Analysis
- max time kernel: 145s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 03:04

Behavioral task: behavioral1
Sample: c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
Resource: win7-20240508-en
General
- Target: c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
- Size: 35KB
- MD5: cdfdfc6b39bf8aa959c22ed497b69a2e
- SHA1: 9912be4cf7cdfbebd2626867183c7c9416bc1c9d
- SHA256: c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093
- SHA512: f094e9b95797e92a256ae7025a5fde40b2fa7fa64f17ffb51aa48466e557ed2793f7ac432d5f1c158d431a68006a3332e46317d840cab42d1b3255f3087468fe
- SSDEEP: 768:N6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:A8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

UPX dump on OEP (original entry point) 16 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- C:\Users\Admin\AppData\Roaming\omsecor.exe, UPX
- behavioral2/memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- C:\Windows\SysWOW64\omsecor.exe, UPX
- behavioral2/memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- C:\Users\Admin\AppData\Roaming\omsecor.exe, UPX
- behavioral2/memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp, UPX
- behavioral2/memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp, UPX

Executes dropped EXE 3 IoCs
Processes (pid, process):
- 1628, omsecor.exe
- 692, omsecor.exe
- 4324, omsecor.exe

Processes (resource, yara_rule):
- behavioral2/memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe, upx
- behavioral2/memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- C:\Windows\SysWOW64\omsecor.exe, upx
- behavioral2/memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe, upx
- behavioral2/memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp, upx

Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
- File created, C:\Windows\SysWOW64\omsecor.exe, omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes (description, pid, process, target process):
- PID 4512 wrote to memory of 1628, 4512, c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe, omsecor.exe
- PID 4512 wrote to memory of 1628, 4512, c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe, omsecor.exe
- PID 4512 wrote to memory of 1628, 4512, c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe, omsecor.exe
- PID 1628 wrote to memory of 692, 1628, omsecor.exe, omsecor.exe
- PID 1628 wrote to memory of 692, 1628, omsecor.exe, omsecor.exe
- PID 1628 wrote to memory of 692, 1628, omsecor.exe, omsecor.exe
- PID 692 wrote to memory of 4324, 692, omsecor.exe, omsecor.exe
- PID 692 wrote to memory of 4324, 692, omsecor.exe, omsecor.exe
- PID 692 wrote to memory of 4324, 692, omsecor.exe, omsecor.exe
Processes (process tree; the number is the nesting level, the second path is the command line)
1. C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
   "C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 35KB
  MD5: 7c9bbea4e90bf8c123078ba5410c9080
  SHA1: a6a90ed312e350321c57d1755984eb6de2d2a1bb
  SHA256: fa4148e7a3cfbb923f077a78a09a16836e61eeae52933ac9d21032318983fdff
  SHA512: f07f3d0fefcb0a43a40d045ba4d6a8b24dac8e928c29c8fe9fa8806b9b81496f324c202ec8c62455b557981333c9e22bcdc3bf9cc70ad8ea94d07ec13916480e

- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 35KB
  MD5: c969e4d8611084ccb26c12fbde1f6d97
  SHA1: e2bcc63fe01b638fffefb191d7582d543803c3d8
  SHA256: f8feb1df2a4086581cdc552151cd22b8b328320c348f4d7245791ac3db3df8ff
  SHA512: e5668caeadcc31163a12813d249aca09e48d3ffe28644f9280b7329239f31cf0f692a1a0f7592fca02680cad74146462a64a4cd92b960715fe1ec42936b358e8

- C:\Windows\SysWOW64\omsecor.exe
  Filesize: 35KB
  MD5: b6a8cbe02ae0d2649c01fe01b246ea48
  SHA1: 8ea31e20aa6d7738f15ada92cdcdb42bcf43732f
  SHA256: 2f4d8c663036c0287bf0527f10c50b95ceed57cfc3d31da4edb946ea5f5f056b
  SHA512: bd649a3100866c5f551ebc669f6538a1d7f1d5a0ec6be46e418cfef57df022f8ea9eba3eebce1beae2f9c9d89c138712695800e70295116985cd152136ee7bab

- memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

- memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB