Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 04:49
Behavioral task: behavioral1
- Sample: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe
- Resource: win7-20240221-en
General
- Target: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe
- Size: 92KB
- MD5: aa765cd288e63767f2320948ff0cbd0e
- SHA1: 4e74675a1ec0b9f240266c0b35c8d291f788d94b
- SHA256: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88
- SHA512: de98ebe490af7623e6d4f4abf4d03b56647751be8d958d6b5f64fdeb6f7496f6318d81e37d4c9b859d3226a1675f4cecbe16a87796ce69f8d7e7cc5ffb47ff2d
- SSDEEP: 768:CMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:CbIYYvoE1FKF6N4yS+AQmZTl/5
Malware Config
Extracted configuration (family: neconyd)
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  PID 856  omsecor.exe
  PID 2904 omsecor.exe
  PID 1608 omsecor.exe
- Loads dropped DLL (6 IoCs)
  PID 2184 fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe (2 events)
  PID 856  omsecor.exe (2 events)
  PID 2904 omsecor.exe (2 events)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe, by process omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2184 (fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe) wrote to memory of PID 856 (omsecor.exe), 4 events
  PID 856 (omsecor.exe) wrote to memory of PID 2904 (omsecor.exe), 4 events
  PID 2904 (omsecor.exe) wrote to memory of PID 1608 (omsecor.exe), 4 events
  Every write targets the child the writing process had just created, so each stage of the chain is a parent-to-child relay. The report records that the writes happened, not what was written, so whether the child's image is replaced in memory (hollowed) cannot be concluded from this page alone.
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe (PID 2184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 856), child of PID 2184
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2904), child of PID 856
         Command line: C:\Windows\System32\omsecor.exe
         (The command line names System32 but the image path is SysWOW64: the process is 32-bit, so on this x64 image its System32 accesses were redirected by WOW64 file-system redirection. The same redirection is why the "Drops file in System32 directory" IoC shows the file under SysWOW64.)
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1608), child of PID 2904
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
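The process tree above shows one binary name re-executed from the user's Roaming AppData folder, then from a Windows system directory, then from Roaming AppData again, with each parent writing into the child it had just created. The following is an added example, not part of this sandbox report or of any vendor's tooling: it rebuilds a process tree from process-creation events, flags that user -> system -> user relay of a single binary name (generalised beyond omsecor.exe to any basename), and matches DNS queries against the C2 hosts in the extracted neconyd config. The event records are a constructed, schema-neutral format; the PIDs and image paths mirror the report, the parent PID 1000 and the DNS rows are invented for the demonstration (the report's Network section records nothing).

```python
"""Added example: process-chain and C2-lookup detection for the omsecor.exe
relay recorded in this report.  Not code from the sandbox or any vendor;
event schema, PID 1000 and the DNS rows are constructed assumptions."""
from pathlib import PureWindowsPath

# Indicators copied from the report above.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

# Path classes used by the chain rule (lower-cased substrings).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
SYSTEM_DIRS = ("\\windows\\syswow64\\", "\\windows\\system32\\")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe")

# Constructed events.  PIDs and image paths follow the report; ppid 1000
# stands in for the launching shell, which the report does not list, and
# the two "dns" rows are invented to exercise the C2 check.
EVENTS = [
    {"type": "process", "pid": 2184, "ppid": 1000, "image": SAMPLE},
    {"type": "process", "pid": 856, "ppid": 2184,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "process", "pid": 2904, "ppid": 856,
     "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "process", "pid": 1608, "ppid": 2904,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "process", "pid": 3100, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "dns", "pid": 1608, "query": "ow5dirasuek.com."},
    {"type": "dns", "pid": 3100, "query": "example.com"},
]


def location(image):
    """Classify an image path as 'user' (user-writable), 'system' or 'other'."""
    low = image.lower()
    if any(d in low for d in USER_WRITABLE):
        return "user"
    if any(d in low for d in SYSTEM_DIRS):
        return "system"
    return "other"


def ancestry(events, pid):
    """Chain of (pid, image) from the oldest known ancestor down to pid.

    Stops at a parent with no process-creation event and guards against
    PID reuse producing a cycle."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append((cur["pid"], cur["image"]))
        cur = by_pid.get(cur["ppid"])
    chain.reverse()
    return chain


def relay_chains(events):
    """Return each distinct user -> system -> user relay of one binary name.

    Any three consecutive ancestors that share a basename and sit in a
    user-writable, then a system, then a user-writable directory are
    reported once, as a list of (pid, image) tuples."""
    hits, seen = [], set()
    for e in events:
        if e["type"] != "process":
            continue
        chain = ancestry(events, e["pid"])
        names = [PureWindowsPath(img).name.lower() for _, img in chain]
        locs = [location(img) for _, img in chain]
        for i in range(len(chain) - 2):
            if (names[i] == names[i + 1] == names[i + 2]
                    and locs[i:i + 3] == ["user", "system", "user"]):
                key = tuple(p for p, _ in chain[i:i + 3])
                if key not in seen:
                    seen.add(key)
                    hits.append(chain[i:i + 3])
    return hits


def c2_lookups(events):
    """(pid, host) for every DNS query that names a configured C2 host."""
    return [(e["pid"], e["query"].lower().rstrip("."))
            for e in events
            if e["type"] == "dns"
            and e["query"].lower().rstrip(".") in C2_HOSTS]


if __name__ == "__main__":
    for chain in relay_chains(EVENTS):
        print("relay chain:", " -> ".join(f"{p} {img}" for p, img in chain))
    for pid, host in c2_lookups(EVENTS):
        print(f"C2 lookup: pid {pid} -> {host}")
```

Run as-is it reports the single chain 856 -> 2904 -> 1608 and the constructed lookup of ow5dirasuek.com from PID 1608; notepad.exe under System32 with no same-named ancestors is left alone. The chain rule keys on the directory class of each hop rather than on the literal name omsecor.exe, so a renamed dropper that keeps the same relay pattern is still caught.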
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 92KB
  MD5: 44d3d34054a04ecd2cba9aa7220cb21e
  SHA1: 8c02b4a7302c883f2e42551e78ca13588c383cd8
  SHA256: a1166d7ece5945db0a559a5f61b4320f17a066a88efcf877362ee2277d4707cd
  SHA512: 45f7671d0cb17c4ef6a983e8bf443d413057d3c47aaa08e5d37043bc0c8ed28d394af8b920f91c409145655a0cdeb1be6df4952fa58b88cfb7b7e65603d6e6c8
- Filesize: 92KB
  MD5: 37ea85be5d5536b9ab0f2321f899e3cd
  SHA1: f5b0b84e8f3c6d7101f8ef8ab02043ed44507838
  SHA256: 0d0bd56b78867e500a01a23a90eaafd92a7f49541027381b57f25b64927b488d
  SHA512: be089d941e00a2fe6ad5f66cacf5927265a5c3d553998a28e68459103c3ac390ddeb718c0417d5d922755fd79436bc7ca1c82b2224c0e9838a22416c9ea2d90c
- Filesize: 92KB
  MD5: f3e765e587c29bb37dca6b6eec21d777
  SHA1: 223474df92609c4d6e58986e4206c34e9453007d
  SHA256: 7a191fecea9827a6c580b9bfa1d48609284e383e69132b7a8db409426cb97308
  SHA512: 8c59eee6ae85bd97a923f9327268dbba798d864110f482938699bd59acddafdfd55ee195015d33f94f8229e01efae02265c70367c67332dfd2f27c33d2c39bd2