Analysis Overview
SHA256
5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353
Threat Level: Known bad
The file 5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353 was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Neconyd
Detects executables built or packed with MPress PE compressor
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 12:45
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 12:45
Reported
2024-06-10 12:48
Platform
win7-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Neconyd
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2408 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe | C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe |
| PID 2596 set thread context of 2068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 800 set thread context of 1924 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2116 set thread context of 1436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe
"C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe"
C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe
C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2408-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2212-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2408-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2212-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2212-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2212-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6def649ffb3c94d0ebe82c16c6c8921d |
| SHA1 | ddb963a86e3a15c59d5f44c0c6b1c151d45dc39e |
| SHA256 | bc842622aab9e800ba80e76bbb71979a1395d481e0f0d32ba194f478180513d7 |
| SHA512 | 8baafe8f7148638d2ece1e87b972f0ae2626fcc8ec0c93e16f5c9509cb2c258e86d5f566795abe382860877936a5cb8362ca7a5e8e247bc3347c12a374ca9d82 |
memory/2212-14-0x00000000005C0000-0x00000000005E3000-memory.dmp
memory/2212-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2596-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2596-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2068-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2068-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2068-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2068-43-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 7f4c837c327202eeba4d4516726d0806 |
| SHA1 | a13927ac0874deab3035cd5e2e746bcfa6730c1f |
| SHA256 | 9517faff5992ba2e006bf7a79d79e08b3cd7ef4750f41d2455cb9ccf0603336c |
| SHA512 | a4d4b328e221a4c3b14c8291e84e45632f9a38190b97619428d9888baeffe4282be22c4ec22d96157f905be37cc918167251e850c9d925d66a1c6d1e3633b066 |
memory/2068-47-0x0000000002410000-0x0000000002433000-memory.dmp
memory/2068-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/800-57-0x0000000000400000-0x0000000000423000-memory.dmp
memory/800-65-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e02205c834e2b6f3ee45d3698c2cb660 |
| SHA1 | 4f51be09c1ab18aad1c240b0c7889086ca569507 |
| SHA256 | 7449e92c08e18415a96aef29782b25e649a7907493c7c4f8f261ae6ed23a7bca |
| SHA512 | 715ff7bd94c4a10222115bed6f1222d2b83f2b1517ddc470be6665a0963ceea036f88db49be79ea0895d75d3c33295e9f1ee5b3125dfab00634209866797d347 |
memory/1924-72-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2116-80-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2116-87-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1436-90-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1436-92-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1436-94-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 12:45
Reported
2024-06-10 12:48
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
140s
Command Line
Signatures
Neconyd
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5112 set thread context of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe | C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe |
| PID 4592 set thread context of 4424 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2248 set thread context of 2384 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2856 set thread context of 4124 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe
"C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe"
C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe
C:\Users\Admin\AppData\Local\Temp\5f8b5850e4aa0aebb27a8bb913bf026f4b5fb0e4b1ed4e3ee7ea9366df3aa353.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 300
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2248 -ip 2248
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 256
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/5112-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/212-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/212-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/212-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/212-1-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6def649ffb3c94d0ebe82c16c6c8921d |
| SHA1 | ddb963a86e3a15c59d5f44c0c6b1c151d45dc39e |
| SHA256 | bc842622aab9e800ba80e76bbb71979a1395d481e0f0d32ba194f478180513d7 |
| SHA512 | 8baafe8f7148638d2ece1e87b972f0ae2626fcc8ec0c93e16f5c9509cb2c258e86d5f566795abe382860877936a5cb8362ca7a5e8e247bc3347c12a374ca9d82 |
memory/4592-11-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4424-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4424-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5112-16-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4424-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4424-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4424-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4424-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4424-26-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | abd0aeba60b2c6d7716c3bdaa6fea23d |
| SHA1 | f89f6ca1e914f77af9365215c381ed105d6cd887 |
| SHA256 | 945c04f9fbd091ff4d504d8e74ff293903c01a3c2e5926d282547bdc005d2de2 |
| SHA512 | 0c4e8ffa8341d9dffaac4152f4286e338c1b336d5c9464e1f1cfb5e43d5f7e1ae7551ec8fe97d1e2886e6b4c184b3472e461968158485c9a0ea4378d4b4fef3b |
memory/2248-30-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2384-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2384-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2384-36-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f9ecda346ab4a466dba799038de5555c |
| SHA1 | 6f55ea914b360e9ee52ac506dc5ddf04487a11d9 |
| SHA256 | 593739ccc813f7d5c665643ed6dea478a37e1b5ee283d157d9edd3b0df6a893d |
| SHA512 | d15b15d10fc9b0a0a1ab4a9e3577c3c124de7a119c050ccaf4c393043d23929e836ab8fc16c632008bea893f735060573883a69813e81d7842e955d65d97f8ff |
memory/2856-41-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4124-46-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4124-45-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2248-48-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4124-50-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4124-52-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4124-54-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4124-56-0x0000000000400000-0x0000000000429000-memory.dmp