Analysis
max time kernel: 119s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/12/2024, 05:02
Behavioral task
behavioral1
Sample: e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
Resource: win7-20240903-en
General
Target: e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
Size: 88KB
MD5: 90da53acc55d7dc094402216130d6fb0
SHA1: 6514620fb963d50a859dd627c29aaea2dd3c1017
SHA256: e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7
SHA512: 379b1c0cb65f1b2656b995cd4e269dffb06cb6df5cb52bf0f6d5c55d309f68aac36740350968b1fe7afe71c245f2796f67f3e41a189c54aefe41d704745bddba
SSDEEP: 1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:LdseIOMEZEyFjEOFqTiQm5l/5R
Malware Config
Extracted
Family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (3 IoCs)
pid | Process
4284 | omsecor.exe
2336 | omsecor.exe
3780 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs; each row below is recorded three times)
description | pid | Process | procid_target
PID 3176 wrote to memory of 4284 | 3176 | e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe | 85
PID 4284 wrote to memory of 2336 | 4284 | omsecor.exe | 104
PID 2336 wrote to memory of 3780 | 2336 | omsecor.exe | 105
Processes
1. C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe (PID 3176)
   command line: "C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4284)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2336)
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3780)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

Note on level 3: the command line names C:\Windows\System32\omsecor.exe while the image path is C:\Windows\SysWOW64\omsecor.exe. That is consistent with a 32-bit process under WoW64 file-system redirection, which maps a 32-bit process's System32 accesses to SysWOW64; rules keyed on the dropped-file path should accept both spellings.
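The signatures and process tree above can be turned into host-side hunt logic. The following is an added example, not part of the tria.ge report and not Neconyd's own code: it loads the report's indicators (the three extracted URLs' hostnames, the sample and "Downloads" SHA256 values, and the two omsecor.exe drop paths) and scores Sysmon-style events for process creation (EventID 1), file creation (EventID 11) and DNS queries (EventID 22). The field names follow Sysmon's schema, but every event in SAMPLE_EVENTS is constructed for the demo, and the "Downloads" hashes are treated as a flat set because the page does not map them to paths. One caveat a practitioner should keep in mind: the "Key opened" entries for NLS\Language come from the sandbox's API hooks; Sysmon does not log registry reads, so that TTP has no direct equivalent in these events.

```python
"""
Hunt rules built from the IoCs in this report: an added example, not part of
the tria.ge page and not Neconyd's own code. It scores Sysmon-style events
(EventID 1 process create, 11 file create, 22 DNS query; field names follow
Sysmon's schema). The events in SAMPLE_EVENTS are constructed for the demo.
"""
import re

# Indicators copied from the report.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
KNOWN_SHA256 = {
    # submitted sample
    "e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7",
    # the three 88KB files under "Downloads" (not mapped to paths on the page)
    "71f9b85c775e8a9526dcdd4feed87e5bb000e76d4271c79336c4de06f278d440",
    "f418bd53decde76f37db315fb74d326c0bc48caeb03918abfdc1edaa66133b88",
    "5e70ecd8523ae69c8d8453267a49fa609c6d27d3598f9626433fd9ae45b0fab9",
}
# Drop locations seen in the process tree. The system-directory pattern accepts
# both spellings because WoW64 redirection turns a 32-bit process's
# C:\Windows\System32\omsecor.exe into C:\Windows\SysWOW64\omsecor.exe, and
# logs may record either one.
APPDATA_DROP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I)
SYSDIR_DROP = re.compile(r"^c:\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I)


def sha256_from_hashes(hashes_field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('MD5=..,SHA256=..')."""
    for part in hashes_field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def classify(event):
    """Return the labels of every report IoC that one event matches."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:
        image = event.get("Image", "")
        parent = event.get("ParentImage", "")
        if APPDATA_DROP.match(image) or SYSDIR_DROP.match(image):
            hits.append("neconyd_dropper_exec")
        # Level 2 -> level 3 of the tree: the Roaming copy starts the SysWOW64 copy.
        if SYSDIR_DROP.match(image) and APPDATA_DROP.match(parent):
            hits.append("neconyd_chain_roaming_to_syswow64")
        if sha256_from_hashes(event.get("Hashes", "")) in KNOWN_SHA256:
            hits.append("known_neconyd_hash")
    elif eid == 11:
        if SYSDIR_DROP.match(event.get("TargetFilename", "")):
            hits.append("neconyd_syswow64_drop")
    elif eid == 22:
        name = event.get("QueryName", "").lower().rstrip(".")
        if name in C2_HOSTS or any(name.endswith("." + h) for h in C2_HOSTS):
            hits.append("neconyd_c2_dns")
    return hits


def hunt(events):
    """Return (index, labels) for every event that matched at least one IoC."""
    matched = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            matched.append((i, labels))
    return matched


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events mirroring the report's process tree, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": ROAMING, "ParentImage": SAMPLE,
     "Hashes": "SHA256=71f9b85c775e8a9526dcdd4feed87e5bb000e76d4271c79336c4de06f278d440"},
    {"EventID": 11, "Image": ROAMING, "TargetFilename": SYSWOW64},
    {"EventID": 1, "Image": SYSWOW64, "ParentImage": ROAMING,
     "Hashes": "MD5=d41d8cd98f00b204e9800998ecf8427e"},  # no SHA256 logged
    {"EventID": 22, "Image": SYSWOW64, "QueryName": "ow5dirasuek.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": ""},
]

if __name__ == "__main__":
    for index, labels in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index].get("Image"), labels)
```

The path rules fire on the two drop locations independently of the hash, so a re-packed omsecor.exe with a fresh hash (the three "Downloads" files are all 88KB with different hashes) is still caught by where it runs from and by the Roaming-to-SysWOW64 parent/child chain; the hash set is only a confirmation signal.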
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: f777f0ff85e83bb53a8d0365dc588330
SHA1: 713f6ed0ef4a948668389ebc85b17c5358e5d6fd
SHA256: 71f9b85c775e8a9526dcdd4feed87e5bb000e76d4271c79336c4de06f278d440
SHA512: 5351c7320a0cecbcfa1cea26a915bc2d47bfcbe652b4ad87d1ceeec2abcd4704b087f4ac08a463afa350beb0c4996fdbfa4ded5259edbf2f38d6f6a09641828d

Filesize: 88KB
MD5: 81850f2b6f195e787c5e5aa4b659e592
SHA1: f055e0f20f00cdb552db09c769492c1cef33b4cf
SHA256: f418bd53decde76f37db315fb74d326c0bc48caeb03918abfdc1edaa66133b88
SHA512: c50126d563518c0d2661bb5a2851957bdbe1309a0f5190c148aff11e804e1212914c510813126e77efdadae22a296126035ed28ba60d1dda3ea1f7d86c96e53d

Filesize: 88KB
MD5: 1d9c9b6ff83108dcafb0c9fee2b803eb
SHA1: 4632582753e17f2c2b46afde85c2bfb502de932f
SHA256: 5e70ecd8523ae69c8d8453267a49fa609c6d27d3598f9626433fd9ae45b0fab9
SHA512: d072430a43270c16058a760a071ad679d5e8ece2d3b3635337e2acf55a7eab9567575ec8730682ad5e1394dab07347629f857ccd097f6867656bed4bdad61e5d