Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 03:29
Behavioral task: behavioral1
Sample: d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
Resource: win7-20240508-en
General
Target: d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
Size: 88KB
MD5: adcc5dc5ae7e2541d20601420fad5e27
SHA1: 09685bdc2b8959b5a81c12bfe550197dcf7e7984
SHA256: d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8
SHA512: d1299b5f9b134382e056f8c56f6c4739114c17cd80680265c9f2c852e633b530ced44d7ca2c9604ce25bdbd0ee6cef79cc3f1b6fc72d71b7a0f4466e9b23f63c
SSDEEP: 1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:6dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
Family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
  2240  omsecor.exe
  1904  omsecor.exe
  1600  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
  956   d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
  956   d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
  2240  omsecor.exe
  2240  omsecor.exe
  1904  omsecor.exe
  1904  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 956 wrote to memory of 2240   956   d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
  PID 956 wrote to memory of 2240   956   d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
  PID 956 wrote to memory of 2240   956   d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
  PID 956 wrote to memory of 2240   956   d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
  PID 2240 wrote to memory of 1904  2240  omsecor.exe  omsecor.exe
  PID 2240 wrote to memory of 1904  2240  omsecor.exe  omsecor.exe
  PID 2240 wrote to memory of 1904  2240  omsecor.exe  omsecor.exe
  PID 2240 wrote to memory of 1904  2240  omsecor.exe  omsecor.exe
  PID 1904 wrote to memory of 1600  1904  omsecor.exe  omsecor.exe
  PID 1904 wrote to memory of 1600  1904  omsecor.exe  omsecor.exe
  PID 1904 wrote to memory of 1600  1904  omsecor.exe  omsecor.exe
  PID 1904 wrote to memory of 1600  1904  omsecor.exe  omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize: 88KB
MD5: 0e89d29b955135582fe032ae0482c5c5
SHA1: 8dae715664484a7fca2c247c347a13504afb24a0
SHA256: 7551c09c571b5c26b241ce28e76aa7e09e22828b8f20fd7a2e7dd15c1e45f6fa
SHA512: b2ed104cf5552358b827b98ad36248e0dd297b6ec9b46a0dbee18fd5eb52a5aeeff96f2c05ad5e0fb07714dcf7c457b37d85df756afcaa65aca7e56781b2595a

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize: 88KB
MD5: cc384f0d5b415a2b786930865e987f8e
SHA1: 0b88f89be38ccdd67f65a720e4729e02eb0c940a
SHA256: 72b195dd69485eec3e7f4cca7e571fb7c791b7d98509bd3dcadbffa18f61f858
SHA512: 4deaaa235e9bd35c2a3a249115f365f7b93eddd075a6b91465b3d9355a3e6fcd0f88d5876319eca8d39043b3376e01e39f81cabb55a86ed6285f07a231442544

\Windows\SysWOW64\omsecor.exe
Filesize: 88KB
MD5: 9741a85dba7dd5e69d384baf407c7205
SHA1: 4bb619b872c203374bf0bd78a0f7feca53798aae
SHA256: e9c738dd4bbf8a9ff2b91591c76e8f07933820d9e432e9d49741b79c46f4d19e
SHA512: f9d4e14b273b495bc5e6c5146c83824c9cd35d9e92a963e558d8a6a4626c08b61f10e2d07e07661dc4b2736e820d0a17695353881dcb97892f6d8a7b1c595048