Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 17:28

Behavioral task: behavioral1
Sample: 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
Resource: win7-20241010-en
General
Target: 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
Size: 89KB
MD5: 5a33e3253691cc6f38e096c9d378bca7
SHA1: ca893cc11e1ac841f5a9e30e586dbb27e62ca08b
SHA256: 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74
SHA512: 555efd1af8e049111b8f0748f7faa0664fcb73c2f24914869b3598a0194ca73994ab7b110679a90ebbbd299c66da3d65cf2e296c415ae9a711f83315eca8b748
SSDEEP: 768:pMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAV:pbIvYvZEyFKF6N4yS+AQmZTl/59
Malware Config
Extracted
Family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
1976  omsecor.exe
4556  omsecor.exe
4508  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                                procid_target
PID 2808 wrote to memory of 1976  2808  9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe  83
PID 2808 wrote to memory of 1976  2808  9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe  83
PID 2808 wrote to memory of 1976  2808  9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe  83
PID 1976 wrote to memory of 4556  1976  omsecor.exe                                                            100
PID 1976 wrote to memory of 4556  1976  omsecor.exe                                                            100
PID 1976 wrote to memory of 4556  1976  omsecor.exe                                                            100
PID 4556 wrote to memory of 4508  4556  omsecor.exe                                                            101
PID 4556 wrote to memory of 4508  4556  omsecor.exe                                                            101
PID 4556 wrote to memory of 4508  4556  omsecor.exe                                                            101

Each writer/target pair above is recorded three times with identical source, target and process, so the nine IoCs describe three process creations (2808 → 1976 → 4556 → 4508), which is the same chain shown in the process tree. Read this signature as "parent wrote into a child it had just created", not as nine separate injection events.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe"
   PID: 2808
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1976
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4556
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4508
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

The third process is started with the command line C:\Windows\System32\omsecor.exe, but its image path is C:\Windows\SysWOW64\omsecor.exe, which is also where the "Drops file in System32 directory" signature recorded the file being created. That is WoW64 file-system redirection: a 32-bit process on 64-bit Windows that writes to or executes a path under %windir%\System32 is transparently redirected to %windir%\SysWOW64. When hunting for this sample on a 64-bit host, look for omsecor.exe under SysWOW64 (and under %APPDATA%), not at the System32 path the command line names; on a 32-bit host the same code would land in System32 itself.
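The nine WriteProcessMemory rows and the process tree above describe the same three process creations. The following added example (not part of the tria.ge report, and not Hatching's code) parses those rows as they appear in the Signatures section, collapses the repeated entries into unique parent/child edges, and rebuilds the chain, stopping safely if a tree ever branches or loops. The row text and the PID-to-image map are taken from this report; nothing else is assumed.

```python
import re
from collections import OrderedDict

# Constructed input: the nine "Suspicious use of WriteProcessMemory" rows from
# the Signatures section above, one per line, in the report's column order
# (description, pid, Process, procid_target).
WPM_ROWS = """\
PID 2808 wrote to memory of 1976 2808 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe 83
PID 2808 wrote to memory of 1976 2808 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe 83
PID 2808 wrote to memory of 1976 2808 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe 83
PID 1976 wrote to memory of 4556 1976 omsecor.exe 100
PID 1976 wrote to memory of 4556 1976 omsecor.exe 100
PID 1976 wrote to memory of 4556 1976 omsecor.exe 100
PID 4556 wrote to memory of 4508 4556 omsecor.exe 101
PID 4556 wrote to memory of 4508 4556 omsecor.exe 101
PID 4556 wrote to memory of 4508 4556 omsecor.exe 101
"""

# Image name per PID, taken from the Processes section. The signature's
# Process column only names the writer, so the leaf (4508) needs this map.
PROCESS_NAMES = {
    2808: "9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe",
    1976: "omsecor.exe",
    4556: "omsecor.exe",
    4508: "omsecor.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_edges(rows):
    """Collapse the rows into unique (writer_pid, target_pid) edges.

    Returns an insertion-ordered dict {(src, dst): count}. Rows that do not
    match the expected shape are skipped rather than guessed at.
    """
    edges = OrderedDict()
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        edges[key] = edges.get(key, 0) + 1
    return edges


def children_of(edges):
    """Parent -> [children] adjacency, preserving the report's order."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def build_chain(edges, root):
    """Follow the tree from root while it is a single straight line of creations.

    Stops at the first branch or cycle so a malformed or branching tree never
    loops forever; compare len(chain) against the number of PIDs to notice that.
    """
    adj = children_of(edges)
    chain, seen, pid = [root], {root}, root
    while len(adj.get(pid, [])) == 1 and adj[pid][0] not in seen:
        pid = adj[pid][0]
        seen.add(pid)
        chain.append(pid)
    return chain


def render_tree(edges, root, names):
    """Return an indented text tree of PIDs and image names, depth-first."""
    adj = children_of(edges)
    lines = []

    def walk(pid, depth, seen):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in adj.get(pid, []):
            if child not in seen:
                walk(child, depth + 1, seen | {child})

    walk(root, 0, {root})
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print(f"{sum(edges.values())} rows -> {len(edges)} process creations")
    print(render_tree(edges, 2808, PROCESS_NAMES))
```

Running it prints the 9-to-3 collapse and the four-level tree; on a report where the same parent writes into a child far more than three times, or into a PID that never appears as a child, the counts from parse_edges are the place to look for real injection rather than process creation.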
Network
MITRE ATT&CK Enterprise v15
Downloads
All three files listed here are 89KB, the same size as the submitted sample, but each has a different MD5/SHA1/SHA256/SHA512 from the sample and from the other two. A detection keyed only on the submitted sample's hashes will therefore not match these files; hunt on the paths and behaviour recorded in the Signatures section as well.

Filesize: 89KB
MD5: fc6f0a0ace7f781105b34b94d6ccf3f9
SHA1: da12cb53f094a05a28bf858752052119b9fdee96
SHA256: 9cbaf7508df962d10fae54b08ca63637ef619bbce11b514221177c4ebe9058a1
SHA512: e0372e6ea69d21c203c8d4a16f85f21845614830bbe600305dc9dcf6a87e1cdb57f41c0367d3561697b7b47bb14af07330fb379129f05dd90d6055096a802e53

Filesize: 89KB
MD5: 953b5dcbee95440d38892ee7f4c84e50
SHA1: bad61f40f24102dc184116dbe839547816ba020f
SHA256: f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22
SHA512: 5e9ffe005d1e3e383d9a6fc1b9892d734bd7a6ecc38b983a2136aed43aab1a0f754e277b1b66876056925fdd6b584b545ccddb5a0fe9bc1ac7b2b1a89becd0c4

Filesize: 89KB
MD5: cc2f8ef9ea3f85f5af7418125f3a27cd
SHA1: c1b8f6a6a20786683542da94005db1b70fdbcc04
SHA256: 2dcb0e4459567d2ec3b75dceccad64b5da94a6b18256b4c00ceff30c522d0932
SHA512: 9e825ce374f555d7988f9ae1c402e4551ed86e86f4553d1ccefb454be66941c215c751dddff522d4aeb2e2ff411626a28173f2ea0669f031733832bd671fd0f2
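Because the hashes of the files on this page differ from one another, a practical matcher needs a path rule alongside the hash rule, and the path rule has to treat System32 and SysWOW64 as the same place (the report records the drop under SysWOW64 while the command line names System32). The following added example (not part of the tria.ge report, and not Hatching's code) does that over a constructed file listing. The SHA-256 values and the two omsecor.exe locations are copied from this report; the host user name "jdoe", the listing itself, and the two placeholder hashes ("11"*32, "22"*32) are made up for the demonstration.

```python
import re

# IoCs copied from this report: the two on-disk locations of omsecor.exe and
# the SHA-256 of the submitted sample plus the three files under Downloads.
REPORT_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"C:\Windows\SysWOW64\omsecor.exe",
]
REPORT_SHA256 = {
    "9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74": "submitted sample",
    "9cbaf7508df962d10fae54b08ca63637ef619bbce11b514221177c4ebe9058a1": "download 1",
    "f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22": "download 2",
    "2dcb0e4459567d2ec3b75dceccad64b5da94a6b18256b4c00ceff30c522d0932": "download 3",
}

_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\")
_SYSDIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\")


def normalize(path):
    """Canonical, case-folded form of a Windows path for IoC comparison.

    The sandbox user (Admin) is folded to %userprofile%, and System32 and
    SysWOW64 are folded together, because WoW64 file-system redirection sends
    a 32-bit process that touches System32 to SysWOW64 (which is exactly what
    the report's "Drops file in System32 directory" row shows).
    """
    p = path.replace("/", "\\").lower()
    p = _PROFILE.sub(lambda m: "%userprofile%\\", p)
    p = _SYSDIR.sub(lambda m: "%sysdir%\\", p)
    return p


REPORT_PATH_KEYS = {normalize(p) for p in REPORT_PATHS}


def match_file(path, sha256):
    """Classify one (path, sha256) record against the report's IoCs.

    Returns (verdict, detail): "hash" for an exact hash match, "path" for
    omsecor.exe sitting where the report saw it (the hash may differ, as the
    three downloads on this page already differ from the sample and from each
    other), or None when nothing matches.
    """
    h = sha256.lower()
    if h in REPORT_SHA256:
        return "hash", REPORT_SHA256[h]
    key = normalize(path)
    if key in REPORT_PATH_KEYS:
        return "path", key
    return None, ""


def scan(records):
    """Return [(path, verdict, detail)] for every record that matched."""
    hits = []
    for path, sha256 in records:
        verdict, detail = match_file(path, sha256)
        if verdict:
            hits.append((path, verdict, detail))
    return hits


# Constructed file listing for a hypothetical host with user "jdoe". The first
# and last hashes are placeholders; the middle two are values from this report.
SAMPLE_LISTING = [
    (r"C:\Users\jdoe\AppData\Roaming\omsecor.exe", "11" * 32),
    (r"C:\Windows\System32\omsecor.exe",
     "f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22"),
    (r"D:\quarantine\sample.bin",
     "9EF94536697ACAA39FAEA754E15F488AB748E62DDC15BA1A9DDB08A1C3622D74"),
    (r"C:\Windows\System32\notepad.exe", "22" * 32),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LISTING):
        print(hit)
```

The first record is the important one: a fresh copy of omsecor.exe in a different user's roaming profile, with a hash this report never saw, still fires on the path rule. Feed scan() the output of whatever inventory tool you already have (a CSV of path and SHA-256 is enough); the hash check is case-insensitive so mixed-case tool output does not matter.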