Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2024, 22:40
Behavioral task
behavioral1
Sample: 7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
Resource: win7-20241010-en
General
Target: 7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
Size: 76KB
MD5: ec8cb84b2c65d0f127c29133297ec8c7
SHA1: 8fe58ed34a15f30bfa351d1ea6bf01c7cb929496
SHA256: 7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44
SHA512: 796e0ebdd0a7488f5bff830a8bf7347feb2497d3d7f1593b65fd6f98343ea3b5c461bccf3dc039e7f9c0a60d28b9aeef2184a85c5852b37892b091821789bba5
SSDEEP: 768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:xbIvYvZEyFKF6N4yS+AQmZTl/5Ob
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  1608  omsecor.exe
  4960  omsecor.exe
  864   omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                               procid_target
  PID 716 wrote to memory of 1608    716   7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe  83
  PID 716 wrote to memory of 1608    716   7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe  83
  PID 716 wrote to memory of 1608    716   7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe  83
  PID 1608 wrote to memory of 4960   1608  omsecor.exe                                                           100
  PID 1608 wrote to memory of 4960   1608  omsecor.exe                                                           100
  PID 1608 wrote to memory of 4960   1608  omsecor.exe                                                           100
  PID 4960 wrote to memory of 864    4960  omsecor.exe                                                           101
  PID 4960 wrote to memory of 864    4960  omsecor.exe                                                           101
  PID 4960 wrote to memory of 864    4960  omsecor.exe                                                           101
Processes
1. C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe"
   PID: 716
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1608
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4960
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 864
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76KB
  MD5: 1413ff2232be960e0a952939ffd56d50
  SHA1: 3e15e41e423c20fecf79d87e420150238a29159c
  SHA256: 9d6bbe17f5488de03f4e2a0ebc929c6f7aef890a17f529219152cc3658cad48c
  SHA512: f734a8e7966c295ba17a2ccc8c851fdaabd61c601627757b33db999f1fbbe1bd75d2b64856eb1ea249e6c8be9226fc4ff2e6f612af96878667dd6fec89baefe2
- Filesize: 76KB
  MD5: 55619170e69d92853a6121a63b0783f2
  SHA1: 92e2dd41a5f985e1def9f5b42df4a403d0fbddf1
  SHA256: f81136835ed8be933f843ef5a22f7d9f3d3c9c890da4f26e4e731d04abae3872
  SHA512: 877c9ab7806aa1ff68c8bc56a1c327ffde11702821077b75129c9e6dc5eea873fa0340de577f35f6f809c040b5714b8eb69bf5e06b60430a5d6d7627de363357
- Filesize: 76KB
  MD5: 0aaf16bc4b54a627211fdc63ec3dd132
  SHA1: f3674e7309e1ad69efd2a67115293799dc608521
  SHA256: 5936345f63a4e14a1ba61f9f4b5154b772b0aad8ae6ce00d483c310908303fbe
  SHA512: e6c1afd2d16f18884a5448488c9fc8a89b51e987e1d3c31bf0a1d7b85d3983db214726d42ea7f9bf6ef293d301f979ab2e37723d7cee9d527b5bd456c58ec4e0