Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 04:39
Behavioral task: behavioral1
- Sample: f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
- Resource: win7-20240221-en
General
- Target: f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
- Size: 62KB
- MD5: 3f4026511c6890875837a13675b7278a
- SHA1: e84c8733260773cc688b68ad4d0d2812c4904287
- SHA256: f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6
- SHA512: 80690676583813b52e7974ab1ddd64a596b87990dcafbd14fee520d481dee44d27c509929ff26a5d721e2272e38bc22789da3b57be1c556ed3f509e6823dd784
- SSDEEP: 768:eMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:ebIvYvZEyFKF6N4yS+AQmZtl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid  process
  5780 omsecor.exe
  5572 omsecor.exe
  1396 omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description   ioc                                process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe, omsecor.exe, omsecor.exe
  description                        pid   process                                                                  target process
  PID 3500 wrote to memory of 5780   3500  f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe  omsecor.exe  (3 entries)
  PID 5780 wrote to memory of 5572   5780  omsecor.exe                                                              omsecor.exe  (3 entries)
  PID 5572 wrote to memory of 1396   5572  omsecor.exe                                                              omsecor.exe  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"
   PID: 3500
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 5780
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 5572
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1396
            - Executes dropped EXE
Downloads
- Filesize: 62KB
  MD5: 94a28e45affa6f1759751b08caa3a399
  SHA1: d603d25db16de015fb1acecf8177b4a63bf5b7dc
  SHA256: ed415e17c4d9796cdb39a49f1f6619d9a4861487de90fa67e3719020a05589ef
  SHA512: 6584bd1dbe0ceab17e519e4fb5d42f184714ee2a3624df58d09ae8ebae5c1f51be0d2c1efaaaa949312638ac0f81611872f081b8486bc63ae57507eaaea05829
- Filesize: 62KB
  MD5: 32253a47273278b1128b91830b267488
  SHA1: eda4aab36b06bfd22ca9a9235342df67dca71993
  SHA256: 2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249
  SHA512: 8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463
- Filesize: 62KB
  MD5: 21bbf310a8d596850d68345057469800
  SHA1: ce028ab9516f3961df4db0a9d5042381c36d8539
  SHA256: f83b08937d54c18fe89b203f9c4ebee88b23db2214e05d6ce31a472ba37228e4
  SHA512: 705f421f8ba02acefcf99537dea36ffda8c2cd95dea426f081574c303e54fd1b950c3596dbcecd9c1bf2e9f9f16f178a469dd53425c23a5e8645318c0e93c9e2