Analysis
- max time kernel: 114s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/12/2024, 22:06
Behavioral task: behavioral1
- Sample: 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe
- Resource: win7-20241010-en
General
- Target: 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe
- Size: 61KB
- MD5: 587f1c746ca05559da45ca63829d112d
- SHA1: 879d27fad040dd1aacfe9ba47ea83bc73316e284
- SHA256: 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16
- SHA512: 4692c21f0b55a04460245e3caebee339e736b258b3207cdc98c1d6e6fe80e9296fdd143a17bcc73da584a06ac8a6403773cc83a8a220833c10313b1c23f9c08d
- SSDEEP: 1536:Fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5N:tdseIOMEZEyFjEOFqTiQmil/5N
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid | Process
  4844 | omsecor.exe
  2440 | omsecor.exe
  4512 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1752 wrote to memory of 4844 | 1752 | 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe | 82
  PID 1752 wrote to memory of 4844 | 1752 | 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe | 82
  PID 1752 wrote to memory of 4844 | 1752 | 521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe | 82
  PID 4844 wrote to memory of 2440 | 4844 | omsecor.exe | 92
  PID 4844 wrote to memory of 2440 | 4844 | omsecor.exe | 92
  PID 4844 wrote to memory of 2440 | 4844 | omsecor.exe | 92
  PID 2440 wrote to memory of 4512 | 2440 | omsecor.exe | 93
  PID 2440 wrote to memory of 4512 | 2440 | omsecor.exe | 93
  PID 2440 wrote to memory of 4512 | 2440 | omsecor.exe | 93
Processes (process tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe"
  PID: 1752
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 4844
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2440
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4512
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61KB
  MD5: e8d9e2099ee46afd92697096e1515d9c
  SHA1: 79c62bf362801216debbbb392418c99a79d89388
  SHA256: 93b80bbfebcba602026554e7912f623bead0cd143ffa176c52afe2855b7d97bb
  SHA512: d93731ac4cd3a215641e64cd718982903740c766a5070f5e16efaab2f3bcabd2d289a44d0f0857dd01835247d2f2b6b2ee9256bf288a495778d18c156ac1a998
- Filesize: 61KB
  MD5: d30091f295418f77b653e358d229415e
  SHA1: 314a990a5a3d2cc5f845d6ba7518fc2136d909d2
  SHA256: 4c1cabdaf5306eec96a0828e4fda831be6ed18579e6ccfff29a3f1e476bccc69
  SHA512: 039e4aaccf7a56ee00e8c04684d62353609628d499f6bddb059eb79bc940d50d9bde17a7260c1b21161333af0cfc689553cffd5ec08139be5341a31b6b810805
- Filesize: 61KB
  MD5: b4e80b040e8bf230c3dde36b5402eed5
  SHA1: ddbdc3dd0d896e4b63966604d5ef3433cb782735
  SHA256: 6997a4775909e346a3e17d9665ad8f40e2c1972ac4fbc325492f805d6cbdc7d6
  SHA512: 3290bb40476a84d79401aad9cdd8ba5bee4f968cce71ae4c0f24cf01db932f4a344609d058c97e9adc08cd1f5de54c5f3e10a26be702ca5f15130053471af2b0