Analysis
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 00:08
Behavioral task: behavioral1
Sample: 5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
Resource: win7-20241010-en
General
Target: 5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
Size: 80KB
MD5: f97587f7b361193b7db0db38ad4fb970
SHA1: 584034a137030cfcee780ef8835c5d7de588e081
SHA256: 5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47
SHA512: 157bd41c8dd5160f3270a02de352136f15368e632cd08573753dc0a81d3eb2179696e8f5daef7cff15735e0ad7a325ba567a9e4f6ff54befe3ebfc9d8457ccf9
SSDEEP: 1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:MdseIOMEZEyFjEOFqTiQmOl/5xPvwN
Malware Config
Extracted config: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
  pid   Process
  4580  omsecor.exe
  3528  omsecor.exe
  4940  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 532 wrote to memory of 4580    532   5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe  83
  PID 532 wrote to memory of 4580    532   5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe  83
  PID 532 wrote to memory of 4580    532   5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe  83
  PID 4580 wrote to memory of 3528   4580  omsecor.exe                                                             100
  PID 4580 wrote to memory of 3528   4580  omsecor.exe                                                             100
  PID 4580 wrote to memory of 3528   4580  omsecor.exe                                                             100
  PID 3528 wrote to memory of 4940   3528  omsecor.exe                                                             101
  PID 3528 wrote to memory of 4940   3528  omsecor.exe                                                             101
  PID 3528 wrote to memory of 4940   3528  omsecor.exe                                                             101
Processes

C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 532

  C:\Users\Admin\AppData\Roaming\omsecor.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4580

    C:\Windows\SysWOW64\omsecor.exe (level 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3528

      C:\Users\Admin\AppData\Roaming\omsecor.exe (level 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4940
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 90f2ef9de6df1ffb936d2197a1bce4a0
SHA1: f927998855e78738d4ec9675fb96355e0f8fc3ee
SHA256: 54337ea42b44fd8bd5720c6b4c2efc27b6505fcf629fb3174231a2513ed511ae
SHA512: 9bb14e047c1592ccf287d1deb68ea2bb7c452e404fea9d9ca41a50a3a52c88080f8921c429c6eba0804185980f2fdf76497742ac8207e53b5a7acd63b30fe2c6

Filesize: 80KB
MD5: 77747f222cd5cf4ebe7b1fb987aa71cb
SHA1: 280957e938ce3b4cad37ed83178a19723d7f4d8a
SHA256: 489db48d37861cd49820a03e80195a23c6fbfacc3ab3f78787cfe1b8dd3d4445
SHA512: 69480b79172d30fea7bc7f51ab174717b912285d41d09a6bb82ad70bd1f7d7797dc90c1b9771e85212071bbdf5fb535d9fa917954eaa2ec23ac9ab4c7d3b1c2c

Filesize: 80KB
MD5: 7e425608010a6e12fd37818c0ec31edd
SHA1: 2e18d18526ba0f83732b6db3dec0e80ffa09b6cd
SHA256: ba6ea32054df7ca4cf61eeb2db1053ad06aed4dd6b45a6f04d19f44f65c2e799
SHA512: 7b4d33e85574205ba2f418c76b7c508a944fcebda75da6dde438e135138dfbc5580037cd28d27e7c2d82290d3176ca9d8d997cdabac99527a4be43461ba77f03