Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 11:32
Behavioral task: behavioral1
Sample: fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
Resource: win7-20240903-en
General
Target: fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
Size: 71KB
MD5: 313ec61c311f87ef3513914163905a08
SHA1: 74fde2d922688492f12d0c91839021ae9b5b7c37
SHA256: fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14
SHA512: f4303ae873e2449b6043b65252e8c764687d61852278ba19ac63c4384eb507a16374f67d6e1c675ba7ac34a2e921af063918deb37f36b8ba0121805720679219
SSDEEP: 1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHP:KdseIOMEZEyFjEOFqTiQmQDHIbHP
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (2 IoCs)
pid | Process
1364 | omsecor.exe
3632 | omsecor.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | omsecor.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4972 wrote to memory of 1364 | 4972 | fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe | 83
PID 4972 wrote to memory of 1364 | 4972 | fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe | 83
PID 4972 wrote to memory of 1364 | 4972 | fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe | 83
PID 1364 wrote to memory of 3632 | 1364 | omsecor.exe | 100
PID 1364 wrote to memory of 3632 | 1364 | omsecor.exe | 100
PID 1364 wrote to memory of 3632 | 1364 | omsecor.exe | 100
Processes

1. C:\Users\Admin\AppData\Local\Temp\fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4972

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1364

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         PID: 3632
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 71KB
MD5: 8522e285a5a2fb0a15854913271975e2
SHA1: 6389ba9a271aba9be85b495d1a7dd71c0720d2ff
SHA256: 5a74886b44ec251baa92861bb51d265ce48dc712b11426e707cbf71e898033b4
SHA512: 67cb120a5e1b9082c2de2b07e90fca72189156d1f53dae3a0114816dcb3582ded94172500a90e8723f878f42c3240422cfd7873d2f5497197ee512ab32c85114

Filesize: 71KB
MD5: 5c07e5bbf4f7bcff6ae7e1aa7751f933
SHA1: b498db4ef6d75bba4a38442c238efd65f6826b5f
SHA256: ec29a9b525e0080babc0be0194cf43f48f56a594e650e155651034589a35c289
SHA512: 96d7ad6bbf4b88887d5c5daeb5764b4be5281589c2b47248cccdd0c7dfaf3d6a6ab6aed01d9f42318a8512898b8f247e877248d229b9563e31e067f963f64482