Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2024, 21:34
Behavioral task
- behavioral1
  - Sample: 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe
  - Resource: win7-20240903-en
General
- Target: 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe
- Size: 80KB
- MD5: a6a4d61642344f69842308d7d0b50104
- SHA1: 1048ed9463d5cb12a871b47eb01a269915ac2e2b
- SHA256: 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca
- SHA512: 0d7c9a7e7410cc795929dfd3473a3b45a9bafb4a9ab311720f9d6aca1b62280fa07a721e9fae4659412a2ae8e678ad47f6dd3a96091daf57ee8c8b0f0d86008a
- SSDEEP: 1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:TdseIOMEZEyFjEOFqTiQmOl/5xPvwX
Malware Config
- Extracted: neconyd
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 116 / omsecor.exe
  - 4036 / omsecor.exe
  - 4468 / omsecor.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  - File created / C:\Windows\SysWOW64\omsecor.exe / omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 4004 wrote to memory of 116 / 4004 / 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe / 83
  - PID 4004 wrote to memory of 116 / 4004 / 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe / 83
  - PID 4004 wrote to memory of 116 / 4004 / 3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe / 83
  - PID 116 wrote to memory of 4036 / 116 / omsecor.exe / 101
  - PID 116 wrote to memory of 4036 / 116 / omsecor.exe / 101
  - PID 116 wrote to memory of 4036 / 116 / omsecor.exe / 101
  - PID 4036 wrote to memory of 4468 / 4036 / omsecor.exe / 102
  - PID 4036 wrote to memory of 4468 / 4036 / omsecor.exe / 102
  - PID 4036 wrote to memory of 4468 / 4036 / omsecor.exe / 102
Processes
- C:\Users\Admin\AppData\Local\Temp\3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe"
  PID: 4004
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 116
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 4036
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4468
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: e3b056b70d4d0fb544150155000df78e
  SHA1: 75c6a8dbbd94521edffdd50e5ab0ca4cd8b6fff1
  SHA256: 2a854b1408f255eefe47a069f8132194f30816b6d581d17ac1102b550131f91a
  SHA512: 4796877739cd3726cbeaf5964bfbc0f6d6d666dccb97df311652320561c9ecc28a12fa08b4ecc79b393da9f1897a8aa5e28be370a3236287190fda33a7540b79
- Filesize: 80KB
  MD5: 23e42895f0db5c89981ac2edf831e744
  SHA1: 5375a785af0a2a942afc562e62eb14c2c7166ded
  SHA256: f8d89a95f7040300401ce5d1a7d297e7ba713d4a9af7fc163a9ddece95d14e4c
  SHA512: 661a0cab5c9b48f1db82b8c21fad8904fd2e9b3cd5955e384d8f4693ea9305d7adef424caa9c5ccda606b25a8232f63ced2fb465232f8a0900464f92cd0efb9f
- Filesize: 80KB
  MD5: ac5670f4ed8d7470cb5f10d0e143d361
  SHA1: 6e87650ee0c8a94bc059f3cd855935a42e13de69
  SHA256: fc47b55077159360905004dbd7c0f0b02065e1b3fd4981ab2ee8df179e7811fa
  SHA512: a4b1699fda60816ea4e1d4712686d99569e0ee5ac4381f5ca365d8d56fbba648381c18e8e3930cb22648f34512aba30ba348642d760d8089dd874aad6da5254c