Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/12/2024, 21:37

Behavioral task: behavioral1
- Sample: 3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
- Resource: win7-20241010-en
General
- Target: 3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
- Size: 76KB
- MD5: a4bc7c45722cf2a4f9a6759b885bad6c
- SHA1: a7c74bab40d8db95ad9fd9fb30dce5491f257e7f
- SHA256: 3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e
- SHA512: 17eb0bf4e9e3d13652c9fc0484f50a1477f840199b92715d24bf3b21be0bc670619aa64eff2a6f59fb48d25ae1f3d4abdb2fbc96acfaac247be1f9a91fcd30b1
- SSDEEP: 768:O2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW7:/bIvYvZEyFKF6N4yS+AQmZTl/5O7
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (3 IoCs)
  pid   Process
  228   omsecor.exe
  3488  omsecor.exe
  2256  omsecor.exe

- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 3108 wrote to memory of 228   3108  3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe  84
  PID 3108 wrote to memory of 228   3108  3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe  84
  PID 3108 wrote to memory of 228   3108  3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe  84
  PID 228 wrote to memory of 3488   228   omsecor.exe                                                             94
  PID 228 wrote to memory of 3488   228   omsecor.exe                                                             94
  PID 228 wrote to memory of 3488   228   omsecor.exe                                                             94
  PID 3488 wrote to memory of 2256  3488  omsecor.exe                                                             95
  PID 3488 wrote to memory of 2256  3488  omsecor.exe                                                             95
  PID 3488 wrote to memory of 2256  3488  omsecor.exe                                                             95
Processes

1. C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe"
   PID: 3108
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 228
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3488
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2256
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 76KB
  MD5: 58e388ac9367d2739362caec7a761931
  SHA1: 4b19d103ccd07fbc56521b0245475f188e73dd01
  SHA256: bc8ee3d7e0d86633cfcf7f1d394625618d35558b14eb1e43607b367f3c928fab
  SHA512: fbd907ec6c1395b60ba78d87efa50f72d800f3f71eb473459515edab07ae7cba8441bc784ec642b8c07f689d14d618fa2e30f017688b8adb8e01c21bd8ba87a5

- Filesize: 76KB
  MD5: 0339db149beadf21e05483499ed5aff3
  SHA1: aace77dce9a892c04d3221d57a2d81bd4b6300bc
  SHA256: aa8e9a6a6435c7e6ab638dc56a87c53c8fed6f20510c96fcbdd490c1ba125e44
  SHA512: d9ae87870af02f99359e997c399bb8ac0778ac2a6bc855101b9662410307036f1eb8eee53bbb2bff7043094012a50a750bcd2c559e04fb0f27676e10e21a03a4

- Filesize: 76KB
  MD5: 9d600b5ae7f08d6bfc185dd73057aa12
  SHA1: 5924daffa34bb06a0a7f105fc382e1536623eedd
  SHA256: c657d6cd17b728d492638d50a5cbe9938d7ab578297d5226571f7a3fc594fb40
  SHA512: 2f0438837222ee77792b968c17a5df9b3e4fb752e5879a63f97909fdd52a9211891ef10a9e05ea8e218011c28e5edafb0db17ce00cdd593abbc07c1b5d9126a0