Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2024, 22:06
Behavioral task: behavioral1
Sample: 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
Resource: win7-20240729-en
General
Target: 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
Size: 90KB
MD5: 927c632d19cf1a09d6e9d2b053042f28
SHA1: cdbe7a141f9e59ebb085601a0c675fde8322aadc
SHA256: 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba
SHA512: 06ae5c1ae5bc5c91b306252a44bd41ced3b366b845d3836cc789b35df00fad0988338d8116cac3b03d8e93eeb9731e1d8fe3a0911d86a7f15979f35c7c930a90
SSDEEP: 768:9MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAK:9bIvYvZEyFKF6N4aS5AQmZTl/5y
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
1956  omsecor.exe
4576  omsecor.exe
1588  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process                                                                 procid_target
PID 1208 wrote to memory of 1956   1208  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe   83
PID 1208 wrote to memory of 1956   1208  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe   83
PID 1208 wrote to memory of 1956   1208  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe   83
PID 1956 wrote to memory of 4576   1956  omsecor.exe                                                             100
PID 1956 wrote to memory of 4576   1956  omsecor.exe                                                             100
PID 1956 wrote to memory of 4576   1956  omsecor.exe                                                             100
PID 4576 wrote to memory of 1588   4576  omsecor.exe                                                             101
PID 4576 wrote to memory of 1588   4576  omsecor.exe                                                             101
PID 4576 wrote to memory of 1588   4576  omsecor.exe                                                             101
Processes

C:\Users\Admin\AppData\Local\Temp\8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1208

  C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1956

    C:\Windows\SysWOW64\omsecor.exe (depth 3)
      command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4576

      C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1588
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: 33f64338e6a6a184c08b9882c8704f18
SHA1: a934a6d08d051113fb8f8234f7e328685b86b6d9
SHA256: 859fb05cef7c0abe8b16605ec6d1b0e95be964e124fd6f9c41b19858bd5ac632
SHA512: 8ec1e7089048f80c7f3721bcbc33c22e386a491c779ed42a683e7a069b86f9a31e1afa1243574d438a2bdd44ab1b5a0c2950269322252b7659d5ba2eb3224214

Filesize: 90KB
MD5: a7c053a1ffd4cf604e65a6857f1ef898
SHA1: 3400ca8ea261d9b51e08492fff0add5f0c430870
SHA256: 73cdb56cd63bac31a71430f9c68d46f41ec09c1854dfa154d8cb3a5dbc986d07
SHA512: 3b6070bfd4cd34163592774a89ea6c2e55b4beaeef58af72480b981de477dc546c14f420fe7d4ace521ccc9df3c5112866e60a08b605862d8d475068305cc72d

Filesize: 90KB
MD5: 446bfea941d667fc017b183f377ccf5f
SHA1: 173735c4a884cef74c66db561841859c30d007db
SHA256: aa4335d5b1157eef02c5996bb897386383eeb01b331ff2fe8266613ee8dc7ed6
SHA512: 913a2ce96fcccc19629e659c023eb91178b172babca0d3ff127ae21258110be0db05046dfa0f55b9a3b1584f5fc6be38cc9778694d14f997caac95350f0fa703