Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/12/2024, 00:04
Behavioral task
behavioral1
Sample: a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
Resource: win7-20241010-en
General
Target: a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
Size: 90KB
MD5: e70979f2cb5eb8e7e410b87a94f5af0b
SHA1: 51669cacbd1c41b01b99e4bd68f4df34f3747ffe
SHA256: a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9
SHA512: 3dd587df70334707211afe5a5038893971f656ced03a0853366c167c82528522b922a0dd9918df5648f885698ba97efc0e045f39a11883b4f94d0f160a1b17a8
SSDEEP: 768:+MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:+bIvYvZEyFKF6N4aS5AQmZTl/5i
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (2 IoCs)
pid | Process
4848 | omsecor.exe
2648 | omsecor.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | omsecor.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2556 wrote to memory of 4848 | 2556 | a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe | 85
PID 2556 wrote to memory of 4848 | 2556 | a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe | 85
PID 2556 wrote to memory of 4848 | 2556 | a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe | 85
PID 4848 wrote to memory of 2648 | 4848 | omsecor.exe | 103
PID 4848 wrote to memory of 2648 | 4848 | omsecor.exe | 103
PID 4848 wrote to memory of 2648 | 4848 | omsecor.exe | 103
Processes

1. C:\Users\Admin\AppData\Local\Temp\a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2556

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4848

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: e7d9f64a32cea5f699a2f92e029e259b
SHA1: 2a19a9b580167988eab0eaeea25f69c3f7c2fd9f
SHA256: c93385637ac2e36361be2dcbf8bba832d3b60cf2d45a6fa3e1a3a3ea77897a12
SHA512: aa078325c751d07d9caef3e2fcc613bae018f3aef14b15d99ee6a07130e03d6f188fee1400ddd98607c5dd0783823252a2db790971d59ddd8b2c8d708ab5ff8c

Filesize: 90KB
MD5: a98bddc2e150e29eabffc061c1f51d18
SHA1: 6fc2e315e0a257a124a9f4c5c9b7d29fca7c9788
SHA256: aa5a897b4ce8f81b0689787c4568f29dfd93d1dca48dd319c7ded08297107ada
SHA512: 145608e402b325d13db68c0839a6e6902cd19307c19f328175c4882adf62cb885863f088645c39b5e4be3943004574b5a4c078c8678941be7056b68467fe5e10