Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 02:09
Behavioral task: behavioral1
Sample: 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Resource: win7-20240708-en
General
Target: 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Size: 72KB
MD5: 6fe48d5c17a51a1e1cdc580929ecf150
SHA1: 4a9ef6964981bc925abaa5b71acba37ef701dc63
SHA256: 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bc
SHA512: f6343572658a44f6df4ae82ac8bd0804130baeb5621e3cafa8c6388e52dce08709f569f7aebdb2887c601d0a05a6ae4875d66c9c650e271cfb7c20b6150a3451
SSDEEP: 1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:JdseIOMEZEyFjEOFqTiQm5l/5211v
Malware Config
Extracted: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
1292  omsecor.exe
2388  omsecor.exe
2188  omsecor.exe

Drops file in System32 directory (1 IoCs)
description   ioc                                  Process
File created  C:\Windows\SysWOW64\omsecor.exe      omsecor.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                    pid   Process                                                                  procid_target
PID 4388 wrote to memory of 1292  4388  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe  84
PID 4388 wrote to memory of 1292  4388  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe  84
PID 4388 wrote to memory of 1292  4388  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe  84
PID 1292 wrote to memory of 2388  1292  omsecor.exe  101
PID 1292 wrote to memory of 2388  1292  omsecor.exe  101
PID 1292 wrote to memory of 2388  1292  omsecor.exe  101
PID 2388 wrote to memory of 2188  2388  omsecor.exe  102
PID 2388 wrote to memory of 2188  2388  omsecor.exe  102
PID 2388 wrote to memory of 2188  2388  omsecor.exe  102
Processes

C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
  "C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4388

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1292

    C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2388

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2188
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 72KB
MD5: 152aed8fe9f4ce0c6ab30483a9069b09
SHA1: 3892d1629722f5256c46e5f5fc2e979c802a2730
SHA256: 33edbea54839273e6f70520079996e052cd5406e2ff842869e9dfe10cf55e3ec
SHA512: 371ea7a38ddbdd57fb43021667093586854f35fb0be59b7a761fe466c5ebdeac9c6bff2af26c8b449729ba52f38d30bb90e4280429a3c5e9175117c5f2b4a965

Filesize: 72KB
MD5: decd33de0b63b67571294e4a88b2cefc
SHA1: cf09cb32e9b26448bafb5d3686da73ad5bfcd502
SHA256: 43d3e2ee9057a7588fb9511092d35a44974c5c54fdf1ff6f23e1d0acfd3231a3
SHA512: 0d1a5cec2485c107fd84d54fcab534d5288eacc2d5a7c3fad00adfe6a290538486b0263da315a1467217b8506f1887b3360ec114328d67f9eddec7c6562dc117

Filesize: 72KB
MD5: fabca953ed1e1057c8209202d93bae69
SHA1: 6b7aad8e2ea47a8c8fe92c7cbc0a5b3c89070394
SHA256: d6eab3c9bcffe6601b19e750719793d1a59dd99219c1d04d54306fc225de5c91
SHA512: 799acbbf4ccdd7449657816b62142272f162ee0fc0432056c7942e0b52021788ce6ec29ced0dbfb6e30adb26e2eacfe0646a46af5336e281963c56bd8808e0d3