Analysis
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 16:27

Behavioral task: behavioral1
Sample: 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Resource: win7-20241010-en
General
Target: 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Size: 65KB
MD5: e61c59c5b1a01e9e2a31877ed0d17600
SHA1: c8058a611ae1788aa0bbb8ff1559bc3b58b350a7
SHA256: 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820
SHA512: eadc80af64e8ea5220b76be7e2e99ac15797c009c0878c64959b60ed415e892671122b4c1a101d695b4c776a117cc2997a57b06304b949eb3d4c02408395f8b0
SSDEEP: 1536:Gd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:+dseIO+EZEyFjEOFqTiQmRHzl
Malware Config (extracted)
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2208  omsecor.exe
  2120  omsecor.exe
  1312  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 4860 wrote to memory of 2208   4860  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe  82
  PID 4860 wrote to memory of 2208   4860  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe  82
  PID 4860 wrote to memory of 2208   4860  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe  82
  PID 2208 wrote to memory of 2120   2208  omsecor.exe                                                               92
  PID 2208 wrote to memory of 2120   2208  omsecor.exe                                                               92
  PID 2208 wrote to memory of 2120   2208  omsecor.exe                                                               92
  PID 2120 wrote to memory of 1312   2120  omsecor.exe                                                               93
  PID 2120 wrote to memory of 1312   2120  omsecor.exe                                                               93
  PID 2120 wrote to memory of 1312   2120  omsecor.exe                                                               93
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe"
  PID: 4860
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2208
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2120
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1312
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads