Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 04:49
Behavioral task: behavioral1
- Sample: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe
- Resource: win7-20240221-en
General
- Target: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe
- Size: 92KB
- MD5: aa765cd288e63767f2320948ff0cbd0e
- SHA1: 4e74675a1ec0b9f240266c0b35c8d291f788d94b
- SHA256: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88
- SHA512: de98ebe490af7623e6d4f4abf4d03b56647751be8d958d6b5f64fdeb6f7496f6318d81e37d4c9b859d3226a1675f4cecbe16a87796ce69f8d7e7cc5ffb47ff2d
- SSDEEP: 768:CMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:CbIYYvoE1FKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- URLs from the extracted config:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid   process
  5040  omsecor.exe
  3284  omsecor.exe
  900   omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe, omsecor.exe, omsecor.exe
  description                        pid   process                                                                   target process
  PID 2216 wrote to memory of 5040   2216  fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe    omsecor.exe   (recorded 3 times)
  PID 5040 wrote to memory of 3284   5040  omsecor.exe                                                               omsecor.exe   (recorded 3 times)
  PID 3284 wrote to memory of 900    3284  omsecor.exe                                                               omsecor.exe   (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe"
   PID: 2216
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 5040
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3284
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 900
            - Executes dropped EXE

Note on step 3: the command line names C:\Windows\System32\omsecor.exe but the image ran from C:\Windows\SysWOW64\omsecor.exe. That is WoW64 file-system redirection for a 32-bit process (the sample is tagged arch:x86 above), so file and process telemetry will show the SysWOW64 path even though the malware wrote and requested "System32".
Downloads
- Filesize: 92KB
  MD5: 587fbff0aceedaad6b6aa8941b9599ca
  SHA1: 69854975718f295b07bc639079ed807248ed73de
  SHA256: 29fb9aab5cc62a9b4c943e841dc9ddf4910f2e1419466825f0e74b8cc9589cd5
  SHA512: 5935a5f0026cfbef4507bf4e9aee11a290ea63a012e7e8993d9a2a8ed5a14d68e1534abfdf8ae9da95ed58891a82c35d7449d77302639b6360cfe3fab91e4a85
- Filesize: 92KB
  MD5: 44d3d34054a04ecd2cba9aa7220cb21e
  SHA1: 8c02b4a7302c883f2e42551e78ca13588c383cd8
  SHA256: a1166d7ece5945db0a559a5f61b4320f17a066a88efcf877362ee2277d4707cd
  SHA512: 45f7671d0cb17c4ef6a983e8bf443d413057d3c47aaa08e5d37043bc0c8ed28d394af8b920f91c409145655a0cdeb1be6df4952fa58b88cfb7b7e65603d6e6c8
- Filesize: 92KB
  MD5: fe14603f28fe438073656d794e1e6622
  SHA1: 3e8d96174a6dfdd82c73870729a325b30c29bba7
  SHA256: be82b0c1c2a45865e0f9bed918b91431edf4be135e4079ed641e92ff28658fe9
  SHA512: 0b0e6978c01066899c8781c7f02a9d961069a8eddfb04b9213e1b3f1ebdc7ea9fd8b988ae2258e9f824c9af024d336708fd051277c225efa8f52397a9c6e2f9f
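The indicators in this report (the sample and dropped-file SHA256 values, the omsecor.exe drop locations, the omsecor.exe-spawns-omsecor.exe chain from the process tree, and the hosts from the extracted neconyd config) are easy to turn into a hunting check over endpoint telemetry. The Python below is an added example, not part of the sandbox report or of any vendor's tooling. It runs over constructed Sysmon-style records whose field names (event, image, parent_image, sha256, target, query) are an assumption, and the assignment of dropped-file hashes to paths in the sample records is illustrative only, since the report does not say which dropped file carries which hash. One caveat the report itself motivates is built in: step 3 of the tree was launched with the command line C:\Windows\System32\omsecor.exe but ran from C:\Windows\SysWOW64\omsecor.exe (WoW64 redirection for a 32-bit process), so the path check accepts both directories.

```python
"""Hunt for the omsecor.exe / neconyd indicators listed in the report above.

Added example; not sandbox output. Record shapes are assumed, not taken
from any real log format.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the report.
SAMPLE_SHA256 = "fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88"
DROPPED_SHA256 = {
    "29fb9aab5cc62a9b4c943e841dc9ddf4910f2e1419466825f0e74b8cc9589cd5",
    "a1166d7ece5945db0a559a5f61b4320f17a066a88efcf877362ee2277d4707cd",
    "be82b0c1c2a45865e0f9bed918b91431edf4be135e4079ed641e92ff28658fe9",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
CONFIG_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

# omsecor.exe under a user's roaming profile or in the system directory.
# The report shows System32 requested but SysWOW64 actually used (WoW64
# file-system redirection), so both spellings are accepted.
OMSECOR_PATH = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\roaming"
    r"|[a-z]:\\windows\\(?:system32|syswow64))\\omsecor\.exe$",
    re.IGNORECASE,
)


def is_omsecor_path(path: str) -> bool:
    """True for the drop/exec locations the report lists for omsecor.exe."""
    return bool(OMSECOR_PATH.match(path))


def is_config_host(host_or_url: str) -> bool:
    """Match a bare hostname or a full URL against the extracted config hosts."""
    host = host_or_url
    if "://" in host_or_url:
        host = urlparse(host_or_url).hostname or ""
    return host.lower().rstrip(".") in CONFIG_HOSTS


def scan_events(events):
    """Return (index, reason) pairs for every event that matches an indicator.

    Assumed record shape (constructed for this example):
      process_create: image, parent_image, sha256
      file_create:    target
      dns:            query
    """
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "process_create":
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                hits.append((i, "known-hash"))
            if is_omsecor_path(ev.get("image", "")):
                hits.append((i, "omsecor-image"))
                # omsecor.exe spawning omsecor.exe: the handoff at steps
                # 2 -> 3 -> 4 of the process tree in the report.
                if is_omsecor_path(ev.get("parent_image", "")):
                    hits.append((i, "omsecor-chain"))
        elif kind == "file_create":
            if is_omsecor_path(ev.get("target", "")):
                hits.append((i, "omsecor-drop"))
        elif kind == "dns":
            if is_config_host(ev.get("query", "")):
                hits.append((i, "neconyd-config-host"))
    return hits


# Constructed telemetry modelled on the report's process tree; not sandbox
# output. The hash-to-path assignment is illustrative (the page does not
# say which dropped file has which hash).
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\fb499ec5c2e95098bb357a8709af4f1e7286225170151ee37ebdfc09159ced88.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": DROPPER,
     "parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_SHA256},
    {"event": "file_create", "target": ROAMING},
    {"event": "process_create", "image": ROAMING, "parent_image": DROPPER,
     "sha256": "29fb9aab5cc62a9b4c943e841dc9ddf4910f2e1419466825f0e74b8cc9589cd5"},
    {"event": "file_create", "target": SYSWOW64},
    {"event": "process_create", "image": SYSWOW64, "parent_image": ROAMING,
     "sha256": "a1166d7ece5945db0a559a5f61b4320f17a066a88efcf877362ee2277d4707cd"},
    {"event": "dns", "query": "ow5dirasuek.com"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "00" * 32},
    {"event": "dns", "query": "example.com"},
]

if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} -> {SAMPLE_EVENTS[idx]}")
```

On the constructed records the benign notepad.exe and example.com entries produce no hits, while each stage of the omsecor.exe chain is flagged by path, by hash, and (for the SysWOW64 stage) by its omsecor.exe parent. Hash matching alone would miss a recompiled variant; the path and parent-child checks are what survive that, at the cost of needing the WoW64 path normalisation shown.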