Analysis
max time kernel: 120s
max time network: 129s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 22-05-2024 01:44
Behavioral task: behavioral1
Sample: 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
Resource: win7-20240508-en
General
Target: 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
Size: 84KB
MD5: da0360f81a8041c3e97f28eddd175d20
SHA1: 4f131a465f1172e10bb5964aa66e00b1e5f8bac3
SHA256: 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6
SHA512: 932179cbe54cd4fa519ff6ca84856ebbc73abb73aea4365455f4e81a3d1543a451a191de28a28249c9cc3e997c75e8c36ef5cfd01279a8de7de93497db20e4af
SSDEEP: 768:kMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:kbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
  2384  omsecor.exe
  1208  omsecor.exe
  1572  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
  2368  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
  2368  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
  2384  omsecor.exe
  2384  omsecor.exe
  1208  omsecor.exe
  1208  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 2368 wrote to memory of 2384  2368  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe  omsecor.exe
  PID 2368 wrote to memory of 2384  2368  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe  omsecor.exe
  PID 2368 wrote to memory of 2384  2368  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe  omsecor.exe
  PID 2368 wrote to memory of 2384  2368  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe  omsecor.exe
  PID 2384 wrote to memory of 1208  2384  omsecor.exe  omsecor.exe
  PID 2384 wrote to memory of 1208  2384  omsecor.exe  omsecor.exe
  PID 2384 wrote to memory of 1208  2384  omsecor.exe  omsecor.exe
  PID 2384 wrote to memory of 1208  2384  omsecor.exe  omsecor.exe
  PID 1208 wrote to memory of 1572  1208  omsecor.exe  omsecor.exe
  PID 1208 wrote to memory of 1572  1208  omsecor.exe  omsecor.exe
  PID 1208 wrote to memory of 1572  1208  omsecor.exe  omsecor.exe
  PID 1208 wrote to memory of 1572  1208  omsecor.exe  omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize: 84KB
MD5: 5842d1ee87f8e7563bf511f5ba78904e
SHA1: 6fa5edea48945a9382b9f5bcbd001d83deeeda07
SHA256: 86162eabb5938da7126cc6681803195fe4fe6c9dcb684a92f264bc332e488fe2
SHA512: 2baaa512739e0a3f619643229602ca37d68bece450bfb3dc48a1ff35dd468f5338b45364cc0d287f0ec95365faf5f70bc36272fabc9ac2f3b7c9db53b7e50a80

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize: 84KB
MD5: b679eb5f3d0fabdcbcf1b9674e782844
SHA1: a16aa1176acd10506b9c4f7b0d89fcf28c8fe38a
SHA256: df04cbf95589e3a889d75244b0240da1d7d34b5b041ac34fde94a56782c56490
SHA512: a23f85430a8bad24acb755e299853c19f6fe962a29a6502278c53f1e7b3c3af903f48bef1afd77a062f5f925a640d31b21c374a2b015cd1e14ea55239d129438

\Windows\SysWOW64\omsecor.exe
Filesize: 84KB
MD5: a8924cdff4dd73db15e7a2dde74c8c62
SHA1: b1fe2053f273a019a21cf3d227c33f3da57ca26d
SHA256: 3029d67258c01badf367558233871ca57f7523b94dc107bf315dfea959bc4382
SHA512: fd68f17fa44ff3895bf7262b89f2520b1af50b304ed66932b7cf566fd56235c8e6774e1cdb26b58baca386154a547de3624606d0ec9e1e27ce6c59aa890bb799