Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2025, 16:55
Behavioral task: behavioral1
Sample: a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe
Resource: win7-20240903-en
General
Target: a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe
Size: 88KB
MD5: 3f55b3190b0c45b83dc48b7112da87cc
SHA1: 17708d2217db6973e7e54c2bc2d578b47090b8f6
SHA256: a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18
SHA512: e7823ed80f3654102b6e6ab904fa9636696083ad76fb4e28cfdb667113a3d94aa36de9b685704323a1f66b8f00b8d361fc1beca411545f90c971a34c76c202ef
SSDEEP: 1536:nd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5T:PdseIOMEZEyFjEOFqTiQm5l/5T
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
956   omsecor.exe
4344  omsecor.exe
628   omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                                Process
File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                               Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   Process                                                                 procid_target
PID 4560 wrote to memory of 956      4560  a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe   82
PID 4560 wrote to memory of 956      4560  a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe   82
PID 4560 wrote to memory of 956      4560  a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe   82
PID 956 wrote to memory of 4344      956   omsecor.exe                                                             92
PID 956 wrote to memory of 4344      956   omsecor.exe                                                             92
PID 956 wrote to memory of 4344      956   omsecor.exe                                                             92
PID 4344 wrote to memory of 628      4344  omsecor.exe                                                             93
PID 4344 wrote to memory of 628      4344  omsecor.exe                                                             93
PID 4344 wrote to memory of 628      4344  omsecor.exe                                                             93
Processes

1. C:\Users\Admin\AppData\Local\Temp\a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4560

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 956

      3. C:\Windows\SysWOW64\omsecor.exe (child of 2)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 4344

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 3)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 628
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 88KB
   MD5: 9143eb3b9573b4d4d62eeab4964e1b81
   SHA1: cfb092f9109c3e122c6942b0dcd176ee99605c1d
   SHA256: 32fd5607450549cbdba8e4c27267b141da10a5fe06a281d0bc381192a5d36883
   SHA512: c9a1615cce31341875eae3a3a51f8009ce5ea8316ea19a07c83a5ccbe1813f43a624c7e7106ce862a80ad7ec6a6fbb7b708a209f1487355e0b4344b12157ef9b

2. Filesize: 88KB
   MD5: 13e5c3ebad2622eee988942d10cdf3fe
   SHA1: ba35c3ad4eb5c11d1d583ea5bcdf968557e121f7
   SHA256: 48aa8c40c858e4a464d909f796582a56f1a857344be32286ef07a2540cb705bb
   SHA512: 0375b1781b9ea645d4aab94d9b302f5574b60f3a203750d1b725b34c9ccec50ac06f9d87bfaa51b4945e1b8d2bb30ea868d7d96ae3ba6a38300918176476c879

3. Filesize: 88KB
   MD5: cca0bf80422261b5afabf0a5c9bebcde
   SHA1: d53974845f8e468b57e9823d5b3b404975ce4a5d
   SHA256: 0c7995e72074008e8c293bbbf577d4935149fbbc7d2486662817151f15777561
   SHA512: 4ef4a515c1461de86b640b185405c583564e61bc300c18d635d4b181ce87865d00348cf7f869d543cc84e83174235211270f35b1c6ef141363c5d22884fb714e