Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2024, 02:53
Behavioral task: behavioral1
Sample: 42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe
Resource: win7-20241010-en
General
Target: 42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe
Size: 88KB
MD5: ad189b1ecc0e43a88777dd208ccadb50
SHA1: eed594eb3de0728dbc2b4697478eb67e27c6217a
SHA256: 42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037
SHA512: 2e4353eb883bc23d3b0b1852234ca01d001e5a54a3b07a8be569209903767d663f77f4f81abfe8bb98fbf32aa282c5d6bcf3607c7867ce4e1959036f83380bf4
SSDEEP: 1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:9dseIOMEZEyFjEOFqTiQm5l/5R
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
PID   Process
1736  omsecor.exe
2304  omsecor.exe
4356  omsecor.exe

Drops file in System32 directory (1 IoC)
File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by omsecor.exe, 3 times, one per omsecor.exe instance)

Suspicious use of WriteProcessMemory (9 IoCs, 3 events per parent/child pair)
PID   Target PID  Process                                                              procid_target
2316  1736        42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe  83
1736  2304        omsecor.exe                                                           100
2304  4356        omsecor.exe                                                           101
Processes

1. C:\Users\Admin\AppData\Local\Temp\42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe (PID 2316)
   command line: "C:\Users\Admin\AppData\Local\Temp\42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1736, child of 2316)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2304, child of 1736)
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4356, child of 2304)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

Note on the third process: its command line names C:\Windows\System32\omsecor.exe, but the image actually runs from C:\Windows\SysWOW64\omsecor.exe. The sample is 32-bit (arch:x86 tag) on a 64-bit image, so WOW64 file-system redirection sends its write to System32 into SysWOW64, which is also where the "Drops file in System32 directory" signature records the file being created. When hunting on disk, look in SysWOW64 rather than System32.
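The drop-and-relaunch chain above (user-writable directory to SysWOW64 and back, with the NLS\Language key opened at every hop) is the behaviour worth turning into a detection. The following is an added example, not code from the tria.ge report or from the Neconyd family itself: it reconstructs the process tree from a constructed event list (PIDs, image paths and registry key copied from the report; the event field names `pid`, `ppid`, `image`, `key` are my own, not a sandbox or Sysmon schema) and flags a same-named binary that hops between a user-writable directory and a system directory across a parent/child link.

```python
"""Added example: detect the omsecor.exe relaunch chain from process and
registry events. Event records are constructed from the report's process
tree; the schema (pid/ppid/image/key) is an assumption for this demo."""
import ntpath

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NLS_LANGUAGE_KEY = "\\control\\nls\\language"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed process-creation events mirroring the report (ppid 1000 for the
# sample's own parent is a placeholder; the report does not show it).
PROCESS_EVENTS = [
    {"pid": 2316, "ppid": 1000, "image": SAMPLE},
    {"pid": 1736, "ppid": 2316, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"pid": 2304, "ppid": 1736, "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"pid": 4356, "ppid": 2304, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
]
# Constructed registry events: one NLS\Language open per process, as reported.
REGISTRY_EVENTS = [{"pid": p, "key": LANG_KEY} for p in (2316, 1736, 2304, 4356)]


def location(image):
    """Classify an image path as living in a system dir, a user-writable dir, or elsewhere."""
    p = image.lower()
    if any(p.startswith(d) for d in SYSTEM_DIRS):
        return "system"
    if any(s in p for s in USER_WRITABLE):
        return "user"
    return "other"


def build_tree(events):
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid):
    """Walk parent links and return the events from the root down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_relaunch_chains(events):
    """Return (parent_pid, child_pid, child_image) where a binary with the same
    file name hops between a user-writable and a system directory."""
    by_pid = build_tree(events)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        same_name = ntpath.basename(e["image"]).lower() == ntpath.basename(parent["image"]).lower()
        hop = {location(parent["image"]), location(e["image"])} == {"user", "system"}
        if same_name and hop:
            findings.append((parent["pid"], e["pid"], e["image"]))
    return findings


def find_language_probes(reg_events, proc_events):
    """Return (pid, image name) for every process that opened the NLS\\Language key."""
    by_pid = build_tree(proc_events)
    return sorted({(r["pid"], ntpath.basename(by_pid[r["pid"]]["image"]))
                   for r in reg_events
                   if r["pid"] in by_pid and r["key"].lower().endswith(NLS_LANGUAGE_KEY)})


if __name__ == "__main__":
    for parent, child, image in find_relaunch_chains(PROCESS_EVENTS):
        print(f"relaunch hop: {parent} -> {child} ({image})")
    for pid, name in find_language_probes(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(f"language probe: pid {pid} ({name})")
    print(" -> ".join(str(e["pid"]) for e in ancestry(build_tree(PROCESS_EVENTS), 4356)))
```

The hop rule deliberately ignores the command line and keys on the image path, so the System32-versus-SysWOW64 mismatch in the report does not matter to it; the language-key check on its own is too noisy to alert on, but it is a useful corroborating field once the relaunch hop fires.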
Downloads (dropped files)

1. Filesize: 88KB
   MD5: bcabe56a5acca18bfe292b932e618f3c
   SHA1: 8b1fe6274467abd52d4fb441a34a6d714edad998
   SHA256: 421777723d481e9ec52faec607e10c36d292ebcdc897c48abc0a5795643ef940
   SHA512: a11d40cc5e7625f01a9a7458be25e1de2ac3c410d930e7b7153a7507e1a51f77948ed09fdf129592b25b2d8e9b5c244f4ca701a57b34a20da57c8e18c7767b8c

2. Filesize: 88KB
   MD5: fa71d1d07e3c0f6f61074e8264242f81
   SHA1: a4dd38decd0219b81a8c7004224938b759acdac2
   SHA256: b757e90d0fd4606555ea021eccb65449439e435f2065eb63d604605b6c700985
   SHA512: 5cdec690802dcb863a7463a5be0958b0665f8a6f3959aa0e793ba82560dbf058ff4e664832a3becf66c22576439f755e44a1d88c88d161fc53f27dc02ed84426

3. Filesize: 88KB
   MD5: 50f4787ef676b0bae155596a6e1281f6
   SHA1: d49316d8d296c4c03c5f30469d7eae29088afba0
   SHA256: e9a648996aa75fd2563a67e5ee9d79709c702d637fdce091d61328a252c286da
   SHA512: b63cffdd081b9dcd2a1cffb5c329b62125dfa7e3762c07e2c2467165c17577d98d7fbfcdcdb3ef2267f9aa545204c43f6253b8f8dab7f4dbac30a5b40caf1f0d
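All three dropped files are the same size as the submitted sample but carry different hashes, so a disk sweep has to carry the full hash set rather than just the sample's. The following is an added example, not code from the report: it takes the SHA256 values listed above, canonicalises System32 paths for a 32-bit writer into SysWOW64 (the redirection visible in the process tree), and sweeps a directory tree for hash hits and for name-only hits on omsecor.exe. The directory layout in `demo()` is constructed for the run; `canonical_path` and `sweep` are my own helpers, not tria.ge functionality.

```python
"""Added example: hash- and name-based sweep for the dropped omsecor.exe
artefacts, with WOW64 path canonicalisation. The SHA256 set is copied from
the report; the demo directory layout is constructed."""
import hashlib
import os
import tempfile

# SHA256 of the submitted sample plus the three dropped files from the report.
KNOWN_SHA256 = {
    "42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037",
    "421777723d481e9ec52faec607e10c36d292ebcdc897c48abc0a5795643ef940",
    "b757e90d0fd4606555ea021eccb65449439e435f2065eb63d604605b6c700985",
    "e9a648996aa75fd2563a67e5ee9d79709c702d637fdce091d61328a252c286da",
}
# File name used by every dropped copy in the report's process tree.
DROP_NAMES = {"omsecor.exe"}

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "C:\\Windows\\SysWOW64\\"


def canonical_path(path, process_is_32bit):
    """A 32-bit process on 64-bit Windows that writes under System32 is
    redirected to SysWOW64; rewrite the path so disk checks look there."""
    if process_is_32bit and path.lower().startswith(SYSTEM32):
        return SYSWOW64 + path[len(SYSTEM32):]
    return path


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, known_hashes=KNOWN_SHA256, drop_names=DROP_NAMES):
    """Return (path, reason) hits. A hash match is strong evidence; a
    name-only match is weaker and is reported separately so it can be triaged."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    digest = sha256_of(full)
                except OSError:
                    continue  # unreadable or vanished file; skip, do not abort the sweep
                if digest in known_hashes:
                    hits.append((full, "sha256:" + digest))
                elif name.lower() in drop_names:
                    hits.append((full, "name-only"))
    return hits


def demo():
    """Constructed layout standing in for %APPDATA% and SysWOW64. The stand-in
    payload's hash is added to the known set so the hash path is exercised."""
    payload = b"constructed stand-in for a dropped file\n"
    known = KNOWN_SHA256 | {hashlib.sha256(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        appdata = os.path.join(root, "AppData", "Roaming")
        syswow = os.path.join(root, "Windows", "SysWOW64")
        os.makedirs(appdata)
        os.makedirs(syswow)
        with open(os.path.join(appdata, "omsecor.exe"), "wb") as f:
            f.write(b"different content: name-only hit\n")
        with open(os.path.join(syswow, "sample.bin"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see\n")
        return sweep([root], known_hashes=known)


if __name__ == "__main__":
    print(canonical_path(r"C:\Windows\System32\omsecor.exe", process_is_32bit=True))
    for path, reason in demo():
        print(reason, path)
```

On a real host the roots would be the user's AppData tree and C:\Windows\SysWOW64; the name-only branch exists because a fourth copy with a hash not on this page would otherwise be missed.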