Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 16:19
Behavioral task: behavioral1
Sample: 24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe
Resource: win7-20240729-en
General
Target: 24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe
Size: 89KB
MD5: bbc94aacd015ca2f333cdd6830a88520
SHA1: e70f0f5184d16f9094ddb4826be8f2fe85b0c6e2
SHA256: 24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8
SHA512: 2300af48bd6e724b2015c12a05ccbe17383d703a109cae0ff68ef1c42fb0ba3b3921006fe5e7594f7467598fcde76f31e135c8f99efb7dcd14528aa610897f78
SSDEEP: 768:V2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:V2bIvYvZEyFKF6N4yS+AQmZTl/5d
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
    pid   Process
    1972  omsecor.exe
    2148  omsecor.exe
    2296  omsecor.exe
- Drops file in System32 directory (1 IoC)
    description   ioc                              Process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
    description                       pid   Process                                                                 procid_target
    PID 1644 wrote to memory of 1972  1644  24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe  82
    PID 1644 wrote to memory of 1972  1644  24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe  82
    PID 1644 wrote to memory of 1972  1644  24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe  82
    PID 1972 wrote to memory of 2148  1972  omsecor.exe                                                             92
    PID 1972 wrote to memory of 2148  1972  omsecor.exe                                                             92
    PID 1972 wrote to memory of 2148  1972  omsecor.exe                                                             92
    PID 2148 wrote to memory of 2296  2148  omsecor.exe                                                             93
    PID 2148 wrote to memory of 2296  2148  omsecor.exe                                                             93
    PID 2148 wrote to memory of 2296  2148  omsecor.exe                                                             93
Processes
1. C:\Users\Admin\AppData\Local\Temp\24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe"
   PID: 1644
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1972
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2148
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2296
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads