Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/12/2024, 23:15
Behavioral task: behavioral1
- Sample: 315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
- Resource: win7-20240903-en
General
- Target: 315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
- Size: 80KB
- MD5: 4cac4da6513b2494ea90fea579d6c2a8
- SHA1: 0edede44656cabc718bc91805f135563d7b6f452
- SHA256: 315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d
- SHA512: ec0d57d1baa87dde2cbfa37472dc961980691a278d147f005544e2cfaab710a633fdf01a1f65b169ff06f7faa74a2038343434ff43d23e0259cef5d8abf42144
- SSDEEP: 1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:udseIOMEZEyFjEOFqTiQmOl/5xPvwv
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  PID   Process
  5008  omsecor.exe
  2264  omsecor.exe
  380   omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description                        PID   Process                                                                  procid_target
  PID 4572 wrote to memory of 5008   4572  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  83
  PID 4572 wrote to memory of 5008   4572  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  83
  PID 4572 wrote to memory of 5008   4572  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  83
  PID 5008 wrote to memory of 2264   5008  omsecor.exe                                                              102
  PID 5008 wrote to memory of 2264   5008  omsecor.exe                                                              102
  PID 5008 wrote to memory of 2264   5008  omsecor.exe                                                              102
  PID 2264 wrote to memory of 380    2264  omsecor.exe                                                              103
  PID 2264 wrote to memory of 380    2264  omsecor.exe                                                              103
  PID 2264 wrote to memory of 380    2264  omsecor.exe                                                              103
Processes
1. C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe (PID 4572)
   Command line: "C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 5008)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2264)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 380)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: 829f0322839e78ded1df12fe0335527f
  SHA1: 7877c149c9ff6792cd4c0cfbbfaf4897dc72a465
  SHA256: 21f4612a0adb5307edac6542ed828a6a0b5b76b41ced4bd74f1a9fa914a5822a
  SHA512: add7189d16d66391416348569ef232761c44ee9bcf81a58f52e944d0dbbb38f937a9a0d9213deddfda27616c3f160d4dac64a9cc1d5dc783581feb45c27676cd
- Filesize: 80KB
  MD5: eee91782497f7f31e10749ceef31464b
  SHA1: 490b7fa7de48b286522f27e57b55daf14b97a6b7
  SHA256: dc0aca5d8277d317637a1f2c810ff69ceb2581ed0e8a58fc48da9733f3cd89f5
  SHA512: cbbd41668b675d24d2bd47d24a527af2825834e72004d5911e7007c9cd640ed49ac28799b46c9ccc461fe656459c92169955a5d5478411b3d8a6091964b03e02
- Filesize: 80KB
  MD5: dd482cc98f54a77c0ec0819e02b04714
  SHA1: cd59e1f55b44263fd264b344962b54ef4441e59c
  SHA256: bfca5d9d920e9fbb57d4891dc92d6a8f72bbc8e6d28ea44a3552408e2bac26d4
  SHA512: fc3cdc955432e8334f31bb62e647d4993c0dae5879fcda4360351614326881b2aefb6528f54536e8a1cffe48b34b91e9418c93f23e0a62eb8a4cbc452cef9ad6