Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-05-2024 01:44
Behavioral task
behavioral1
Sample
7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
Resource
win7-20240508-en
General
-
Target
7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
-
Size
84KB
-
MD5
da0360f81a8041c3e97f28eddd175d20
-
SHA1
4f131a465f1172e10bb5964aa66e00b1e5f8bac3
-
SHA256
7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6
-
SHA512
932179cbe54cd4fa519ff6ca84856ebbc73abb73aea4365455f4e81a3d1543a451a191de28a28249c9cc3e997c75e8c36ef5cfd01279a8de7de93497db20e4af
-
SSDEEP
768:kMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:kbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
3856  omsecor.exe
4432  omsecor.exe
3660  omsecor.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                         pid   process                                                                   target process
PID 4916 wrote to memory of 3856    4916  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe     omsecor.exe
PID 4916 wrote to memory of 3856    4916  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe     omsecor.exe
PID 4916 wrote to memory of 3856    4916  7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe     omsecor.exe
PID 3856 wrote to memory of 4432    3856  omsecor.exe                                                               omsecor.exe
PID 3856 wrote to memory of 4432    3856  omsecor.exe                                                               omsecor.exe
PID 3856 wrote to memory of 4432    3856  omsecor.exe                                                               omsecor.exe
PID 4432 wrote to memory of 3660    4432  omsecor.exe                                                               omsecor.exe
PID 4432 wrote to memory of 3660    4432  omsecor.exe                                                               omsecor.exe
PID 4432 wrote to memory of 3660    4432  omsecor.exe                                                               omsecor.exe
Note: every write is from a parent into the child it has just spawned (4916 -> 3856 -> 4432 -> 3660); the report records no write into any process outside this chain, so these rows on their own do not show injection into a foreign process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe"
    - Suspicious use of WriteProcessMemory
-
[2] C:\Users\Admin\AppData\Roaming\omsecor.exe (child of [1])
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\omsecor.exe (child of [2])
    command line: C:\Windows\System32\omsecor.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Note: the command line names System32 but the resolved image lives in SysWOW64. The parent is a 32-bit process on x64 Windows, so WOW64 file-system redirection sent both its "File created C:\Windows\SysWOW64\omsecor.exe" write and this launch to SysWOW64. Detections keyed on a literal System32 path will miss this copy.
-
[4] C:\Users\Admin\AppData\Roaming\omsecor.exe (child of [3])
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
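The behaviour chain above (drop to AppData\Roaming, re-launch, drop into the system directory under WOW64 redirection, re-launch again) can be checked mechanically. The following is an added example, not part of the sandbox report or its tooling: it replays constructed Sysmon-style events mirroring the report's PIDs 4916 -> 3856 -> 4432 -> 3660 and flags the same behaviours the Signatures section lists. The event classes, their field names, the PPID of the root process, and the write of omsecor.exe into AppData\Roaming by the original sample (implied by the dropped-file list, not shown as a signature) are assumptions.

```python
# Added example, not part of the sandbox report: replays the dropper chain
# against constructed Sysmon-style events and emits the report's behaviours
# (executes dropped EXE, drops file in a system directory) plus the WOW64
# redirection that explains the SysWOW64/System32 mismatch in the process tree.
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Paths copied from the report above.
TEMP_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe")
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64_EXE = r"C:\Windows\SysWOW64\omsecor.exe"
SYSTEM32_EXE = r"C:\Windows\System32\omsecor.exe"   # path as the dropper names it

@dataclass
class ProcEvent:            # modelled loosely on Sysmon EventID 1 (assumption)
    pid: int
    ppid: int
    image: str              # resolved image path
    cmdline: str            # command line as the parent passed it

@dataclass
class FileEvent:            # modelled loosely on Sysmon EventID 11 (assumption)
    pid: int
    image: str              # writing process
    target: str             # file created

Event = Union[ProcEvent, FileEvent]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def wow64_redirect(path: str) -> str:
    """Apply WOW64 file-system redirection as a 32-bit process experiences it:
    C:\\Windows\\System32\\... resolves to C:\\Windows\\SysWOW64\\...  This is why
    the report shows image SysWOW64\\omsecor.exe under command line
    System32\\omsecor.exe and why the dropped copy landed in SysWOW64."""
    return re.sub(r"(?i)^c:\\windows\\system32\\", r"C:\\Windows\\SysWOW64\\", path)

def cmdline_image(cmdline: str) -> str:
    """First token of a command line with surrounding quotes removed."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]

def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Walk events in order and return (signature, pid) findings."""
    dropped = set()          # lower-cased paths written so far
    findings = []
    for ev in events:
        if isinstance(ev, FileEvent):
            target = ev.target.lower()
            dropped.add(target)
            if target.startswith(SYSTEM_DIRS):
                findings.append(("drops_file_in_system32", ev.pid))
        else:
            if ev.image.lower() in dropped:
                findings.append(("executes_dropped_exe", ev.pid))
            # Command line names one path, the loaded image is its WOW64 twin.
            named = cmdline_image(ev.cmdline)
            if (named.lower() != ev.image.lower()
                    and wow64_redirect(named).lower() == ev.image.lower()):
                findings.append(("wow64_redirected_launch", ev.pid))
    return findings

def process_chain(events: List[Event], leaf_pid: int) -> List[str]:
    """Follow ppid links from leaf_pid to the root; image basenames, root first."""
    by_pid = {ev.pid: ev for ev in events if isinstance(ev, ProcEvent)}
    chain, pid = [], leaf_pid
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]

# Constructed events mirroring the report's PIDs. The root's PPID (1000) and the
# Roaming drop by the original sample are assumptions, not report data.
SAMPLE_EVENTS: List[Event] = [
    ProcEvent(4916, 1000, TEMP_EXE, f'"{TEMP_EXE}"'),
    FileEvent(4916, TEMP_EXE, ROAMING_EXE),
    ProcEvent(3856, 4916, ROAMING_EXE, ROAMING_EXE),
    FileEvent(3856, ROAMING_EXE, SYSWOW64_EXE),          # "Drops file in System32 directory"
    ProcEvent(4432, 3856, SYSWOW64_EXE, SYSTEM32_EXE),   # image and command line differ
    ProcEvent(3660, 4432, ROAMING_EXE, ROAMING_EXE),
]

if __name__ == "__main__":
    for sig, pid in detect(SAMPLE_EVENTS):
        print(f"{sig:26} pid={pid}")
    print(" -> ".join(process_chain(SAMPLE_EVENTS, 3660)))
```

Matching on the normalised SysWOW64 path rather than the literal System32 string is the point: a rule written for "C:\Windows\System32\omsecor.exe" would not fire on this sample, while one that applies `wow64_redirect` first catches both the file create and the launch.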
Network
MITRE ATT&CK Matrix
Downloads
All three dropped files are 84KB, the same size as the submitted sample, but each carries a different hash from the sample and from the others.
-
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize 84KB
MD5    3017f7b96a08b5eca671e2d291c00219
SHA1   3a978c363fc3f3e8f08065246b0a773fabdcc18f
SHA256 e8988402370bd4dac50fccbbd9e3b792bd230df3c00da14b12ddb14d70f2cb57
SHA512 a778915366ae6593b13af547ea73a614cb02f801d3e9ab9a0c49636170a37a074d3cb647e5acf128f26fbe37214717c4bf9a23be22ac9e897adb3bbfbddf2046
-
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize 84KB
MD5    5842d1ee87f8e7563bf511f5ba78904e
SHA1   6fa5edea48945a9382b9f5bcbd001d83deeeda07
SHA256 86162eabb5938da7126cc6681803195fe4fe6c9dcb684a92f264bc332e488fe2
SHA512 2baaa512739e0a3f619643229602ca37d68bece450bfb3dc48a1ff35dd468f5338b45364cc0d287f0ec95365faf5f70bc36272fabc9ac2f3b7c9db53b7e50a80
-
C:\Windows\SysWOW64\omsecor.exe
Filesize 84KB
MD5    45edc16c07b947827aa5e8d585c1df76
SHA1   1c73c563029ce170c630949ad7d5037d153209a5
SHA256 4ea3c8ed8662d3b1e91c0f264b412acfac63bd09bd1b4b15b32781fb15ff4db5
SHA512 88d68d8c19141e5d1d4f7bdc4b286d2f342ee44e0d43ecbf1818f33bf72fc3c21d3ad0b51d189201860443e642d1b43685f1f70b9211237e96dec68af97f3f41