Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/01/2025, 14:04
Behavioral task
- behavioral1
- Sample: 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe
- Resource: win7-20240903-en
General
- Target: 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe
- Size: 80KB
- MD5: 142f51eb666fc454a719a3578f06a290
- SHA1: 94b3b550600648890fb33ebf440c3e806ecb4090
- SHA256: 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077
- SHA512: ff49f65987b905945529b406dad26b044fd95b2a5f8948a32080f064d1cd531fede8470a2ffd772709e4d14d3b16defd84676c1d90400e27d4b92f34d6753889
- SSDEEP: 1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:bdseIOMEZEyFjEOFqTiQmOl/5xPvwv
Malware Config
Extracted
- neconyd
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)
  pid | Process
  4876 | omsecor.exe
  1144 | omsecor.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
  File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3656 wrote to memory of 4876 | 3656 | 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe | 82
  PID 3656 wrote to memory of 4876 | 3656 | 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe | 82
  PID 3656 wrote to memory of 4876 | 3656 | 7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe | 82
  PID 4876 wrote to memory of 1144 | 4876 | omsecor.exe | 92
  PID 4876 wrote to memory of 1144 | 4876 | omsecor.exe | 92
  PID 4876 wrote to memory of 1144 | 4876 | omsecor.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3656
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4876
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      PID: 1144
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: 8e1163f852d63b0232110e06ad1a21fa
  SHA1: 15adaf52ec6662d08369cf6536dc6e9f0d7f878e
  SHA256: b2d51585811e81f7e0b51a0c0239d0befce45af1475326052f87731cf94e8f37
  SHA512: 21be974b9610bb36bacc29be7eed22dd1702ec55b1d862aba6b3780b3f9b41949cb0b1b1f559d6289a057238873cdb1ca2a313795527c0d21ee30efe475233ec
- Filesize: 80KB
  MD5: 5f3bcfa87649167476c8e13dda76c3f4
  SHA1: 247ffda0f24a879e720c8a0ec1579a285212387f
  SHA256: ef4174e266b70dd4231e378c095339ca25cd8c2e4c6932bfb503f08a5528dbd9
  SHA512: 921b491d4b2d632f9436ba527fe2d153d7377cebd368498edd0f49138982c777a866b4e664f47000890544fcf10fa7eab1b8a9d789c32d12d590d779a7021ebf