Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 20:55
Behavioral task: behavioral1
Sample: 418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe
Resource: win7-20240221-en
General
Target: 418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe
Size: 92KB
MD5: 5e5380433f16b8e9b89127ac05aa8aae
SHA1: 0e689e3af81c8fe9885727061537e95de9b07d89
SHA256: 418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b
SHA512: 8465645e61737df0ad74f9d81612b3c3e22a634d5cd6d54a777c03cd13819d840c13b7defd9df94a47667b0a37bdd419c5e55ffddcf48285a7ff48e2d78173ae
SSDEEP: 768:mMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:mbIYYvoE1FKF6N4yS+AQmZTl/5
Malware Config
Extracted config (family: neconyd)
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
pid  | Process
3092 | omsecor.exe
3912 | omsecor.exe

Drops file in System32 directory (2 IoCs)
description                  | ioc                             | Process
File created                 | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
File opened for modification | C:\Windows\SysWOW64\merocz.xc6  | omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       | pid  | Process                                                              | procid_target
PID 5064 wrote to memory of 3092  | 5064 | 418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe | 82
PID 5064 wrote to memory of 3092  | 5064 | 418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe | 82
PID 5064 wrote to memory of 3092  | 5064 | 418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe | 82
PID 3092 wrote to memory of 3912  | 3092 | omsecor.exe                                                          | 91
PID 3092 wrote to memory of 3912  | 3092 | omsecor.exe                                                          | 91
PID 3092 wrote to memory of 3912  | 3092 | omsecor.exe                                                          | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe"
   PID: 5064
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3092
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 3912
         - Executes dropped EXE
         - Drops file in System32 directory

Note on stage 3: the command line names C:\Windows\System32\omsecor.exe but the image that actually ran is C:\Windows\SysWOW64\omsecor.exe. That is the WOW64 file-system redirection a 32-bit process gets on 64-bit Windows (the report tags the run arch:x86 and arch:x64), so a detection that keys only on the command-line path would miss the file the "Drops file in System32 directory" signature recorded.
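The process tree, the file IoCs in the Signatures section and the URLs in the Malware Config section together describe one chain: the sample in %Temp% writes omsecor.exe to %AppData%\Roaming and runs it, that copy writes omsecor.exe and merocz.xc6 into SysWOW64, and the SysWOW64 copy is launched through a System32 path. The block below is an added example and not part of this sandbox report: it runs detection logic for each of those steps over constructed Sysmon-style events modelled on the report's process tree, IoCs and extracted URLs. The event format, the treatment of the extracted URLs as C2 hosts, the parent pid 4000 and the msftconnecttest.com query are assumptions made for the example.

```python
"""Detection logic for the behaviour chain this report records, run over
constructed Sysmon-style events (not telemetry from the sandbox run)."""
import re
from urllib.parse import urlsplit

# URLs taken from the report's "Malware Config" section; treated as C2 hosts here (assumption).
C2_URLS = [
    "http://ow5dirasuek.com/",
    "http://mkkuei4kdsz.com/",
    "http://lousta.net/",
]
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}

SAMPLE = "418da407d8be85a3aaca898735dacb052f309e13076bc52dcc6be2c17d31251b.exe"

# Constructed events modelled on the report's process tree and IoCs. Field names
# loosely follow Sysmon; ppid 4000 and the msftconnecttest query are made up so the
# rules have something to ignore. merocz.xc6 is "opened for modification" in the
# report and is modelled as a file_create for simplicity.
EVENTS = [
    {"type": "process_create", "pid": 5064, "ppid": 4000,
     "image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
     "cmdline": rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'},
    {"type": "file_create", "pid": 5064, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "process_create", "pid": 3092, "ppid": 5064,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "file_create", "pid": 3092, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "file_create", "pid": 3092, "target": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"type": "process_create", "pid": 3912, "ppid": 3092,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"type": "dns_query", "pid": 3912, "query": "ow5dirasuek.com"},
    {"type": "dns_query", "pid": 3912, "query": "www.msftconnecttest.com"},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)


def norm(path):
    """Case-fold and strip quotes so image paths and command-line paths compare."""
    return path.strip('"').lower()


def exe_from_cmdline(cmdline):
    """First token of a command line; honours a leading quoted path only."""
    if cmdline.startswith('"'):
        return cmdline.split('"')[1]
    return cmdline.split(" ")[0]


def analyze(events):
    """Return (findings, parent, image): findings are (rule, pid, detail) tuples."""
    findings, parent, image, dropped = [], {}, {}, {}
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            dropped[norm(ev["target"])] = ev["pid"]          # remember who wrote what
            writer = image.get(ev["pid"], "")
            # A binary running from a user-writable location writing into a system dir.
            if SYSTEM_DIRS.match(ev["target"]) and USER_WRITABLE.match(writer):
                findings.append(("drops_file_in_system_dir", ev["pid"], ev["target"]))
        elif kind == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = ev["image"]
            img = norm(ev["image"])
            if img in dropped:                                 # "Executes dropped EXE"
                findings.append(("executes_dropped_exe", ev["pid"], f"written by pid {dropped[img]}"))
            cmd = norm(exe_from_cmdline(ev["cmdline"]))
            # 32-bit process on x64 Windows: System32 in the command line resolves to SysWOW64.
            if "\\system32\\" in cmd and cmd.replace("\\system32\\", "\\syswow64\\") == img:
                findings.append(("wow64_redirected_launch", ev["pid"], ev["cmdline"]))
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in C2_HOSTS:
                findings.append(("c2_dns_query", ev["pid"], ev["query"]))
    return findings, parent, image


def lineage(pid, parent, image):
    """Image paths from pid up to the first ancestor we have no process_create for."""
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent[pid]
    return chain


if __name__ == "__main__":
    found, parents, images = analyze(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:28} pid={pid:<5} {detail}")
    print("lineage of 3912:", " <- ".join(reversed(lineage(3912, parents, images))))
```

Run against the constructed events this yields six findings, matching the report's signature counts for the dropped-EXE and System32 rules plus the WOW64 path mismatch and the DNS query for one of the extracted hosts; the lineage walk reproduces the three-stage tree ending at the Temp-resident sample.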
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 92KB
MD5: 9050f410b5a5eed90150d3f2fd1c5f0c
SHA1: c38c85bcd37ba4d82515e2c769811adacb023d4a
SHA256: 3c667a124308e6618d6a270641fec5d6b5bc0c8f9d1961bc371e14e64f684645
SHA512: 0f4404967e6291f403dd014210ad51bfa71ab5c841c262e0c5b34e7a0c400c2bf45f7f83d6dcaaf661015d0c45f5800be9f178d28d1f4945dd0f22803b4b4eec

Filesize: 92KB
MD5: 4e4aea572333a3b6a8c56572d8873a55
SHA1: abd1b472b239e17edf4b0207209c19f218dd787e
SHA256: 898ec23c04c2a889ce16c5374f1e6618828527bb2e9aa8ce820bbe407956ed9e
SHA512: c7132211026ec5daa48dcc4da9fd3f5b329c9e1a363ba542eea2d8bead80ab7be59005deed03f9e813f5100aaaca4f65fbb31b6f213848d54be82d7932a99b4e