Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/01/2025, 04:33
Behavioral task
- behavioral1
  - Sample: b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe
  - Resource: win7-20240729-en
General
- Target: b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe
- Size: 88KB
- MD5: a097be328eb9231d136ad6df8ef684b0
- SHA1: 4fcf756ab596072f42f1582f1e9d7c05e5d832a1
- SHA256: b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89f
- SHA512: 5d6a9b70dd20070edd00ebfc3c6813dab12dcc0ffb4d9866f8c5ae16d51a4698cec78789399723a8a665d0069f9037ca6c17308f67240d602ede9c61dbea8dfd
- SSDEEP: 1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5r:9dseIOMEZEyFjEOFqTiQm5l/5r
Malware Config
Extracted (neconyd)
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)

  | pid | Process |
  | --- | --- |
  | 3836 | omsecor.exe |
  | 4004 | omsecor.exe |

- Drops file in System32 directory (2 IoCs)

  | description | ioc | Process |
  | --- | --- | --- |
  | File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | omsecor.exe |
  | File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc | Process |
  | --- | --- | --- |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe |
- Suspicious use of WriteProcessMemory (6 IoCs)

  | description | pid | Process | procid_target |
  | --- | --- | --- | --- |
  | PID 3896 wrote to memory of 3836 | 3896 | b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe | 82 |
  | PID 3896 wrote to memory of 3836 | 3896 | b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe | 82 |
  | PID 3896 wrote to memory of 3836 | 3896 | b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe | 82 |
  | PID 3836 wrote to memory of 4004 | 3836 | omsecor.exe | 92 |
  | PID 3836 wrote to memory of 4004 | 3836 | omsecor.exe | 92 |
  | PID 3836 wrote to memory of 4004 | 3836 | omsecor.exe | 92 |
Processes
1. C:\Users\Admin\AppData\Local\Temp\b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe
   - Command line: "C:\Users\Admin\AppData\Local\Temp\b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe"
   - PID: 3896
   - Signatures:
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 1)
      - Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - PID: 3836
      - Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (child of 2)
         - Command line: C:\Windows\System32\omsecor.exe
         - PID: 4004
         - Signatures:
           - Executes dropped EXE
           - Drops file in System32 directory
           - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88KB
  - MD5: fe87e99998c96f2e97cd55b1eae62b59
  - SHA1: c22ccd06477e93ea6f6d741341256c64c6281519
  - SHA256: b22d4b5bc760bd640c289e08330cda2873c933329fd6fa93dfab411fe98b1673
  - SHA512: 8134fa8ebb24c495cf50ce0364b6478c782cf9e5d388342e0743034b28a2d1d20c3ee53a0e98446db5040edf6e537a76771c6eadd223e0895f3911a2208e3b3d
- Filesize: 88KB
  - MD5: ad025a7141d5032ca01bcd21d5daaea7
  - SHA1: a93a6e3426d72e6f7ff434bf3895db0709425084
  - SHA256: bed04fb3c925014a6e75a2f8b953d05888e47c23b4274e467e867100f271ad8e
  - SHA512: eb928553796d8be5eec1761f930cb1ecb509318817449aebfeb213ece76756b8cceab89c62f5a88925c666d394e5890f01eed285091e46128fe239fce28bfd6f