Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 14/05/2024, 22:35
Behavioral task
behavioral1
Sample
690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
Resource
win7-20240508-en
General
Target: 690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
Size: 72KB
MD5: a592b40a82d919681b39f6371ac937e7
SHA1: 9859ba60b97cf5509154cfcafbf3a41bdfebbbc4
SHA256: 690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703
SHA512: 24c972c79e3068411e1d7205ec0f16b8a75a2b9f7dd9fc0f31f6cb4f6a8beb123b1f427c20bf12e44440aabe6c0c0a79cd567406c389953eb6f709e3526fa399
SSDEEP: 768:iMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:ibIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
pid   Process
2236  omsecor.exe
2852  omsecor.exe
2556  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2256  690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
2256  690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
2236  omsecor.exe
2236  omsecor.exe
2852  omsecor.exe
2852  omsecor.exe

Drops file in System32 directory (1 IoCs)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                          pid   Process                                                                  procid_target
PID 2256 wrote to memory of 2236     2256  690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe  28
PID 2256 wrote to memory of 2236     2256  690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe  28
PID 2256 wrote to memory of 2236     2256  690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe  28
PID 2256 wrote to memory of 2236     2256  690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe  28
PID 2236 wrote to memory of 2852     2236  omsecor.exe                                                              32
PID 2236 wrote to memory of 2852     2236  omsecor.exe                                                              32
PID 2236 wrote to memory of 2852     2236  omsecor.exe                                                              32
PID 2236 wrote to memory of 2852     2236  omsecor.exe                                                              32
PID 2852 wrote to memory of 2556     2852  omsecor.exe                                                              33
PID 2852 wrote to memory of 2556     2852  omsecor.exe                                                              33
PID 2852 wrote to memory of 2556     2852  omsecor.exe                                                              33
PID 2852 wrote to memory of 2556     2852  omsecor.exe                                                              33
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2256

  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2236

    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2852

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        PID: 2556
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 72KB
MD5: 298f434e7bed71dcb00b9e903c8ab34f
SHA1: def2c0cc1cd2dd7a33cd3c3cff098362d9fea2a3
SHA256: 7f6329ace69938e3dd7e98c3eaedfb663720fe113ceb69dd8f60536edd6ccc21
SHA512: 2978c96da2394611b244dab1240802658bcc8b8f7422ccce5fe2cd6e6a96ffaabf86b80b93a3e57b5d44360853ca431047a5b1b7f44a7166e6934b29960eb1bd

Filesize: 72KB
MD5: 5efdf5d072a8f3fb6927cbde92880a75
SHA1: c9b7d3792dd0d0a41d7405b83937cfafabd83ab2
SHA256: 23a9e558240f59da33de3d21673dc0051fa4b8c14f5988ed4a16afb8d89c8253
SHA512: efcbac29cf06de3c610ba0597a96e7399a7ad02b31c7247e5b9d5a29a39166a17b5a8258a70a131aa5ce2645918185f10d3835cfcda09ca75d6105ea6c6a7e9e

Filesize: 72KB
MD5: 45219d09b46f5820e9e26b1ad7e5b4e8
SHA1: 423ce46efa3e03716dc5ec0f9257973867d007db
SHA256: 1ff94d03ba50776d263391bff5c69e2e3d3bd208bfb5ebb0cef999de7c7934fc
SHA512: 8d5f7e5e6f309bc2dc92c143314be5d4782b2288c997de6e6504f603c524e736e40740787b434210ecd3ebb686e80b56cb27c018cc337258b3c3753c9f89d7bc