Analysis
max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
30/12/2024, 15:07
Behavioral task
behavioral1
Sample
fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Resource
win7-20241010-en
General
Target
fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Size
80KB
MD5
b1f8acd97175c71200908ec76ccf7906
SHA1
6c276b3aa94849880068b9f1c25490cc4e9e7152
SHA256
fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe
SHA512
489d8d4f949677a5784035d297561d883c7260492247504c107918847b49d02fdea5cf1b553dabb7ba163d1108fb4c93e12253d03ca58582268308ada1dc4c9c
SSDEEP
768:tfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:tfbIvYvZEyFKF6N4yS+AQmZTl/5m
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid  | Process
  4772 | omsecor.exe
  3000 | omsecor.exe
  1912 | omsecor.exe
- Drops file in System32 directory (1 IoCs)
  description  | ioc                             | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                                               | procid_target
  PID 2928 wrote to memory of 4772 | 2928 | fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe | 83
  PID 2928 wrote to memory of 4772 | 2928 | fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe | 83
  PID 2928 wrote to memory of 4772 | 2928 | fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe | 83
  PID 4772 wrote to memory of 3000 | 4772 | omsecor.exe                                                           | 100
  PID 4772 wrote to memory of 3000 | 4772 | omsecor.exe                                                           | 100
  PID 4772 wrote to memory of 3000 | 4772 | omsecor.exe                                                           | 100
  PID 3000 wrote to memory of 1912 | 3000 | omsecor.exe                                                           | 101
  PID 3000 wrote to memory of 1912 | 3000 | omsecor.exe                                                           | 101
  PID 3000 wrote to memory of 1912 | 3000 | omsecor.exe                                                           | 101
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2928
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4772
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3000
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1912
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
80KB
MD5
d7e912cd743b0bd5519d91debc0fc60c
SHA1
3f8d71605c781afd0336e98cb243ff9662ab4b8e
SHA256
cd1961b57e562b8b8f5d9cd0d76bb72b3c29879fee45c4fb5b21f1c95aa572d1
SHA512
c4af01cfb02b7bc12bede6e2a769c3137351fe3474a8d63c55ff3dde0d2abe5d729bd2c34d1a53a07ca1827a5218b1754a9b899041147e1b7c2930c9127f9da5

Filesize
80KB
MD5
f769355d1e6c412d80086fdd3d4e3295
SHA1
f68bd478681f304b660ac64814dc4a2434507d5d
SHA256
4930fa8fc38453eb9cd216b34e294a61b37e1598745aa67c709f0489e1b8f4c2
SHA512
4aeca2c79b16a93860b1d2f997c810181dd53d9ed4c600454c5a01ba4eaefc53aeeba25efda4d779f00dcdfea4f91d6097f912bf7a897ba8af707626787fa565

Filesize
80KB
MD5
c9f042ed5c9f6cd666493690e22944c0
SHA1
71c5fc743f1080cab8ae4e5d1ba14654e432c2f8
SHA256
9c9c75bc37c8dd6ad611c20c726dc724446cf09d7ea134f1dfa3eb33ac0647f1
SHA512
3328439af74c229a31ac5ef4bc1a733c6e32078f4179e2e6fb24c92e613e24031b75dfe0432093b98a7a7dc45bbc47edb29fafad845ff25416f68d5cdf3fc3eb