Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2024, 10:54
Behavioral task
- behavioral1
  - Sample: ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe
  - Resource: win7-20240903-en
General
- Target: ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe
- Size: 88KB
- MD5: 8013414be0202eea820daad9a47690d0
- SHA1: dd16cf45f1271e0e2bf72f47b532adb9e77218f9
- SHA256: ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029de
- SHA512: a41ca4617a02c979565225b1c09ef99bdcec0eecd7bc5659273a8d60f6a0252704cbbf0ead39fda66a3d10a0063d5765240676aefb8f0aa5a022ea0118854ac6
- SSDEEP: 768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:xbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
- neconyd
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2952  omsecor.exe
  2364  omsecor.exe
  792   omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1708  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe
  1708  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe
  2952  omsecor.exe
  2952  omsecor.exe
  2364  omsecor.exe
  2364  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1708 wrote to memory of 2952   1708  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe  31
  PID 1708 wrote to memory of 2952   1708  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe  31
  PID 1708 wrote to memory of 2952   1708  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe  31
  PID 1708 wrote to memory of 2952   1708  ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe  31
  PID 2952 wrote to memory of 2364   2952  omsecor.exe                                                             34
  PID 2952 wrote to memory of 2364   2952  omsecor.exe                                                             34
  PID 2952 wrote to memory of 2364   2952  omsecor.exe                                                             34
  PID 2952 wrote to memory of 2364   2952  omsecor.exe                                                             34
  PID 2364 wrote to memory of 792    2364  omsecor.exe                                                             35
  PID 2364 wrote to memory of 792    2364  omsecor.exe                                                             35
  PID 2364 wrote to memory of 792    2364  omsecor.exe                                                             35
  PID 2364 wrote to memory of 792    2364  omsecor.exe                                                             35
Processes
- C:\Users\Admin\AppData\Local\Temp\ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab7855559df4da13f5dc13771f0fb61467a40f63ef4f11dcde847cf6f31029deN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1708
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2952
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2364
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 792
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88KB
  MD5: 53a7ebb62fb8bf7f660618e4b1eeee1c
  SHA1: a68f54c0f140c348e4ab906121743c49f0de6fd2
  SHA256: 2f088cf814b5ba481f6f778fd714b683edb367b4d08e068f1723c8daba0cb4fb
  SHA512: 50d900e6af0bb7b29beb00abee5b704868fab86138dafecc9c10b9554f98c6830eb636f9bb871e6416e2211b85a0dacb1bb5e07e1f404be466216101c7249b1b
- Filesize: 88KB
  MD5: 92b79564289c89917b9f926230953ea0
  SHA1: 90115c9bd829943db3224729b499d1a8a0565276
  SHA256: 6c26a67b1a77fe2a29fd7df6034e40962d3eada13ae19e99a3ab5fa9fba9e316
  SHA512: 1b4710a57b323254d0eae75e80c5dc3f00c82672037ed0be194c0ee5a6479df6e7b92a331cd66d283a90cf2159a466b24f4f548340ffb3a6de604fb6988d2657
- Filesize: 88KB
  MD5: e8c490a8d0c6f118e205c82e20cf1593
  SHA1: 98482757d058bc7776b91ee3e2ed6f27e74bd498
  SHA256: 178c8e689f9a98b2852579a5459010206f6489848fc2f397e08ba4bb4efa736e
  SHA512: d9ee71a4fbe76d1ddbe34390356c3ec397345dde91da9fbd5c6be9451642fc0ec3eb74b2b5580212afd93fd8738f0739c5b8c0d0e3c1d7a0e89146c08e1ba4c7