Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 02:29
Behavioral task
behavioral1
Sample
14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
Resource
win7-20240508-en
General
-
Target
14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
-
Size
84KB
-
MD5
0789034351c8c03365bcdb1425bcb720
-
SHA1
105cd5e2e0aa963a9fb040fb00a2221e7a96d5b7
-
SHA256
14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776
-
SHA512
b6933c88f395728f22d7d0941520b65c90a332d2e61340d6275b0bd02cd8e7b619e23f321e1e3f75123c1fb2c904bd81f526697e6a6a6cc0d66a9ba6b4d49fc5
-
SSDEEP
1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
omsecor.exeomsecor.exeomsecor.exepid process 4276 omsecor.exe 3216 omsecor.exe 4160 omsecor.exe -
Drops file in System32 directory 1 IoCs
Processes:
omsecor.exedescription ioc process File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exeomsecor.exeomsecor.exedescription pid process target process PID 2432 wrote to memory of 4276 2432 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe omsecor.exe PID 2432 wrote to memory of 4276 2432 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe omsecor.exe PID 2432 wrote to memory of 4276 2432 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe omsecor.exe PID 4276 wrote to memory of 3216 4276 omsecor.exe omsecor.exe PID 4276 wrote to memory of 3216 4276 omsecor.exe omsecor.exe PID 4276 wrote to memory of 3216 4276 omsecor.exe omsecor.exe PID 3216 wrote to memory of 4160 3216 omsecor.exe omsecor.exe PID 3216 wrote to memory of 4160 3216 omsecor.exe omsecor.exe PID 3216 wrote to memory of 4160 3216 omsecor.exe omsecor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\omsecor.exeFilesize
84KB
MD5eba5ad7b9322cf4da53c1526b95ebd61
SHA1bba5614f73380729ebf4cc4e654f1039668f05f4
SHA2562ba9b5ec56574fc2454fca9906c25b3df93c38ea4f2a53e4f30eb74a74bf5747
SHA51260b3fee2fb3b3f95fb29f5812e80a8c54d8898c2071f8a30c818bbbe5cfffff27e49dea90386475d9801a785d9c9848068dc8100d136e4a3f3ee1113b312c394
-
C:\Users\Admin\AppData\Roaming\omsecor.exeFilesize
84KB
MD5e9d56f4dc84dbcd469d308b2e492f84e
SHA1a1e2c71b608544264fa322898efbd3972c3e21d6
SHA25698a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab
SHA512999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9
-
C:\Windows\SysWOW64\omsecor.exeFilesize
84KB
MD545ca35139769a8664885c4862bdf1328
SHA17043f4c223f4332a7d1eb90934e2d79f9a290e47
SHA256acc329c293773d5cdb6435cdb17046535999e6bfade6de30fcb6069242619507
SHA512f1bc79f4dc274c28af28239d5650f66707454fa54332bd5107a14b79cd5385119ac42bb7d1f2a69112f3f1de3e2cc89911acc7cc4255f366ebe4f281c718cfec