Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2024, 22:10
Behavioral task: behavioral1
Sample: 6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe
Resource: win7-20240903-en

General
Target: 6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe
Size: 88KB
MD5: f4fc90fbccd049176e76e4ac9470c4ce
SHA1: 990e169ef96d575880fc9919dbd529a1bb418060
SHA256: 6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9
SHA512: fb986df49e79a46e09af823ffdc2acdea4ec87d163372192183f0083b550e867ce366b910cc2ad4a2ac6f67a20e54595c27317ad133ae52ce71184d55646bdf7
SSDEEP: 1536:od9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:YdseIOMEZEyFjEOFqTiQm5l/5R
Malware Config
Extracted (family: neconyd)
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
4456  omsecor.exe
1052  omsecor.exe
3584  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process                                                               procid_target
PID 3644 wrote to memory of 4456   3644  6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe  82
PID 3644 wrote to memory of 4456   3644  6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe  82
PID 3644 wrote to memory of 4456   3644  6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe  82
PID 4456 wrote to memory of 1052   4456  omsecor.exe                                                           92
PID 4456 wrote to memory of 1052   4456  omsecor.exe                                                           92
PID 4456 wrote to memory of 1052   4456  omsecor.exe                                                           92
PID 1052 wrote to memory of 3584   1052  omsecor.exe                                                           93
PID 1052 wrote to memory of 3584   1052  omsecor.exe                                                           93
PID 1052 wrote to memory of 3584   1052  omsecor.exe                                                           93
Processes

1. C:\Users\Admin\AppData\Local\Temp\6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe"
   PID: 3644
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4456
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1052
         Note: the command line names System32 but the image runs from SysWOW64. This is a 32-bit process (the task is tagged arch:x86), so WoW64 file-system redirection maps the System32 path to SysWOW64; the same redirection is why the "Drops file in System32 directory" signature records the file under C:\Windows\SysWOW64.
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3584
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
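As an added example (not tria.ge's own code), the Python below rebuilds the process lineage from the WriteProcessMemory rows and the Processes tree above and applies two triage heuristics to it: a same-named binary hopping between a user-writable directory and System32/SysWOW64 (the omsecor.exe ping-pong), and a dropped executable that also opened the NLS\Language key. The pid, path and event rows are transcribed from this report; the rule names and the path classes used to decide "user-writable" versus "system" are my own assumptions, not tria.ge definitions.

```python
"""Added example, not tria.ge code: rebuild the Neconyd process lineage from the
report's WriteProcessMemory rows and apply two triage heuristics to it.
Event rows are transcribed from this report; rule names are assumptions."""
import ntpath

SAMPLE = "6ad1e780eaf23d117e9aac7400900fcf19f4fc83f8a64492a0e942886b143af9.exe"

# pid -> image path, from the Processes section of the report.
PROCESSES = {
    3644: ntpath.join("C:\\Users\\Admin\\AppData\\Local\\Temp", SAMPLE),
    4456: "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
    1052: "C:\\Windows\\SysWOW64\\omsecor.exe",
    3584: "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
}

# (source pid, target pid) from "PID X wrote to memory of Y". tria.ge lists
# each event three times; the duplicates are kept here to show the dedupe.
WPM_EVENTS = [
    (3644, 4456), (3644, 4456), (3644, 4456),
    (4456, 1052), (4456, 1052), (4456, 1052),
    (1052, 3584), (1052, 3584), (1052, 3584),
]

# Process names that opened NLS\Language (System Language Discovery rows).
NLS_READERS = ["omsecor.exe", "omsecor.exe", SAMPLE, "omsecor.exe"]

# Assumed path classes for the heuristics (not a tria.ge definition).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def build_tree(events):
    """Dedupe (parent, child) edges, keeping first-seen order."""
    tree = {}
    for parent, child in dict.fromkeys(events):
        tree.setdefault(parent, []).append(child)
    return tree


def lineage(tree, pid):
    """Follow parent links back to the root; returns [root, ..., pid]."""
    parent_of = {c: p for p, kids in tree.items() for c in kids}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def location(path):
    """Classify an image path as 'system', 'user' or 'other'."""
    low = path.lower()
    if low.startswith(SYSTEM_DIRS):
        return "system"
    if low.startswith(USER_WRITABLE):
        return "user"
    return "other"


def triage(processes, events, nls_readers):
    """Return (rule, parent_pid, child_pid) findings for every spawn edge."""
    tree = build_tree(events)
    children = {c for kids in tree.values() for c in kids}
    root = next(p for p in tree if p not in children)
    root_name = ntpath.basename(processes[root]).lower()
    readers = {n.lower() for n in nls_readers}
    findings = []
    for parent, kids in tree.items():
        for child in kids:
            ppath, cpath = processes[parent], processes[child]
            pname = ntpath.basename(ppath).lower()
            cname = ntpath.basename(cpath).lower()
            # Rule 1: the same binary name hops between a user-writable
            # directory and System32/SysWOW64 (the omsecor.exe ping-pong).
            if pname == cname and {location(ppath), location(cpath)} == {"user", "system"}:
                findings.append(("self_copy_user_system_hop", parent, child))
            # Rule 2: a dropped executable (name differs from the submitted
            # sample) that also probed the NLS\Language key.
            if cname != root_name and cname in readers:
                findings.append(("dropped_exe_probes_locale", parent, child))
    return findings


if __name__ == "__main__":
    tree = build_tree(WPM_EVENTS)
    print(" -> ".join(str(p) for p in lineage(tree, 3584)))
    for rule, parent, child in triage(PROCESSES, WPM_EVENTS, NLS_READERS):
        print(f"{rule}: {parent} ({PROCESSES[parent]}) -> {child} ({PROCESSES[child]})")
```

Run stand-alone it prints the chain 3644 -> 4456 -> 1052 -> 3584 and five findings: both omsecor.exe hops (4456 -> 1052 and 1052 -> 3584) trip the user/system rule, and all three spawned children trip the dropped-EXE-plus-locale-probe rule. The same functions work on any sandbox export once the pid/path map and the spawn edges are filled in from its own records.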
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 88KB
MD5: 62779f41ddc979fa2a1409d7e297e7fa
SHA1: 8f5fac9697209beb8939c2e058f69d348b532377
SHA256: 35251e4615c91e5be9a328a3202aec4daf637e9104c835424d4a46d86d3d4f90
SHA512: 8ffdf78dd815f567058c7a72fe9e0aeef83134b3d245fd2264e305d791f5b51f855bbd4ad617c10cc1b4907dd8971be6ac53bbb67b08204e85f687eb2728a0b1

Filesize: 88KB
MD5: 48891af185479fc1f82a2a9f397a9760
SHA1: ee0a085015948917b5aa163dafe85062d236335d
SHA256: c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6d
SHA512: 8e1b450a46d8333287f577840d0bc10317f82fe6bfe0875df0f76c3390615ce95eaa486ad21d83eb5847d09671971991100f5c17e84f4ba4641429dfaeba64c4

Filesize: 88KB
MD5: bcabe56a5acca18bfe292b932e618f3c
SHA1: 8b1fe6274467abd52d4fb441a34a6d714edad998
SHA256: 421777723d481e9ec52faec607e10c36d292ebcdc897c48abc0a5795643ef940
SHA512: a11d40cc5e7625f01a9a7458be25e1de2ac3c410d930e7b7153a7507e1a51f77948ed09fdf129592b25b2d8e9b5c244f4ca701a57b34a20da57c8e18c7767b8c