Analysis
  max time kernel: 114s
  max time network: 117s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 06/12/2024, 22:06
Behavioral task: behavioral1
  Sample: 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
  Resource: win7-20240729-en
General
  Target: 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
  Size: 90KB
  MD5: 927c632d19cf1a09d6e9d2b053042f28
  SHA1: cdbe7a141f9e59ebb085601a0c675fde8322aadc
  SHA256: 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba
  SHA512: 06ae5c1ae5bc5c91b306252a44bd41ced3b366b845d3836cc789b35df00fad0988338d8116cac3b03d8e93eeb9731e1d8fe3a0911d86a7f15979f35c7c930a90
  SSDEEP: 768:9MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAK:9bIvYvZEyFKF6N4aS5AQmZTl/5y
Malware Config
  Extracted
    family: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures
  Neconyd family
  Executes dropped EXE (3 IoCs)
    pid   Process
    2312  omsecor.exe
    2724  omsecor.exe
    2672  omsecor.exe
  Loads dropped DLL (6 IoCs)
    pid   Process
    1820  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
    1820  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
    2312  omsecor.exe
    2312  omsecor.exe
    2724  omsecor.exe
    2724  omsecor.exe
  Drops file in System32 directory (1 IoCs)
    description   ioc                              Process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    description                       pid   Process                                                                procid_target
    PID 1820 wrote to memory of 2312  1820  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe  28
    PID 1820 wrote to memory of 2312  1820  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe  28
    PID 1820 wrote to memory of 2312  1820  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe  28
    PID 1820 wrote to memory of 2312  1820  8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe  28
    PID 2312 wrote to memory of 2724  2312  omsecor.exe                                                            30
    PID 2312 wrote to memory of 2724  2312  omsecor.exe                                                            30
    PID 2312 wrote to memory of 2724  2312  omsecor.exe                                                            30
    PID 2312 wrote to memory of 2724  2312  omsecor.exe                                                            30
    PID 2724 wrote to memory of 2672  2724  omsecor.exe                                                            31
    PID 2724 wrote to memory of 2672  2724  omsecor.exe                                                            31
    PID 2724 wrote to memory of 2672  2724  omsecor.exe                                                            31
    PID 2724 wrote to memory of 2672  2724  omsecor.exe                                                            31
Processes
  C:\Users\Admin\AppData\Local\Temp\8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe"
    PID: 1820
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2312
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\omsecor.exe
        command line: C:\Windows\System32\omsecor.exe
        PID: 2724
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2672
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 90KB
  MD5: a7c053a1ffd4cf604e65a6857f1ef898
  SHA1: 3400ca8ea261d9b51e08492fff0add5f0c430870
  SHA256: 73cdb56cd63bac31a71430f9c68d46f41ec09c1854dfa154d8cb3a5dbc986d07
  SHA512: 3b6070bfd4cd34163592774a89ea6c2e55b4beaeef58af72480b981de477dc546c14f420fe7d4ace521ccc9df3c5112866e60a08b605862d8d475068305cc72d

  Filesize: 90KB
  MD5: 0ae805218214279ffefcc54a90beec63
  SHA1: 5613e083eebd220d03cffd7c4e5be2bb623b5601
  SHA256: 02ef41d7724f40560fb692600286cf79385a9cdb91d4893918eb478785687116
  SHA512: 3e522e3ce232100eacef5bce2d8d07a38a1ee19f19adfbd880ba0589c6bbf5b0e65e9404390f75f7d3d1cbb124209b45108d5dd2ecc7bf02dc1b61657100e951

  Filesize: 90KB
  MD5: db265fc22a5a6841b1bd556e5f5942a5
  SHA1: 321e5d5455dac25554b242ab7f6e0264773953ba
  SHA256: 555971dc1f9318e0483fdf9e68208a3883174ed2499554aa9b5bc60bbf5bb08b
  SHA512: 7219e229ea1eea571bf5802c9c38bd71d24fef0e398274732eb4dd8643820cdf69bdbb3a3b762e61490acd33d69af8f6a62aad0f7237409c8f60e3fc9f1610fb