Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2024, 23:56
Behavioral task: behavioral1
- Sample: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
- Resource: win7-20240903-en
General
- Target: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
- Size: 89KB
- MD5: 8f079325c4c70893a16e983d451acb70
- SHA1: 3c4b83e47fa93b02f0bf42c04a0251a4da6c23b1
- SHA256: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6d
- SHA512: 4f7a00d16710af3216e7a9e953e33b8ce280cf0d09a8769d9f78801d36c46bfd488e348e67c9bee4217a43d87e5c62dcdf859706356a3043bc0e84a12a7a5a22
- SSDEEP: 768:JMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA/:JbIvYvZEyFKF6N4yS+AQmZTl/53
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  4928  omsecor.exe
  2836  omsecor.exe
  1752  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 396 wrote to memory of 4928    396   665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe  83
  PID 396 wrote to memory of 4928    396   665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe  83
  PID 396 wrote to memory of 4928    396   665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe  83
  PID 4928 wrote to memory of 2836   4928  omsecor.exe                                                               99
  PID 4928 wrote to memory of 2836   4928  omsecor.exe                                                               99
  PID 4928 wrote to memory of 2836   4928  omsecor.exe                                                               99
  PID 2836 wrote to memory of 1752   2836  omsecor.exe                                                               100
  PID 2836 wrote to memory of 1752   2836  omsecor.exe                                                               100
  PID 2836 wrote to memory of 1752   2836  omsecor.exe                                                               100
Processes
1. C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe"
   PID: 396
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4928
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 2836
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1752
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 89KB
  MD5: 404d9d59a0e9fb188bc32ec44243c3f7
  SHA1: 60f784f4ba8bfbfe5e736459c6090aea308b5d2e
  SHA256: f93668a4e871a1e7025889c02fedb2f5584845c9e79aec5619943e9283747349
  SHA512: dacb3626be87587c22255d68d4dc22f2aaa95458b434103c252edac8e191e8ba6faac80ae734ef3946147fddac1ad0acd4bea5876692ff883ee6eb329b57d230
- Filesize: 89KB
  MD5: 36335d6d208518e28f1af8e4a063ff57
  SHA1: 957f080cd7cfe3e478b854056546f607b51fab75
  SHA256: 20c85413f71fda26627686a43e67748498ae2d403b8d79efb501af7977d954cc
  SHA512: 1ed06a264140956e3638d75c9a77c32f2d73b3cbde8ec0996102ead4a6adeb0dfda9a095caeacf91c22e17d79d68661106c22e46ac7369572fca7971e0cf5ade
- Filesize: 89KB
  MD5: 6ab91b57f2873ffa753a1f276bd346d6
  SHA1: 8ebc7ec7fec001f05e1b51ba5a7951f3462de36b
  SHA256: c7a769c450fda034e4fe7a0c83c62fc391ea6c5db12c39cc4c3af4e3f7ea22e5
  SHA512: 0f1dd8e48a7a4f9aceb4cd2286098e219fe755290e78faaf09fdc3c39dd8d5db96e9e9e33196eeffc3c53e57f6210f0a856cd6cb80515b637040c9acaa15a95a