Analysis
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe
Resource: win7-20240708-en
General
Target: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe
Size: 33KB
MD5: 287dd909d7d485c2f7937951e4fb2050
SHA1: 3e3ae817e27459a7de49a12b750a403539335b32
SHA256: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cb
SHA512: 9c97fe1336bd377dd67f18f65a087941c1308feb1037b0e1e63c1aea868bca64df944c0c3d53c72e5c9252f0fb6492f423d2d32b8673b23984defdcf90729bb9
SSDEEP: 768:3fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:3fVRztyHo8QNHTk0qE5fslvN/956q
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)
  pid 3604, process omsecor.exe
  pid 1284, process omsecor.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
  File opened for modification: C:\Windows\SysWOW64\merocz.xc6 (process: omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4268 wrote to memory of 3604 (process: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe, procid_target: 82)
  PID 4268 wrote to memory of 3604 (process: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe, procid_target: 82)
  PID 4268 wrote to memory of 3604 (process: 13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe, procid_target: 82)
  PID 3604 wrote to memory of 1284 (process: omsecor.exe, procid_target: 92)
  PID 3604 wrote to memory of 1284 (process: omsecor.exe, procid_target: 92)
  PID 3604 wrote to memory of 1284 (process: omsecor.exe, procid_target: 92)
Processes
1. C:\Users\Admin\AppData\Local\Temp\13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\13e8bd17860c7a617c2f67fa5af6bf1e69d21006020bbc7b60fe8c94e74d08cbN.exe"
   PID: 4268
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3604
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 1284
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: 75088bcfb8598df01e051afa17b7329a
  SHA1: 108d0c2a5d84d296b2c35804e9cd46c79288d82c
  SHA256: 93303728b047b2c6f9c29d220e5bfcfe1ca433ae69870e4077445a6daacc386b
  SHA512: d2f7049883a951ffaff9f660254b52e59cc33afd77b0d99c90a60d38d506f7377b366ce033a824666ab62fea1f55e5f47ef6d61643588c559eeb139efc9f6959
- Filesize: 33KB
  MD5: 185d1763299ea252be333dc90cfbb6ab
  SHA1: d1ebf3db262bbafc18208465f150767f05cc0d1b
  SHA256: 459e121250359b812684d96b2cd245129aa482639cc52e6dee61956f73ac14e9
  SHA512: 27858cfaaac6983c6f7437408cc00198325ecd91a8ca803dc929dc0f85a761748c8d79dfbdc5abd88edf8cb444f8d3da52f8201b82a28537bd6a2f77877336d2