Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 145s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/01/2025, 06:38

Behavioral task: behavioral1
Sample: b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe
Resource: win7-20240903-en
General
Target: b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe
Size: 70KB
MD5: b483ab5c9018ea96cb70d2b40c4f8d1e
SHA1: 5d28d055562b55df9e4d4aa9e87c1a8907598d5d
SHA256: b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429
SHA512: 3acd494d5c4264d186ad246fc7e189102b0b7deaaadcbb38556a618d04fe8bd29d1ef0368c97e05c0992a0f83759ca9fe6e7e6ec1f8b380dd1160388acbc1ace
SSDEEP: 1536:kd9dseIOcE93bIvYvZEyF4EEOF+N4yS+AQmZsDHNzfE:cdseIOMEZEyFjEOFuTiQm+DHNzfE
Malware Config
Extracted family: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
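The hashes in General and the extracted URLs above are the indicators a responder would push into DNS and file-hash hunting. The script below is an added example (not part of the tria.ge report) that does both: it matches DNS query names against the extracted hosts, including subdomains while avoiding the suffix trap where "notlousta.net" would match "lousta.net", and compares a file's digests against the report's hash columns. The hash values and URLs are the report's own; the DNS log format, the log lines and the hashed bytes are constructed for illustration.

```python
"""Hunt for this report's IoCs in DNS logs and on-disk files.

Added example; it is not part of the tria.ge report. The URLs and hashes
are copied from the report. The DNS log format, the log lines and the file
content hashed at the end are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Extracted neconyd URLs (from the report's Malware Config section).
NECONYD_URLS = [
    "http://ow5dirasuek.com/",
    "http://mkkuei4kdsz.com/",
    "http://lousta.net/",
]

# Hashes from the report: the submitted sample plus the two 70KB downloads.
KNOWN_HASHES = {
    "md5": {
        "b483ab5c9018ea96cb70d2b40c4f8d1e",
        "314f3c09230b1fd02e44991f7a3753d2",
        "192d1b14b74e47bdcecf80a0a7358162",
    },
    "sha1": {
        "5d28d055562b55df9e4d4aa9e87c1a8907598d5d",
        "0b65552bf6f4fefa40fa09060b1df05e39542680",
        "d601f3784e3fdce7fc0300cb5835b80b20fcb7d1",
    },
    "sha256": {
        "b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429",
        "9485a470fde4b2b07930258c8b999d1af7e342c6cfabd0b7e55fe6d0793c76a5",
        "d7ccc24d5b966d2e3d7df05241d3b7af4eee1f99536a358241a271be357004df",
    },
}


def c2_hosts(urls):
    """Lowercase hostnames of the extracted URLs (the part worth matching in DNS)."""
    return {urlparse(u).hostname.lower() for u in urls}


def domain_matches(qname, hosts):
    """True if qname is one of hosts or a subdomain of one.

    Matching on "." + host avoids the suffix trap where 'notlousta.net'
    would match 'lousta.net' under a plain endswith().
    """
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in hosts)


# Constructed log format (assumption): "<timestamp> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def scan_dns_log(lines, hosts):
    """Return (client, qname) for every query that resolves a C2 host."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and domain_matches(m["qname"], hosts):
            hits.append((m["client"], m["qname"]))
    return hits


def digests(data):
    """MD5/SHA1/SHA256 of a byte string, matching the report's hash columns."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_algorithms(data):
    """Which hash algorithms tie this content to an artifact in the report."""
    d = digests(data)
    return {algo for algo, value in d.items() if value in KNOWN_HASHES[algo]}


# Constructed DNS log lines (not from the report).
SAMPLE_DNS_LOG = [
    "2025-01-09T06:40:01Z 10.0.0.12 query lousta.net",
    "2025-01-09T06:40:02Z 10.0.0.12 query cdn.ow5dirasuek.com",
    "2025-01-09T06:40:03Z 10.0.0.19 query example.com",
    "2025-01-09T06:40:04Z 10.0.0.19 query notlousta.net",
]

if __name__ == "__main__":
    hosts = c2_hosts(NECONYD_URLS)
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG, hosts):
        print(f"C2 lookup from {client}: {qname}")
    # On a real host the bytes would come from open(path, "rb").read().
    print("known artifact:", matching_algorithms(b"constructed, not the sample"))
```

Only the first two log lines should be reported: the third is unrelated and the fourth is the suffix trap. Hash matching is exact, so it catches the submitted sample and the two downloaded 70KB files but not a repacked variant; the SSDEEP value in General is what you would use for fuzzy matching of those.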
Signatures

Neconyd family

Executes dropped EXE (2 IoCs)
  PID   Process
  3456  omsecor.exe
  3208  omsecor.exe

Drops file in System32 directory (2 IoCs)
  Description                   IoC                              Process
  File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process                                                                   procid_target
  PID 3656 wrote to memory of 3456  3656  b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe  85
  PID 3656 wrote to memory of 3456  3656  b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe  85
  PID 3656 wrote to memory of 3456  3656  b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe  85
  PID 3456 wrote to memory of 3208  3456  omsecor.exe                                                               102
  PID 3456 wrote to memory of 3208  3456  omsecor.exe                                                               102
  PID 3456 wrote to memory of 3208  3456  omsecor.exe                                                               102
Processes

1. C:\Users\Admin\AppData\Local\Temp\b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe"
   PID: 3656
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3456
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3208
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery

Note on the third process: its command line names C:\Windows\System32\omsecor.exe, but the image actually runs from C:\Windows\SysWOW64\omsecor.exe. That is WOW64 file system redirection, which applies only to 32-bit processes on 64-bit Windows and maps their System32 file operations onto SysWOW64; it is also why the "Drops file in System32 directory" signature lists SysWOW64 paths. When hunting on a host, check both directories.
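The WriteProcessMemory IoCs above only say which PID wrote into which; whether that is alarming depends on how the two processes are related, which the process tree provides. The script below is an added example (not part of the tria.ge report) that parses the six IoC descriptions, collapses the repeated calls per writer/target pair, and classifies each pair against the tree: a write into a process the writer itself spawned (as here: 3656 into 3456, 3456 into 3208) is the pattern of a parent patching its own child, while a write into any other process would be cross-process injection. The IoC text and the tree are the report's; the extra record with PID 4444 is constructed to exercise the other branches.

```python
"""Correlate 'Suspicious use of WriteProcessMemory' IoCs with the process tree.

Added example; not part of the tria.ge report. The six IoC descriptions and
the PID/parent relationships are taken from the report. The record involving
PID 4444 is constructed to show how a write into a process the writer did not
spawn is reported.
"""
import re
from collections import Counter

WRITE_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")

# Process tree from the report: pid -> (image path, parent pid).
PROCESS_TREE = {
    3656: (r"C:\Users\Admin\AppData\Local\Temp\b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe", None),
    3456: (r"C:\Users\Admin\AppData\Roaming\omsecor.exe", 3656),
    3208: (r"C:\Windows\SysWOW64\omsecor.exe", 3456),
}

# The six IoC descriptions from the report's Signatures section.
WRITE_IOCS = [
    "PID 3656 wrote to memory of 3456",
    "PID 3656 wrote to memory of 3456",
    "PID 3656 wrote to memory of 3456",
    "PID 3456 wrote to memory of 3208",
    "PID 3456 wrote to memory of 3208",
    "PID 3456 wrote to memory of 3208",
]

# Constructed record (not in the report): a write into an unknown PID.
CONSTRUCTED_EXTRA = ["PID 3208 wrote to memory of 4444"]


def parse_writes(descriptions):
    """Counter of (writer_pid, target_pid) pairs.

    The sandbox logs each call separately, so a pair that appears three
    times collapses to one entry with calls == 3.
    """
    pairs = Counter()
    for text in descriptions:
        m = WRITE_RE.search(text)
        if m:
            pairs[(int(m["src"]), int(m["dst"]))] += 1
    return pairs


def classify_write(src, dst, tree):
    """Relate a write to the tree.

    'self-child'     : target was spawned by the writer (parent patching the
                       child it just created, e.g. process hollowing).
    'cross-process'  : target is in the tree but not a direct child, which is
                       the injection case worth escalating.
    'unknown-target' : target PID is absent from the tree.
    """
    if dst not in tree:
        return "unknown-target"
    return "self-child" if tree[dst][1] == src else "cross-process"


def summarize(descriptions, tree):
    """One row per writer/target pair, in first-seen order."""
    rows = []
    for (src, dst), calls in parse_writes(descriptions).items():
        rows.append({
            "writer_pid": src,
            "writer": tree.get(src, ("<not in tree>", None))[0],
            "target_pid": dst,
            "target": tree.get(dst, ("<not in tree>", None))[0],
            "calls": calls,
            "class": classify_write(src, dst, tree),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(WRITE_IOCS + CONSTRUCTED_EXTRA, PROCESS_TREE):
        print(f"{row['writer_pid']} -> {row['target_pid']} "
              f"x{row['calls']} [{row['class']}] {row['writer']} => {row['target']}")
```

For the report's own records both pairs come out as "self-child" with three calls each, matching the tree (3656 spawns 3456, 3456 spawns 3208); the constructed record lands in "unknown-target". A classification of "cross-process" is the one that should trigger a closer look at the target process, since nothing in a normal CreateProcess sequence explains it.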
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 70KB
  MD5: 314f3c09230b1fd02e44991f7a3753d2
  SHA1: 0b65552bf6f4fefa40fa09060b1df05e39542680
  SHA256: 9485a470fde4b2b07930258c8b999d1af7e342c6cfabd0b7e55fe6d0793c76a5
  SHA512: 9c8864fb1b798bde20f18a64f859b16a327db44bc5dbf372e1e882db65d4a470b59b1de08a94a7960e57013eaa1df2464a7628e32c6848177dcb7d7e64c364b0

Download 2
  Filesize: 70KB
  MD5: 192d1b14b74e47bdcecf80a0a7358162
  SHA1: d601f3784e3fdce7fc0300cb5835b80b20fcb7d1
  SHA256: d7ccc24d5b966d2e3d7df05241d3b7af4eee1f99536a358241a271be357004df
  SHA512: cc5866f06d6e6c33224dfb9527e054a06fc1713991656f8f7ab88d38723eeeea3f636e88219ce4cc7876f9d7dc446fe232c6f9bef4045cb92e1b6911961e5bc7