Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 00:27

Behavioral task: behavioral1
- Sample: 922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe
- Resource: win7-20240508-en
General
- Target: 922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe
- Size: 84KB
- MD5: 61521499ecba2607936d37e76f9292a7
- SHA1: 554a1c49e58b6b670c3e723a7c91e76fa9d29b76
- SHA256: 922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b
- SHA512: fa049dd8c2afc4401a93348fc599cd76aa049d11f1cbc4eddf0c4c3b666338bac14b52e57968c55b6e01049fdaba585ad142110a0671b852abff99899ec807bd
- SSDEEP: 1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:ndseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid   process
  3292  omsecor.exe
  2836  omsecor.exe
  1264  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe, omsecor.exe, omsecor.exe
  description                        pid   process                                                                   target process
  PID 4904 wrote to memory of 3292   4904  922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe  omsecor.exe
  PID 4904 wrote to memory of 3292   4904  922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe  omsecor.exe
  PID 4904 wrote to memory of 3292   4904  922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe  omsecor.exe
  PID 3292 wrote to memory of 2836   3292  omsecor.exe                                                               omsecor.exe
  PID 3292 wrote to memory of 2836   3292  omsecor.exe                                                               omsecor.exe
  PID 3292 wrote to memory of 2836   3292  omsecor.exe                                                               omsecor.exe
  PID 2836 wrote to memory of 1264   2836  omsecor.exe                                                               omsecor.exe
  PID 2836 wrote to memory of 1264   2836  omsecor.exe                                                               omsecor.exe
  PID 2836 wrote to memory of 1264   2836  omsecor.exe                                                               omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\922b27fa2d195c9dfd1cc74db822718f0666eb062819a55761549f12ca49330b.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 84KB
  MD5: 51667e1072743ccb30f844faa2bbb8a9
  SHA1: 51ba6042cd883f8ee3308f7406ae360841868a03
  SHA256: 2810c01bb6672b3c92ce6ffb27bb2eba2e68efc8cb493cef182a40058aa67dd0
  SHA512: 64c09df87d2a47e7da52504267c7c6f34c272c68130c167c1fd62d09933e6ac926caa4e1a5f4f1583dc35181a72869ad4de5593932804106b8c5b13318230d59
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 84KB
  MD5: 0be4f9ce60bd2c5f8871fb3dfc64131f
  SHA1: ec093bb07d53b8efe5c6f5329c82aeec0600533d
  SHA256: ede0341641abbbc6217190d86edb998d3491069493b21dfd267862d2ccfd3dda
  SHA512: 7ca146cac9789d13a1bbc6738e5433fece0d2d6ebd06313912d783b1f2c4befbd05941da1eadfa4634d990340d6a438c69d3cc25706d2dd0ff197f10af9e0f90
- C:\Windows\SysWOW64\omsecor.exe
  Filesize: 84KB
  MD5: 0b3183600ce292da928bde113f3d1c67
  SHA1: d77090f287516a5c781e9ddc5231e4be4e01a36c
  SHA256: bb3ec3594b24ca773614af2b9cd01c9d6195c9060ca54f1ef5a121ad06ef4fcd
  SHA512: 478f4b0d422413fff4afc0ba916d26b21c33d1e69ebfe9318e1f65e06092188996d3fdee17995811891894ef78316aabfefb8487b9008d383fca2a4991ba5f67