Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2025, 04:15
Behavioral task: behavioral1
Sample: b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Resource: win7-20240903-en
General
Target: b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Size: 65KB
MD5: e4ff0fdaf9755cdf8427bb42af18c3d8
SHA1: 11ddbf277b764f01345aa299c75224defe885ada
SHA256: b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c
SHA512: 2c7f97f96e3268985e096424f0f4ea568dd70eb2bc2a2f16048e7bb9cdcc63e34f438d41b9da31e3852237012745e5eb6ac264732aadf08c942765f5bb5aa606
SSDEEP: 1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzf:0dseIO+EZEyFjEOFqTiQmRHzf
Malware Config
Extracted family: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2040  omsecor.exe
1968  omsecor.exe
3744  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid   Process                                                                Target PID
PID 972 wrote to memory of 2040     972   b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe  82
PID 972 wrote to memory of 2040     972   b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe  82
PID 972 wrote to memory of 2040     972   b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe  82
PID 2040 wrote to memory of 1968    2040  omsecor.exe                                                            92
PID 2040 wrote to memory of 1968    2040  omsecor.exe                                                            92
PID 2040 wrote to memory of 1968    2040  omsecor.exe                                                            92
PID 1968 wrote to memory of 3744    1968  omsecor.exe                                                            93
PID 1968 wrote to memory of 3744    1968  omsecor.exe                                                            93
PID 1968 wrote to memory of 3744    1968  omsecor.exe                                                            93
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe"
  PID: 972
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2040
    Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1968
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3744
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads