Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 03:29
Behavioral task: behavioral1
Sample: d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
Resource: win7-20240508-en
General

Target: d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
Size: 88KB
MD5: adcc5dc5ae7e2541d20601420fad5e27
SHA1: 09685bdc2b8959b5a81c12bfe550197dcf7e7984
SHA256: d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8
SHA512: d1299b5f9b134382e056f8c56f6c4739114c17cd80680265c9f2c852e633b530ced44d7ca2c9604ce25bdbd0ee6cef79cc3f1b6fc72d71b7a0f4466e9b23f63c
SSDEEP: 1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:6dseIOMEZEyFjEOFqTiQm5l/5
Malware Config

Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)

    pid   process
    2428  omsecor.exe
    5860  omsecor.exe

Drops file in System32 directory (2 IoCs)

    description                   ioc                              process
    File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe
    File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)

    description                       pid   process                                                                target process
    PID 1920 wrote to memory of 2428  1920  d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
    PID 1920 wrote to memory of 2428  1920  d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
    PID 1920 wrote to memory of 2428  1920  d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe  omsecor.exe
    PID 2428 wrote to memory of 5860  2428  omsecor.exe                                                            omsecor.exe
    PID 2428 wrote to memory of 5860  2428  omsecor.exe                                                            omsecor.exe
    PID 2428 wrote to memory of 5860  2428  omsecor.exe                                                            omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d38337c22ba50c9f064ccb348439a030b78ea3348691d47db33e74f4338e04b8.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 88KB
    MD5: 0e89d29b955135582fe032ae0482c5c5
    SHA1: 8dae715664484a7fca2c247c347a13504afb24a0
    SHA256: 7551c09c571b5c26b241ce28e76aa7e09e22828b8f20fd7a2e7dd15c1e45f6fa
    SHA512: b2ed104cf5552358b827b98ad36248e0dd297b6ec9b46a0dbee18fd5eb52a5aeeff96f2c05ad5e0fb07714dcf7c457b37d85df756afcaa65aca7e56781b2595a

C:\Windows\SysWOW64\omsecor.exe
    Filesize: 88KB
    MD5: b435f9177d11d2dcecf375a292608172
    SHA1: 79cb07154195a8a8540b565b9af5cc8f5b0e07bd
    SHA256: 4c40c695442cbae019e6d37ed85a02c1802775f9eebcc8f62d4126c851db91db
    SHA512: 712da6fdb7ab0e8e67d86b6e3dd169de0c5461b42d8933f7ee047b11e25eecedf9c2f1c5fca6082af6470a47d6daee6b6d36d769e670d7b59e572ab89ddb0587