Analysis
- max time kernel: 114s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/01/2025, 15:35
Behavioral task: behavioral1
- Sample: 4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe
- Resource: win7-20240903-en
General
- Target: 4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe
- Size: 65KB
- MD5: 5a23b0173a338fbb8069cfe77346e970
- SHA1: 7c339674d04175cbf58af4d5399311db4f4b6fd7
- SHA256: 4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2db
- SHA512: 828040bc301948c8164082f75f69240bcdb2ec50ea2af95d22ae189c935e7b1b34a0c21d3d0405dda2c96ad4b56333b2c75b3a90a9ee4ddde0f2918f80808c27
- SSDEEP: 1536:nd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzg:PdseIO+EZEyFjEOFqTiQmRHzg
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)
  PID   Process
  2708  omsecor.exe
  3760  omsecor.exe
- Drops file in System32 directory (2 IoCs)
  Description                   IoC                              Process
  File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process                                                                procid_target
  PID 5036 wrote to memory of 2708  5036  4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe  83
  PID 5036 wrote to memory of 2708  5036  4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe  83
  PID 5036 wrote to memory of 2708  5036  4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe  83
  PID 2708 wrote to memory of 3760  2708  omsecor.exe                                                            100
  PID 2708 wrote to memory of 3760  2708  omsecor.exe                                                            100
  PID 2708 wrote to memory of 3760  2708  omsecor.exe                                                            100
Processes
1. C:\Users\Admin\AppData\Local\Temp\4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe (PID 5036)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2708)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 3760)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: e30fc56ea97508fbe4312a8549ab6b73
  SHA1: c1688892aaee4df32d3db50a0796323ae355bd34
  SHA256: 0733abd1154328bb9bb6e073120f8bef72188e70ad771312b553184aeb4e12f9
  SHA512: 62200212e3f641808d6b9a42756d5215c5fd4536b6eefdef28ef682c36739c00bf9a96933574b599dac64866e81e97a0d690ac9ec912f9c9df397f270aec6441
- Filesize: 65KB
  MD5: 4a55bd843fec67972d4abf5a99cd1a7e
  SHA1: 42827a7f7990122f6516d927a9b7a23aa844ec3a
  SHA256: 7972192afd86ffb1920e70caf86e3025a2d0bfdee0285e253c932a5a9f42b1b2
  SHA512: b0c027c8a06e3b7cee94be70af2428f21a23de6b42e413d89be4306e6cdc8a90aebdc68283aa58c3bac024799cd26c3739522135fbfb12966d8a462720ecfdb1