Analysis
max time kernel: 114s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 13:13
Behavioral task: behavioral1
Sample: d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Resource: win7-20241010-en
General
Target: d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Size: 92KB
MD5: 4e4dbc0d7fa4ec586b9c1ec635942faf
SHA1: 7977b5c48cb725afa4d7bea9b9bdc0d182c8299f
SHA256: d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a
SHA512: 08533947db74605344113ebf8ea7f160bf59de80a2f4d12df382495d53f70b0c0e44b87e512c5d433b8c30aed35d4da149808306372cd2bb8325c15812d70121
SSDEEP: 1536:sd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5V:UdseIOyEZEyFjEOFqTiQm5l/5V
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid    Process
1724   omsecor.exe
4868   omsecor.exe
4116   omsecor.exe

Drops file in System32 directory (1 IoC)
description    ioc                               Process
File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid    Process                                                                 procid_target
PID 2560 wrote to memory of 1724    2560   d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe   82
PID 2560 wrote to memory of 1724    2560   d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe   82
PID 2560 wrote to memory of 1724    2560   d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe   82
PID 1724 wrote to memory of 4868    1724   omsecor.exe                                                             92
PID 1724 wrote to memory of 4868    1724   omsecor.exe                                                             92
PID 1724 wrote to memory of 4868    1724   omsecor.exe                                                             92
PID 4868 wrote to memory of 4116    4868   omsecor.exe                                                             93
PID 4868 wrote to memory of 4116    4868   omsecor.exe                                                             93
PID 4868 wrote to memory of 4116    4868   omsecor.exe                                                             93
Processes

1. C:\Users\Admin\AppData\Local\Temp\d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe"
   PID: 2560
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1724
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4868
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4116
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 92KB
MD5: 4f9a20f19fd6a06b7e007f4c87a02b98
SHA1: aa6fd84b205fb4ea7380ac8098d965226a40efe1
SHA256: af76a3d1e1ea5a3eb2c48cf44424cb6be18972b9715d30761b0916c44dbac69a
SHA512: c57433e518efc03bc17323d22d8141a8a283a75bff44917268ba33842662a25c87a4fe4b5e0d7fbc0a2386afc5cd970bcb17928e29a1e021b38eb6aa679af40c

Filesize: 92KB
MD5: 2311f2c6b6485ec165f981a713d5cc06
SHA1: a1b028caf711dee1fd21c0b31f372549b88ea0e0
SHA256: bb8b9780732ff626c5a94f4a34c32dfc28f8503594a768df7ed937aa7dbd104e
SHA512: ceb18eced48411ba052a5215032caa6c988247b4ef71c1a183272dfe7bd725e5de73b8c98256c17df9ef40ec5d6709104e0ae456a129f52699d7986d410f0074

Filesize: 92KB
MD5: a924d460b85ca51c0698de74a8283763
SHA1: 598cf73820e86fac7bfab51ddc4d86f118ae3c71
SHA256: 80ce2a1ef9e3de89acd34525f35d293ef47bee916595498de9971144d4f09576
SHA512: 430df855eea3c4bde6e63fb4c80c0e9f6ced2858728997105590b7ed8c30730505e5c1fab9427944b207f3213364d72186e6ec39be2654ffa3be98299efc18d9