Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2024, 01:59
Behavioral task: behavioral1
- Sample: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
- Resource: win7-20241010-en
General
- Target: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
- Size: 90KB
- MD5: 4cfcc2372b0d1cec4ca5cd9de9c37d45
- SHA1: 9296d10dcd3135c5744e32409c2c4b5340d91419
- SHA256: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6
- SHA512: e0832dcc6b19a14e90feeb51d5ac78628294c49d75b1dacb1a68d047680d0919b6e90fd66c85e2a2c3b1abc1b233344ca79e9f07f96e30858c1c87fb929fb671
- SSDEEP: 768:GMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:GbIvYvZEyFKF6N4aS5AQmZTl/5C
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid 4788: omsecor.exe
  pid 2964: omsecor.exe
  pid 3748: omsecor.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2052 wrote to memory of 4788 (process: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe, procid_target: 83), reported 3 times
  PID 4788 wrote to memory of 2964 (process: omsecor.exe, procid_target: 101), reported 3 times
  PID 2964 wrote to memory of 3748 (process: omsecor.exe, procid_target: 102), reported 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe"
   PID: 2052
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4788
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2964
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3748
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB
  MD5: d52fd52d4441f5ee67672390b796c4b6
  SHA1: 2443247a601ee381fdf25b181b1ef3318b978b22
  SHA256: 917b3096550cfc7ba281772450566505ef1bc9891a945dfab502a50d538f81c2
  SHA512: be8ae7acbca2618dd502b4db203c3aedd5ffcc33709f49f7a3d4a4b84b4f258fb85fdb388540c7e05c0be5d4bd8d0c4813cef631824ce5636973016961275ed8
- Filesize: 90KB
  MD5: 8dee2d8cae1e243c9808a04cc886c746
  SHA1: c501945a7d593253b68d2e99063bf5d68fda83b9
  SHA256: bdc917a2b628176bebdc844a510f84bc568088d971514be7fce9ae29d0f63df9
  SHA512: bfd3a84e8fa78b0bf440417a15f0a70a4906b7685c9c0efb13f9304db2df6f3edf26690c83cddd90e45c3448f78bd86ca4dd4349f6747d043a03c6fe348c6df6
- Filesize: 90KB
  MD5: 9ccf829d4e11196f79c301c95ed497ff
  SHA1: 6e8967757e1136364e0c217c1662b1d108225d4e
  SHA256: 182dbbcf3b7a64e0d5dc304d39317958441fe579194445fbe93e0b59bd3c3d91
  SHA512: 5092c0ef600119e866341c0fbfe56a46245ff7c9c611a10ddcaafc1a693543f9a734948fe399867cc40cfc3a8c92452197c3eed2ad73269b460d864b7bf43242