Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/12/2024, 20:52
Behavioral task: behavioral1
Sample: 2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
Resource: win7-20241010-en
General
Target: 2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
Size: 61KB
MD5: bae8f8153cca690a28d4f9994d01e1cf
SHA1: dd7c227d54c3cd18f78f5311aaf60b63e278b97d
SHA256: 2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237
SHA512: 4730e80d64dac2ee3e6697560fbe51a8bbd823f89bd924bc66a02281bff91c451a05d30c313f31e4941f683fcabcde6918f96da0d7a76ccd67fc704048c19707
SSDEEP: 1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5n:edseIOMEZEyFjEOFqTiQmUl/5n
Malware Config
Extracted
Family: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid    Process
3976   omsecor.exe
3064   omsecor.exe
4560   omsecor.exe

Drops file in System32 directory (1 IoC)
description    ioc                                Process
File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Each parent/child pair is logged once per call, so every pair appears three times.
description                        pid    Process                                                                   procid_target
PID 3588 wrote to memory of 3976   3588   2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe    83
PID 3588 wrote to memory of 3976   3588   2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe    83
PID 3588 wrote to memory of 3976   3588   2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe    83
PID 3976 wrote to memory of 3064   3976   omsecor.exe                                                               99
PID 3976 wrote to memory of 3064   3976   omsecor.exe                                                               99
PID 3976 wrote to memory of 3064   3976   omsecor.exe                                                               99
PID 3064 wrote to memory of 4560   3064   omsecor.exe                                                               100
PID 3064 wrote to memory of 4560   3064   omsecor.exe                                                               100
PID 3064 wrote to memory of 4560   3064   omsecor.exe                                                               100
Processes

1. C:\Users\Admin\AppData\Local\Temp\2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe (PID 3588)
   command line: "C:\Users\Admin\AppData\Local\Temp\2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3976)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 3064)
         command line: C:\Windows\System32\omsecor.exe
         Note: the command line names System32 but the image loaded from SysWOW64. The sample is 32-bit (resource tag arch:x86), so on x64 Windows its access to C:\Windows\System32 is redirected to C:\Windows\SysWOW64 by WOW64 file-system redirection; this is also why the "Drops file in System32 directory" IoC shows a SysWOW64 path.
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4560)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
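As an added example (not part of this Triage report), the script below rebuilds the execution chain from the "Suspicious use of WriteProcessMemory" rows and the process list above, de-duplicating the repeated call records and flagging the hop where the command line names System32 but the image ran from SysWOW64. The rows and paths are copied from this report; the function names (parse_wpm, build_chain, wow64_redirected, analyse) and the decision to ignore the procid_target column are the example's own.

```python
"""Rebuild the omsecor.exe execution chain from WriteProcessMemory rows."""
import re
from collections import defaultdict

# Names and paths as they appear in the report above.
SAMPLE = "2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"

# Constructed input: the nine rows of the WriteProcessMemory table, one per line.
# The sandbox logs every call, so each parent/child pair appears three times.
WPM_ROWS = "\n".join(
    [f"PID 3588 wrote to memory of 3976 3588 {SAMPLE} 83"] * 3
    + ["PID 3976 wrote to memory of 3064 3976 omsecor.exe 99"] * 3
    + ["PID 3064 wrote to memory of 4560 3064 omsecor.exe 100"] * 3
)

# Process list from the report: pid -> (image path on disk, command line).
PROCESSES = {
    3588: (f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    3976: (ROAMING, ROAMING),
    3064: (r"C:\Windows\SysWOW64\omsecor.exe", r"C:\Windows\System32\omsecor.exe"),
    4560: (ROAMING, ROAMING),
}

# description, pid, Process, procid_target (Triage's internal id; not used here)
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Parse rows into a de-duplicated set of (writer_pid, target_pid, writer_image)."""
    edges = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        writer, target, pid_col, image, _procid_target = m.groups()
        if writer != pid_col:  # the pid column repeats the writing process
            raise ValueError(f"pid column disagrees with description: {line!r}")
        edges.add((int(writer), int(target), image))
    return edges


def build_chain(edges, root):
    """Follow writer -> target edges from root. This run is one linear chain;
    a process writing into several children is reported rather than guessed at."""
    children = defaultdict(list)
    for writer, target, _image in edges:
        children[writer].append(target)
    chain, pid = [root], root
    while children[pid]:
        if len(children[pid]) != 1:
            raise ValueError(f"pid {pid} wrote into several processes: {children[pid]}")
        pid = children[pid][0]
        chain.append(pid)
    return chain


def wow64_redirected(image_path, cmdline):
    """True when the command line names C:\\Windows\\System32 but the image was
    loaded from C:\\Windows\\SysWOW64. A 32-bit process on x64 Windows has its
    System32 accesses redirected to SysWOW64 by WOW64 file-system redirection,
    which is why the 'Drops file in System32 directory' IoC shows a SysWOW64 path."""
    return "\\system32\\" in cmdline.lower() and "\\syswow64\\" in image_path.lower()


def analyse(rows=WPM_ROWS, processes=PROCESSES, root=3588):
    """Return the execution chain, the hops that ran under WOW64 redirection,
    and the on-disk image paths (the file IoCs to hunt for on other hosts)."""
    chain = build_chain(parse_wpm(rows), root)
    return {
        "chain": chain,
        "wow64_redirected": [p for p in chain if wow64_redirected(*processes[p])],
        "images": sorted({processes[p][0] for p in chain}),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Running it yields the chain 3588 -> 3976 -> 3064 -> 4560, marks PID 3064 as the redirected hop, and lists the three distinct image paths (Temp, Roaming, SysWOW64) worth sweeping for on other endpoints.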
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
Filesize: 61KB
MD5: 75a817e6678b19f376d2eca41a1f52c5
SHA1: 779c8b102c141172fb6fb6095005ef65253731e0
SHA256: bf76638ddd6e10b3d8b378ddeb0d68fdd1589dda0d4935dc0bdc9353d5654eb6
SHA512: 6e57ded03326e46c3092e52100268c4a283897a04dc2164528214327c2c022c04b51e347a83af76e14b13b50c8b9b4468d5006a7b85e49333ecf0b0a858024d9

Download 2
Filesize: 61KB
MD5: b1095243c21a2d8437fa46cd1cbb2b15
SHA1: b80673cf7fd2ae0d6553c4678008d208244e5091
SHA256: 6c7854c03c1ffb5c25ccaa0a275c245bc0527bde60d5d71784b0765840bd7e29
SHA512: f735b8b6b592b578b6de1053e215f5fb3061d448220f02124957d9d8e5f9d545723db860084794c550d6c8533b018ef0857377b7018fe513b3581d83cb0f5be6

Download 3
Filesize: 61KB
MD5: a5da81ac5436e509e752ad9347e0dd07
SHA1: 8b196954d0f293679109e514a76c8eda371e35cf
SHA256: 6208063c06771dadfd93e728f54e4093e35214529ab3255b29b611021c5acc2e
SHA512: c2a28aaa46f2914c42666dc923e7a1a60b96843e0e715abfebce049caf6314a9368769a531309aaaf6dfa269f44a4dc88cc156a359f4421349017a2ff4a08b01