Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 09:56
Behavioral task
- behavioral1
- Sample: 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
- Resource: win7-20240903-en
General
- Target: 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
- Size: 76KB
- MD5: bedb4810e0fdcac907fc66cdd659ab40
- SHA1: e14e0d31be41d8c5436d4f1fe1030534d65e1b53
- SHA256: 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60a
- SHA512: c4c791fe7139920df90a9c22b0651d35bc80e0f2829df083f366a9337ec8b2fc706e4fa15955b8b41a54a9aaeb85a61da01ffb6fb59792a496005dda3c917e68
- SSDEEP: 1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11T:XdseIOMEZEyFjEOFqaiQm5l/5w11T
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)

  | pid  | Process     |
  |------|-------------|
  | 2300 | omsecor.exe |
  | 4460 | omsecor.exe |

- Drops file in System32 directory (2 IoCs)

  | description                  | ioc                                | Process     |
  |------------------------------|------------------------------------|-------------|
  | File created                 | C:\Windows\SysWOW64\omsecor.exe    | omsecor.exe |
  | File opened for modification | C:\Windows\SysWOW64\merocz.xc6     | omsecor.exe |

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc                                                              | Process                                                                  |
  |-------------|------------------------------------------------------------------|--------------------------------------------------------------------------|
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | omsecor.exe                                                              |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | omsecor.exe                                                              |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe   |

- Suspicious use of WriteProcessMemory (6 IoCs)

  | description                | pid  | Process                                                                | procid_target |
  |----------------------------|------|------------------------------------------------------------------------|---------------|
  | PID 3352 wrote to memory of 2300 | 3352 | 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe | 82            |
  | PID 3352 wrote to memory of 2300 | 3352 | 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe | 82            |
  | PID 3352 wrote to memory of 2300 | 3352 | 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe | 82            |
  | PID 2300 wrote to memory of 4460 | 2300 | omsecor.exe                                                            | 92            |
  | PID 2300 wrote to memory of 4460 | 2300 | omsecor.exe                                                            | 92            |
  | PID 2300 wrote to memory of 4460 | 2300 | omsecor.exe                                                            | 92            |
Processes
- C:\Users\Admin\AppData\Local\Temp\3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe"
  PID: 3352
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2300
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      PID: 4460
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 76KB
  - MD5: 402e67f3b5e8009ecfd54bb3f3ffda2f
  - SHA1: d5aaf50c059edde3b959492308c6c58fde28f9c9
  - SHA256: 22b915b62a07e2f53f32b89c489ff030d68e582acaf09da6bc5c0711942507bd
  - SHA512: 3cb5f53c8f8eb2ce9e53fc150703c39b80801d39125db334b8d0fa4bd56cdc999b6b86f2aaa2949e04072e4cd402f0fdbc8e2b0ad2a56f8fcea61bb3fa49de4f
- File 2
  - Filesize: 76KB
  - MD5: 34044f21d648125e96d26b66928be01e
  - SHA1: 9396276e41681776bfdfb9f1420f7be133456634
  - SHA256: b8d4a29aa6a43eb6c94a3c98e8cf772806b40a18116d4c5e08efda95567fc830
  - SHA512: c2dd3d2e10c159cc7f016a2f6b4318a2bb83a3230fffd8150d4ae12fad225ff9cb9378c6a7fe3f6dd6f7b9e0b7eae943df9b5ea75f7ff459436ab9acf55719c9