Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/05/2024, 22:16

Behavioral task: behavioral1
Sample: 67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
Resource: win7-20240220-en
General
Target: 67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
Size: 90KB
MD5: 5a11aab785c59ec05adf398478ffe464
SHA1: 4153f9b93643947c61f63286c4ac8f78261b70e1
SHA256: 67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299
SHA512: 68a705c481fb88221a7ccb863b93e68d08fd2e795adac06cf3346009bc35d8967def36e017292cf81da09eced38e96433d2337fa6db6b49dc5c51159a9c20d09
SSDEEP: 768:FMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:FbIYYvoE1FKF6N4yS+AQmZTl/5
Malware Config
Extracted family: neconyd
C2:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  PID    Process
  4620   omsecor.exe
  3956   omsecor.exe
  4628   omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description    IoC                               Process
  File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs; the report lists each of the three writes three times)
  Description                        PID    Process                                                                 procid_target
  PID 504 wrote to memory of 4620    504    67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe   82   (x3)
  PID 4620 wrote to memory of 3956   4620   omsecor.exe                                                             94   (x3)
  PID 3956 wrote to memory of 4628   3956   omsecor.exe                                                             95   (x3)
Processes
1. C:\Users\Admin\AppData\Local\Temp\67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe"
   PID: 504
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4620
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3956
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4628
            - Executes dropped EXE

Note on process 3: the command line names C:\Windows\System32\omsecor.exe, but the image actually executed is C:\Windows\SysWOW64\omsecor.exe. That mismatch is WoW64 file system redirection: the process is 32-bit (consistent with the arch:x86 resource tag), so its writes to and launches from System32 land in SysWOW64. When hunting for this dropper on 64-bit hosts, check SysWOW64 for the copy, not only System32. The chain itself (Temp dropper to Roaming copy, Roaming copy to SysWOW64 copy, SysWOW64 copy back to Roaming, each parent writing into the child it just created) is the report's main behavioural signal.
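The following hunting script is an added example and is not part of the Triage report or the sample's own code. It encodes the behaviour in the process tree above as a name-independent rule (an executable running from a user profile writes an .exe into a Windows system directory, that file runs as its child, and the system-directory copy re-spawns the original) and cross-checks events against the hashes and C2 hosts listed on this page. The input is a constructed list of Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 3 NetworkConnect) that mirrors the reported PIDs and paths; the field names follow Sysmon's schema, the records themselves are invented, and the assignment of the three Downloads hashes to specific PIDs is an assumption. It also folds System32 onto SysWOW64 so the redirected command line matches the image that actually ran.

```python
"""Hunt for the omsecor.exe drop-and-relaunch chain over Sysmon-style events.

Added example, not Triage output. Events are constructed; field names follow
Sysmon (EventID 1 = ProcessCreate, 11 = FileCreate, 3 = NetworkConnect).
"""
import re

# IoCs copied from the report: submitted sample, the three 90KB files under
# Downloads (assumed here to be the dropped omsecor.exe copies), C2 hosts.
KNOWN_SHA256 = {
    "67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299",
    "0a0d81cb999c8cc82f7991a0a93798de487f003a509c9e1ef2bdff155ce60af0",
    "b3f1bdff491bf611ad94ee318063f125d9dc2e75749d04da1f39f393a04b2252",
    "741eeecc3fc19a518e5dcc8bd518c45ccdeace34952d28db5dc2019df2c5486b",
}
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

# Behavioural rule: writer lives under a user profile, target is a system dir.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


def norm(path: str) -> str:
    """Lower-case and fold System32 onto SysWOW64, so the 32-bit sample's
    'C:\\Windows\\System32\\omsecor.exe' command line compares equal to the
    redirected SysWOW64 image Sysmon records. Approximation: for a 64-bit
    image the two directories hold different files."""
    return path.lower().replace("\\system32\\", "\\syswow64\\")


def ioc_hits(ev: dict) -> list:
    """Hash and C2-hostname matches for one event (Sysmon 'Hashes' format)."""
    hits = []
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256" and value.strip().lower() in KNOWN_SHA256:
            hits.append("sha256:" + value.strip().lower())
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if host in C2_HOSTS:
        hits.append("c2:" + host)
    return hits


def analyse(events: list) -> list:
    """Walk events in order; return findings as dicts keyed by 'kind'."""
    drops = {}       # (writer pid, normalised target) -> normalised writer image
    launched = {}    # pid of an executed dropped file -> normalised writer image
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if (USER_WRITABLE.match(ev["Image"]) and SYSTEM_DIRS.match(target)
                    and target.lower().endswith(".exe")):
                drops[(ev["ProcessId"], norm(target))] = norm(ev["Image"])
        elif ev["EventID"] == 1:
            parent = ev["ParentProcessId"]
            key = (parent, norm(ev["Image"]))
            if key in drops:  # the writer launched the file it just dropped
                launched[ev["ProcessId"]] = drops[key]
                findings.append({"kind": "drop-and-exec", "pid": ev["ProcessId"],
                                 "writer_pid": parent, "image": ev["Image"]})
            elif parent in launched and norm(ev["Image"]) == launched[parent]:
                findings.append({"kind": "relaunch", "pid": ev["ProcessId"],
                                 "via_pid": parent, "image": ev["Image"]})
        for hit in ioc_hits(ev):
            findings.append({"kind": "ioc", "pid": ev["ProcessId"],
                             "image": ev["Image"], "ioc": hit})
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
SAMPLE_EVENTS = [  # constructed to mirror the reported tree, plus a benign control
    {"EventID": 1, "ProcessId": 504, "ParentProcessId": 3204, "Image": DROPPER,
     "Hashes": "SHA256=67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299"},
    {"EventID": 11, "ProcessId": 504, "Image": DROPPER, "TargetFilename": ROAMING},
    {"EventID": 1, "ProcessId": 4620, "ParentProcessId": 504, "Image": ROAMING,
     "Hashes": "SHA256=0a0d81cb999c8cc82f7991a0a93798de487f003a509c9e1ef2bdff155ce60af0"},
    {"EventID": 11, "ProcessId": 4620, "Image": ROAMING, "TargetFilename": SYSWOW},
    {"EventID": 1, "ProcessId": 3956, "ParentProcessId": 4620, "Image": SYSWOW,
     "CommandLine": r"C:\Windows\System32\omsecor.exe",
     "Hashes": "SHA256=b3f1bdff491bf611ad94ee318063f125d9dc2e75749d04da1f39f393a04b2252"},
    {"EventID": 1, "ProcessId": 4628, "ParentProcessId": 3956, "Image": ROAMING,
     "Hashes": "SHA256=741eeecc3fc19a518e5dcc8bd518c45ccdeace34952d28db5dc2019df2c5486b"},
    {"EventID": 3, "ProcessId": 4628, "Image": ROAMING, "DestinationHostname": "ow5dirasuek.com"},
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Program Files\Tool\tool.exe"},  # installer: not a system dir
    {"EventID": 1, "ProcessId": 901, "ParentProcessId": 900,
     "Image": r"C:\Program Files\Tool\tool.exe", "Hashes": "SHA256=" + "00" * 32},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The behavioural rule fires twice on the sample chain (SysWOW64 copy launched by its writer, then the Roaming copy re-spawned by the SysWOW64 copy) and not at all on the installer control, while the hash and hostname checks catch each stage independently; in production the same logic would be fed from the Sysmon operational log rather than an inline list.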
Downloads
- Filesize: 90KB
  MD5: 503c3c4961824129dc46a5ab34dc92b4
  SHA1: d5f76c7d2ed94309058501dbd1e54373653ba092
  SHA256: 0a0d81cb999c8cc82f7991a0a93798de487f003a509c9e1ef2bdff155ce60af0
  SHA512: fc7979cb684bbfa717326991e9de3d4cfc86d3f1c57ff4f85c971dab0b4f06b5726b0d9f85fa574c72e126eed65599c6740efb3c4e7241813fee2a628ce967b3
- Filesize: 90KB
  MD5: ca145b5952594a01b5d3139b0a77d204
  SHA1: bc6e793b973ad0bfcfdfaca18abde730058bec8b
  SHA256: b3f1bdff491bf611ad94ee318063f125d9dc2e75749d04da1f39f393a04b2252
  SHA512: 4b63108461d5fc817cbb20a347fca7d42d9e12e223b458d67d331ea269f3ef0f06165784287b9c77a23978f424b937a7381c997a632ef16ab12e29b09e46baab
- Filesize: 90KB
  MD5: dc3e922b10fe0272a324586905353864
  SHA1: 1fdedfa8f58e9ab00d2b03dcd8feb7319ab4e5f2
  SHA256: 741eeecc3fc19a518e5dcc8bd518c45ccdeace34952d28db5dc2019df2c5486b
  SHA512: 18221bebf01950ab6a0b2096a00d8d7e4c8f80ab1352611e5772a2f37d5b9b3a8442ecc58bd003c66b8c343653636624b3b20e7927cf37bf2b2ed9e7c8160b8d