Analysis
  max time kernel:   115s
  max time network:  119s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         22/12/2024, 14:34
Behavioral task: behavioral1
  Sample:    5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
  Resource:  win7-20240903-en
General
  Target:   5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
  Size:     71KB
  MD5:      3958deddaef3fe3737c2a7566c3f3800
  SHA1:     051a7a844e9bf717ee161af71333a78115aac3b8
  SHA256:   5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5c
  SHA512:   29c580730edeebabf5b0c49abc058c64b1d2d1fe21f285d0cff4f07c49a43e2efbd0629c89a9a2742f3a16fa1a69cb882605e6e25fbe0f93e6352918d087657f
  SSDEEP:   1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:4dseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
  Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures
  - Neconyd family
  - Executes dropped EXE (3 IoCs)
      PID   Process
      1816  omsecor.exe
      4496  omsecor.exe
      2556  omsecor.exe
  - Drops file in System32 directory (1 IoC)
      Description   IoC                              Process
      File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  - System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
      Description  IoC                                                          Process
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  - Suspicious use of WriteProcessMemory (9 IoCs)
      Description                       PID   Process                                                                  procid_target
      PID 4712 wrote to memory of 1816  4712  5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe  83
      PID 4712 wrote to memory of 1816  4712  5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe  83
      PID 4712 wrote to memory of 1816  4712  5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe  83
      PID 1816 wrote to memory of 4496  1816  omsecor.exe                                                              93
      PID 1816 wrote to memory of 4496  1816  omsecor.exe                                                              93
      PID 1816 wrote to memory of 4496  1816  omsecor.exe                                                              93
      PID 4496 wrote to memory of 2556  4496  omsecor.exe                                                              94
      PID 4496 wrote to memory of 2556  4496  omsecor.exe                                                              94
      PID 4496 wrote to memory of 2556  4496  omsecor.exe                                                              94
Processes
  1. C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe  (PID 4712)
     Command line: "C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe"
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1816)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\omsecor.exe  (PID 4496)
           Command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
           4. C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2556)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads