Analysis
- max time kernel: 115s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2025, 18:17
Behavioral task: behavioral1
- Sample: 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
- Resource: win7-20240729-en
General
- Target: 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
- Size: 61KB
- MD5: 0ae69dcd82d19b6198b367d47664d750
- SHA1: 2fdcf486e68cfe5f84bcc8ef8f1fc465606b59ec
- SHA256: 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903
- SHA512: 21a751134ba8eaad85cb87800100a4ba0cc92b89a060efbd276f29d005c9d1ed229389b73cbb18970bb902f47d638fd7d58b5c77de4fe4a31197166a2dd82044
- SSDEEP: 1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5:kdseIOMEZEyFjEOFqTiQmxl/5
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid | Process
  1984 | omsecor.exe
  1568 | omsecor.exe
  1864 | omsecor.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2372 wrote to memory of 1984 | 2372 | 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe | 85
  PID 2372 wrote to memory of 1984 | 2372 | 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe | 85
  PID 2372 wrote to memory of 1984 | 2372 | 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe | 85
  PID 1984 wrote to memory of 1568 | 1984 | omsecor.exe | 103
  PID 1984 wrote to memory of 1568 | 1984 | omsecor.exe | 103
  PID 1984 wrote to memory of 1568 | 1984 | omsecor.exe | 103
  PID 1568 wrote to memory of 1864 | 1568 | omsecor.exe | 104
  PID 1568 wrote to memory of 1864 | 1568 | omsecor.exe | 104
  PID 1568 wrote to memory of 1864 | 1568 | omsecor.exe | 104
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe (PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1984)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\omsecor.exe (PID 1568)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1864)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 61KB
  MD5: 9896fc5f795ef4f58e677dc32660b9d0
  SHA1: 8657d80ee97eea416e88865bc44aed16979f4f0a
  SHA256: b849fc623ecec0d3340c914de262b90250fbd1c2d24969064cd6c9e2fc2b4bbf
  SHA512: 67a58cf3acc6a43b9cb94f99a383930763ff57b97810025f6c372b6985acdc20e606d6297e62aa749582336728c0dd7b03d8b8ff8afc8559cbefe6d9ff15b6c6
- File 2
  Filesize: 61KB
  MD5: cd48fe3ad3a85f7c74f04d8d2fa05fa8
  SHA1: 9b696c4f5e288eec9ab978a6759b7c71a75ffed2
  SHA256: c9492cf7d9128c374d9946a113951a7c77b2e1c4a8dcca47f5540d184acda7a5
  SHA512: 01f01cb6ccadbaaf583fd0eb573fdbc4f0b7ad4ecc8ec195201dbb9697eee4cc24eb6fc4aa7043b5a0f64803eeee2238c2b3cf59d7610bd1dd740c249d40655a
- File 3
  Filesize: 61KB
  MD5: c90b5ffc0f5b2d7237af5426ed4a4cb6
  SHA1: 20d98d1a67a911a66f563fc8ca1e6c3023ae06be
  SHA256: 94cc291cf93b90f07b98e6307eda5b6b7962d0f6dc8efbbd02dee7e949ed8d9b
  SHA512: 4bf2bb2443920f25d64eea4658f763b046bfe73070a241431fe9a39fd634d6725ad7f85f68d34e99032efc93a265b69bbd6798aeef23eb66ffcb48c8e4cdb6e8