Analysis
- max time kernel: 114s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 09:05
Behavioral task
- behavioral1
- Sample: c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
- Resource: win7-20241010-en
General
- Target: c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
- Size: 65KB
- MD5: d5d05acd29a4225bffef36e3d6fb1ee0
- SHA1: 007d469de21c5a9015762614677e2c8c6893c25b
- SHA256: c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571d
- SHA512: f02c620fc9b61d9f503c0bc269c9e2e6d0dfa1bb7436be697a4b0cf0a9df8c824a5afab16deeeb1c623c6c40878ebd8bc90ba81b32855d15cd791233b291293a
- SSDEEP: 1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:IdseIO+EZEyFjEOFqTiQmRHz
Malware Config
- Extracted family: neconyd
- C2 URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid | Process
  4620 | omsecor.exe
  1156 | omsecor.exe
  5116 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 392 wrote to memory of 4620 | 392 | c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe | 83
  PID 392 wrote to memory of 4620 | 392 | c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe | 83
  PID 392 wrote to memory of 4620 | 392 | c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe | 83
  PID 4620 wrote to memory of 1156 | 4620 | omsecor.exe | 101
  PID 4620 wrote to memory of 1156 | 4620 | omsecor.exe | 101
  PID 4620 wrote to memory of 1156 | 4620 | omsecor.exe | 101
  PID 1156 wrote to memory of 5116 | 1156 | omsecor.exe | 102
  PID 1156 wrote to memory of 5116 | 1156 | omsecor.exe | 102
  PID 1156 wrote to memory of 5116 | 1156 | omsecor.exe | 102
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe"
  PID: 392
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 4620
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1156
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 5116
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 65KB
  - MD5: 582a5979e0d2575f42592497612f6318
  - SHA1: ff3a8a4c5043454f97dff4bf32369f9f822aff93
  - SHA256: 906fb940d5b450d14c5ee7f501f9ebac5a72377b534e8659867b84b58660f5e2
  - SHA512: 4e55e03dcecf3e3df09cf0944f450924a6370d63a523a6a85506ae66090f81193be6b38630d5016280531ef5b925fbbb848bf39dc0a7b3d6bd2c1ba7256d4ae1
- File 2
  - Filesize: 65KB
  - MD5: 35004040aa1834520e0517eec19d1afb
  - SHA1: d8f2fa63517fd03b80a095a059dcdd5c3dc4272e
  - SHA256: ab5b15e853e6e20c2a6bed85481cd5f38f2260ab2c18f3d347f86dfb1ccaf8b7
  - SHA512: be122f405a05a06a1b1d442bf1c26ad3d94a164027d219bb551805a0d093f4095caa7a9f36cf2be4c54100559c38c88be47b00f39efa185a693bf9d45d4e583b
- File 3
  - Filesize: 65KB
  - MD5: 6af131cd1c4ceeaf604283f5d90880f9
  - SHA1: 1664111a5a5ba8f96ad18eb7c598d75fd0042993
  - SHA256: 0c86fb1c5fd3463e51d7fe48e44cb5b5fefff094211850b31c04d88a3c84d9d8
  - SHA512: 1b8249ad5cba1333ae725413e87b419078a5bacf41211d09b18e56b8c95f42f52a86a059ccc654015f08e4096990f090f287faa15b5317d55c00aacdaf3a9c96