Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 02:37
Behavioral task: behavioral1
Sample: f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
Resource: win7-20240903-en
General
Target: f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
Size: 80KB
MD5: ad4435bb25f4a761455cf19cbf6b59cb
SHA1: 249e6d126522149a5b5d6c2fa1c788fed38943e0
SHA256: f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a
SHA512: d9f9229dcbf3bc5149028280a0c764538225bb9e83a3f52402def65293b2d2802b6eb8b859fe2487113b03662d323455a52f74bff50040ff59c382ccaa5dff0b
SSDEEP: 1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzp:wdseIOMEZEyFjEOFqTiQmOl/5xPvw1
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
    pid   | Process
    4432  | omsecor.exe
    3232  | omsecor.exe
    3160  | omsecor.exe
- Drops file in System32 directory (1 IoC)
    description  | ioc                             | Process
    File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc                                                          | Process
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
    description                      | pid  | Process                                                              | procid_target
    PID 2276 wrote to memory of 4432 | 2276 | f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe | 83
    PID 2276 wrote to memory of 4432 | 2276 | f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe | 83
    PID 2276 wrote to memory of 4432 | 2276 | f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe | 83
    PID 4432 wrote to memory of 3232 | 4432 | omsecor.exe                                                          | 99
    PID 4432 wrote to memory of 3232 | 4432 | omsecor.exe                                                          | 99
    PID 4432 wrote to memory of 3232 | 4432 | omsecor.exe                                                          | 99
    PID 3232 wrote to memory of 3160 | 3232 | omsecor.exe                                                          | 100
    PID 3232 wrote to memory of 3160 | 3232 | omsecor.exe                                                          | 100
    PID 3232 wrote to memory of 3160 | 3232 | omsecor.exe                                                          | 100
Processes (process tree, depth 1 to 4)
1. C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe"
   PID: 2276
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4432
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3232
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3160
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: baccce52005058c533d8afacbafcaaab
SHA1: db4caf5c60ea844842ff6be68723d9e8f390969f
SHA256: 3dab5e36682bf7ed8876080b20f9232b43efcf0051b4612a93c7bd43a804a9c5
SHA512: 5f49f56e829b760bdef7d3bdf25fae7f2ed1684cc273cec872a377668e928e47006608321812170ea3e9b2aa6f5484be5d17c4fb48685a3c1166fd2a69942c60

Filesize: 80KB
MD5: 35e41059f24b43b24796a6bbee1700c8
SHA1: ca179cb5f7eacc1352be79b5f85abdba1651052f
SHA256: 09931456a13261ba5211a89c8c418dc2a705037219d5e7dbbf9f476fe96ef9f2
SHA512: 92159a744ea8f97dce8a221a6ed489d0896c4aa5cf4a282a4f492de7c935ad2d192efc0de3c959468f08da937559716d7509c95736b733c1926a2401baffed88

Filesize: 80KB
MD5: d0524761d07b233b488e03798895a4a6
SHA1: 9473b1ee5b2e4fc699c3359841410fa3ea187b53
SHA256: a923c5365830231cade0a6d854e41f3431c15fb63ea8a4edc7df98b78a967cd6
SHA512: e6cb773e4d0dc553239920a6fadf37e34ef15f964fd5e5c95f0097cf0534b83ebe5d2be1e9de43933d7c7a076c6834b250c875442dd6845c6c00538596c829cf