Analysis
Max time kernel: 145s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/12/2024, 03:13
Behavioral task: behavioral1
Sample: d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
Resource: win7-20241010-en
General
Target: d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
Size: 88KB
MD5: c1a8b1d05ae11a59776d46cedaf875bc
SHA1: 3355665a13d0d85ad329d10918cc433944226db0
SHA256: d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0
SHA512: 661ca0c659bf574985c2fb3e5d8cbd35314e93961ce852738d246040e05686d0b7d1a209fa6d8ebd49b62116ef15dcb67b2c48a920ee5ff9930638844b21a61a
SSDEEP: 1536:jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:DdseIOMEZEyFjEOFqTiQm5l/5R
Malware Config
Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  PID   Process
  1288  omsecor.exe
  2088  omsecor.exe
  4944  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description                        PID   Process                                                                 Target procid
  PID 3872 wrote to memory of 1288   3872  d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe  83
  PID 3872 wrote to memory of 1288   3872  d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe  83
  PID 3872 wrote to memory of 1288   3872  d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe  83
  PID 1288 wrote to memory of 2088   1288  omsecor.exe                                                             100
  PID 1288 wrote to memory of 2088   1288  omsecor.exe                                                             100
  PID 1288 wrote to memory of 2088   1288  omsecor.exe                                                             100
  PID 2088 wrote to memory of 4944   2088  omsecor.exe                                                             101
  PID 2088 wrote to memory of 4944   2088  omsecor.exe                                                             101
  PID 2088 wrote to memory of 4944   2088  omsecor.exe                                                             101
Processes
- C:\Users\Admin\AppData\Local\Temp\d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe"
  PID: 3872
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1288
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2088
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4944
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88KB
  MD5: e4edc0196b9f4ceee2c98ffd6659c2bb
  SHA1: 602823b85bdf4ba72ff6d04e44e80e699118b3bb
  SHA256: d484cfafc6fd2b371560fbd0c20beb4aa431d96a016d6f60fd3cde25b87f3eb1
  SHA512: e795dc0c483cb0040f7386c288241d2e1331ee6a4c5249d2838f73e66a46941e6f48bc398f8d84a4660d8604a7b9630a0a699593891410c2811b24a214793827
- Filesize: 88KB
  MD5: ce2666ebdcfc9296d9556753ec77534d
  SHA1: f94d662a12aa49409a158313fc22f5398d443630
  SHA256: f741cafa3c6ae6991676bb12464450371e933e71fa5f21741b1e8bc2dd5679e8
  SHA512: 5d49ff0ab825a86e4e6a89a3e2208c7aa76008223b459fab709fc23ca0aaaf04f8d2a23d4fbf783abb129d1a6eca5070777617007657fe37b30544842d1ec2ee
- Filesize: 88KB
  MD5: 95180e4e936f8599a7bc65c831411c92
  SHA1: be1fc57b48053e414dc648fc7ac66378f9fcef13
  SHA256: 7f39755cba9f41a0e65a834a19926b75015f52a24a9bf4a8a9f2a342c5b3a780
  SHA512: b9000eccae857d3f6bf425b5db107bb5f80fe8c43ccf2b3f66cc6828c2debbe2c1b0d1d6157badd0df7754eaeb16ace3e463170dc837ef0301dad1a5376102e7