Analysis
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2025, 14:14
Behavioral task
behavioral1
Sample: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
Resource: win7-20240729-en
General
Target: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
Size: 90KB
MD5: 58ecb69d1c68c8f3834a96c026fea75c
SHA1: 10fd25a7d6127caf506d93d03f9203bb78ca5ffe
SHA256: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89
SHA512: 116bb69fcff1f70d2ace23a90da1b6a1437286f92a6021a09621bcbb45e09ff2ba96d40b10c571186dcba2875582c609578ee43ef0829c45d6cf6f42a93f4e59
SSDEEP: 768:vMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAe:vbIvYvZEyFKF6N4aS5AQmZTl/52
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)
  PID 4496: omsecor.exe
  PID 4852: omsecor.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
  File opened for modification: C:\Windows\SysWOW64\merocz.xc6 (process: omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3344 wrote to memory of 4496 (process: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe, procid_target: 83)
  PID 3344 wrote to memory of 4496 (process: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe, procid_target: 83)
  PID 3344 wrote to memory of 4496 (process: 1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe, procid_target: 83)
  PID 4496 wrote to memory of 4852 (process: omsecor.exe, procid_target: 102)
  PID 4496 wrote to memory of 4852 (process: omsecor.exe, procid_target: 102)
  PID 4496 wrote to memory of 4852 (process: omsecor.exe, procid_target: 102)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe"
   PID: 3344
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4496
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4852
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 90KB
MD5: 4ed3d5856ca1da4accbe0321d43650a2
SHA1: fc258cf1a5f67449151524ca5ee534d29b938b35
SHA256: d250e9333cdebfa981f332d98336d68d7c55145f042abb6f93f8ca80b19ec266
SHA512: e46a4b6fc7007a9c98c7af128058f7359bf6603b47ef87113b2520b34cc0599c06a28f1699e510cccc61b9999a2d543242e07284c8eac61987b708a57c953db8
-
Filesize: 90KB
MD5: 6dc1bca589e812b5337641030cf70480
SHA1: b545e90588533fafe5b4eaef2616372ec5e0b35a
SHA256: 2016de4075949bfd6c34daba97aabf85bdf75b568968b3915fe3f54390a74b56
SHA512: 76c293a0bcfda129cde9b7c4c7ea4caf9b27c0a4481ba00a816f8b49a99227d5098410299f5f15e216bbcd06c5ae9d34275345e9769aeae189f850097d7aaed0