Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 21:59
Behavioral task: behavioral1
Sample: 4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
Resource: win7-20240508-en
General
Target: 4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
Size: 92KB
MD5: 48039238819621273dd529161aeb486b
SHA1: dd984aa2b189d1fefc1da2a70bce8ff9d7ad6b63
SHA256: 4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418
SHA512: 54c28a20fb544796a4cd779bb8b1ae79aed6e1f52d1cfb23520e067f9f407b8e6d2a35b1cce9ba2bedbf094e350c790b3bf405d940ce176b393b4fe5fa4f0de2
SSDEEP: 768:iMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:ibIvYvoEyFKF6N4ySAAQmZTl/5
Malware Config
Extracted family: neconyd
C2 URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
Executes dropped EXE (2 IoCs)
  PID 2876  omsecor.exe
  PID 804   omsecor.exe
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\omsecor.exe  (process: omsecor.exe)
  File opened for modification: C:\Windows\SysWOW64\merocz.xc6  (process: omsecor.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3964 (4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe) wrote to memory of PID 2876 (omsecor.exe), 3 times
  PID 2876 (omsecor.exe) wrote to memory of PID 804 (omsecor.exe), 3 times
  All six writes are from a parent into the child it has just spawned, inside the drop chain 3964 -> 2876 -> 804. That pattern fits ordinary process start-up as well as a parent preparing a freshly created child, so weigh this signature together with the dropped-EXE and System32-write signatures rather than on its own.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe  (PID 3964)
   command line: "C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2876)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe  (PID 804)
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
PIDs are taken from the WriteProcessMemory signature above. Note the third process: the command line names System32, but the image actually runs from SysWOW64. The sample is a 32-bit executable (the resource tags list arch:x86 on an x64 image), so its System32 path is rewritten by WoW64 file system redirection; hunt for the SysWOW64 path, not the System32 one it asked for.
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 92KB
  MD5: a2864cedce63bbee3b3e9e92db69953d
  SHA1: 74b64a87b2d73fa162009fc4554b612dcce8dedb
  SHA256: 77e72fb7e9b511e876ace38a895819cde78433bfe62423fcc6ad7c978eaa2397
  SHA512: 4a519bf03f4a6c2a10b17cf2a5810270bb94b95f0863b043c69e49042e5e9461b22af2efa2ff56d90c6deaf6841103877c0f161cd8f0cb5f3eb13b4e7b9bf40f
C:\Windows\SysWOW64\omsecor.exe
  Filesize: 92KB
  MD5: 63facc42e359ec34e3e9d28fe7615494
  SHA1: 0c7d112dfb6298e63a56315bc36dc8ec215df326
  SHA256: be6afe4e202bd0bfa10e0b725d9118144e8045771218561b571b2da8da52735f
  SHA512: 100f0f19be4fb94bb4ac799349c760ef63adcf5a3ce241050099c015c64e513938081917afcf263e145487e33e28f65e746a507a4a79dd8982fdab328a5fc4d5
The submitted sample and both dropped copies are all 92KB but carry three different hashes, so the binary is rewritten on each copy and a file-hash match will not carry across stages or infections. For hunting, the stable indicators on this page are the drop path and name (AppData\Roaming\omsecor.exe, SysWOW64\omsecor.exe, SysWOW64\merocz.xc6) and the three C2 hosts in the extracted config.
memory/804-13-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
memory/804-14-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
memory/2876-6-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
memory/2876-7-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
memory/2876-12-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize: 172KB
memory/3964-0-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
memory/3964-4-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
Every dump covers the same range 0x00400000-0x0042B000 (0x2B000 bytes = 172KB) in each of the three processes: 0x00400000 is the default image base of a 32-bit PE, so these are snapshots of the mapped executable image, taken at several points in each process's lifetime, rather than separately allocated injected regions.