Analysis Overview
SHA256
69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f
Threat Level: Known bad
The file 69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Neconyd
Detects executables built or packed with MPress PE compressor
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-16 22:14
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 22:14
Reported
2024-06-16 22:16
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2136 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe | C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe |
| PID 2332 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1268 set thread context of 2892 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2992 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe
"C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe"
C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe
C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2136-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2472-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2472-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2472-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2472-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2472-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2136-7-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7ce1fbded925b97dcc2dcd13e8c9213e |
| SHA1 | dc6d70140e985d7d5fc7a45b5f8524eb508ad187 |
| SHA256 | 0fd930f8e9962e4a335b5d24d2ab770d66c2b213323db57a3236df646ee49e30 |
| SHA512 | f33f4eaa4960c22742ef18856a007394942bd3c26e9d84161781885e868f9f403a8f293447bff901a6b09ec38834c907d027f25c5ebeea14c63e9047843f1c50 |
memory/2332-21-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2332-31-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2584-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2584-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2584-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2584-43-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | c0b3fbac75f9546e88e68e6eb1152ecc |
| SHA1 | 92f06972f463b26259efbb6e262095bf95bd11a2 |
| SHA256 | 5fbb52818371f0a332e78a1f2b2cda60f7ef52b7dda8ef8b923714cf0849fe7b |
| SHA512 | ddf4dace77d4c0e14152af65195f76867177a3dc8e50dca5e3cab37ea4c4908c451bb20fd07134060d759f07997bb803f8ea1c292d6741068b879a2d8f7ad147 |
memory/2584-46-0x00000000002D0000-0x00000000002F3000-memory.dmp
memory/2584-54-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1268-56-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1268-64-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 49f3db7a269356f83390f9fecc98564c |
| SHA1 | 714065689d694dbfc4014df0a46fed7a740278ee |
| SHA256 | 3055f5b962a924abd3517adb737200b93cf4eaf72551cee4092786719cad19dd |
| SHA512 | 446b248906a4165a8c84ed1bfee9e5f28be3bc108334f821031e7dfc12ff7bc2e07d2040f0f6a6da36da8605a0b5bf2bf97a98a046cbbf3d5238282183553790 |
memory/2892-70-0x0000000000260000-0x0000000000283000-memory.dmp
memory/2992-79-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2992-86-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2940-89-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2940-92-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 22:14
Reported
2024-06-16 22:16
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Neconyd
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4412 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe | C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe |
| PID 1220 set thread context of 4784 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4264 set thread context of 4988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4840 set thread context of 2520 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe
"C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe"
C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe
C:\Users\Admin\AppData\Local\Temp\69c50512add578cf1523cc690877c35e61dafe105472320d5c619d594930371f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4412 -ip 4412
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1220 -ip 1220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4264 -ip 4264
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4840 -ip 4840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 256
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 142.250.186.170:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 170.186.250.142.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/4412-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1968-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-3-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7ce1fbded925b97dcc2dcd13e8c9213e |
| SHA1 | dc6d70140e985d7d5fc7a45b5f8524eb508ad187 |
| SHA256 | 0fd930f8e9962e4a335b5d24d2ab770d66c2b213323db57a3236df646ee49e30 |
| SHA512 | f33f4eaa4960c22742ef18856a007394942bd3c26e9d84161781885e868f9f403a8f293447bff901a6b09ec38834c907d027f25c5ebeea14c63e9047843f1c50 |
memory/1220-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1968-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4784-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4784-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1220-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4412-18-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4784-19-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4784-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4784-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4784-26-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4784-30-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 1b3efcbdbaae6b02b7ab6d9a8ae983ce |
| SHA1 | 1810158a39172073ce8debe15aa37bc7ab1094e7 |
| SHA256 | d9b46c01d8759be2a8722fc7ec4930fd8176ad415b5dcbb1a5458d61b187dde3 |
| SHA512 | 797364ca0703eaade7a9272b18acf24c2e6444383c93c5d3b2378ce545021dc7c8a8da5ac32a87951c6eda5ec0678d28e469052f3bd08a6f203358e1c0de13aa |
memory/4264-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4988-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4988-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4988-39-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c5bb1bb28a40f2b94802a6993311c553 |
| SHA1 | e536203d62a4bf91c0ae53417dee0f836890b803 |
| SHA256 | 4de8d0a4f561039a86aace8b079e59110583f97fd3744f0c098a456cea8c793b |
| SHA512 | 9227cbb3d7ec49c77c86db34aecc6747e04ab4cb1ad4308dd6703956947212024f97ccf53ab3717ef6b4a7759f8aff2f5a7b80fb4a763a482d97acf6648de8af |
memory/4840-43-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2520-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2520-49-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4840-51-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4264-52-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2520-53-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2520-55-0x0000000000400000-0x0000000000429000-memory.dmp