114c8d27af41bf3a50f0703c9711dee02323ed6be04f30f28fca353b3e3
- Filesize: 62KB
  MD5: 009f799a9c64f5ff90fd2864752dc265
  SHA1: 1fa49c9862a4d45fe7c7b5f456f7c922b6e773b1
  SHA256: 2cf46169accaf86c71a8d160eefab092962212e55b34d160e8b93b46a0084a09
  SHA512: 56e564d37245a499eb58cf7c9f5e6f02a30b43bd2cb32ee19de21a75424f147a66894507b6e624edcc991042379a2c37ccc2256884d1dd0fb5eae82bd667b362