Analysis
  max time kernel: 145s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/12/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
  Resource: win7-20240903-en
General
  Target: 49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
  Size: 33KB
  MD5: 493ff34e77901f716fab30569f3128b1
  SHA1: 34306b4a8a27bb745b8dfc769243cc762bd64c9a
  SHA256: 49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4
  SHA512: 16dbef0509ef3b4be44ab3e866b57fc4f782f2b9f280ee7e2bf000275adabe03fe9a7b76a9c7f4372aa7257f04237dfbeef676654fea95518f4bfd100d3b26ba
  SSDEEP: 768:KfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:KfVRztyHo8QNHTk0qE5fslvN/956q
Malware Config
  Extracted family: neconyd
  C2 URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
  PID   Process
  448   omsecor.exe
  2212  omsecor.exe
  2184  omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                                                procid_target
  PID 2756 wrote to memory of 448   2756  49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe  82
  PID 2756 wrote to memory of 448   2756  49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe  82
  PID 2756 wrote to memory of 448   2756  49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe  82
  PID 448 wrote to memory of 2212   448   omsecor.exe                                                            92
  PID 448 wrote to memory of 2212   448   omsecor.exe                                                            92
  PID 448 wrote to memory of 2212   448   omsecor.exe                                                            92
  PID 2212 wrote to memory of 2184  2212  omsecor.exe                                                            93
  PID 2212 wrote to memory of 2184  2212  omsecor.exe                                                            93
  PID 2212 wrote to memory of 2184  2212  omsecor.exe                                                            93
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe"
  PID: 2756
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 448
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2212
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2184
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 33KB
  MD5: 29042b787fc7ba8ab359de83a9836119
  SHA1: 036a1efae29053fcc96feb0f2e5f82cc7299d5c8
  SHA256: 1c2dbdcbdd70b4a927d6ac2ab30117a20cafdcaf9cfb00a832d1fee917f869bf
  SHA512: 80006757ef5ce49e8f1bfc62d01ab6b9219b85f34e578238ff3d55d3f4301884491b070e02e8b473f223689ddc59af351f05cc9f9b13f094b869cead44e44206

Filesize: 33KB
  MD5: f92fc5e0628606295f6cd606c22117ac
  SHA1: 44dc0ffaba50c24431bce011255103c07790c587
  SHA256: 5391afaadd073bee9decab8bfbb45a74dffe284d692c1e74eed880a17b4cc1a5
  SHA512: aebbd0544743f923f38cb8e1c8592d75e31f4d41ec9a6276937a256e62e85f0d8900a5e04a6d59f9e55b3ad9907b72e4e19c4d94365eb2caf52492b24cc2bd57

Filesize: 33KB
  MD5: ab67f219e57e9907f75cd9be17d9e81f
  SHA1: cdddb9def328a0a5942df44b16e4d915ec4f9f10
  SHA256: f10566fc010052b0eed8d8fd073649f83f67dffcaf3affb41bfb308ec8bb8278
  SHA512: 2a610f94f34fdf5be2bfb6aceef3f654a46c87274eec2a6a750c8afb30e772f7110e32ca7774c66c2cb545224c858f2aa2054ec3e463d9397cc2dc29a6194429