Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 10/12/2024, 00:04
Behavioral task: behavioral1
- Sample: a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
- Resource: win7-20241010-en
General
- Target: a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
- Size: 90KB
- MD5: e70979f2cb5eb8e7e410b87a94f5af0b
- SHA1: 51669cacbd1c41b01b99e4bd68f4df34f3747ffe
- SHA256: a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9
- SHA512: 3dd587df70334707211afe5a5038893971f656ced03a0853366c167c82528522b922a0dd9918df5648f885698ba97efc0e045f39a11883b4f94d0f160a1b17a8
- SSDEEP: 768:+MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:+bIvYvZEyFKF6N4aS5AQmZTl/5i
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE (3 IoCs)
  PID   Process
  2080  omsecor.exe
  2008  omsecor.exe
  756   omsecor.exe
-
Loads dropped DLL (6 IoCs)
  PID   Process
  3064  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
  3064  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
  2080  omsecor.exe
  2080  omsecor.exe
  2008  omsecor.exe
  2008  omsecor.exe
-
Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                 procid_target
  PID 3064 wrote to memory of 2080  3064  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe  30
  PID 3064 wrote to memory of 2080  3064  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe  30
  PID 3064 wrote to memory of 2080  3064  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe  30
  PID 3064 wrote to memory of 2080  3064  a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe  30
  PID 2080 wrote to memory of 2008  2080  omsecor.exe                                                             33
  PID 2080 wrote to memory of 2008  2080  omsecor.exe                                                             33
  PID 2080 wrote to memory of 2008  2080  omsecor.exe                                                             33
  PID 2080 wrote to memory of 2008  2080  omsecor.exe                                                             33
  PID 2008 wrote to memory of 756   2008  omsecor.exe                                                             34
  PID 2008 wrote to memory of 756   2008  omsecor.exe                                                             34
  PID 2008 wrote to memory of 756   2008  omsecor.exe                                                             34
  PID 2008 wrote to memory of 756   2008  omsecor.exe                                                             34
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7dd0737bb980e9eed5c06dd9c66e28943fa4e38495c833a7b3241f5c2e603b9.exe"
  Depth: 1
  PID: 3064
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Depth: 2
    PID: 2080
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      Depth: 3
      PID: 2008
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Depth: 4
        PID: 756
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 90KB
MD5: 49a3d5b73aaca51e079c3025b541725e
SHA1: d79371a127acdcbf499e223cba60bec9b3b78768
SHA256: 5e463e09cbe78e1539c448e5ff444f2449448d03f2133fa25c396f842ddb9d94
SHA512: f0cc977834e727f972300ea21ed0edabfb61d1c09a3e354b47bebd6310440fd23792ca5f1c935a96cf5537a79050fd92464e85c546be0a861da770d93dd8109f
-
Filesize: 90KB
MD5: e7d9f64a32cea5f699a2f92e029e259b
SHA1: 2a19a9b580167988eab0eaeea25f69c3f7c2fd9f
SHA256: c93385637ac2e36361be2dcbf8bba832d3b60cf2d45a6fa3e1a3a3ea77897a12
SHA512: aa078325c751d07d9caef3e2fcc613bae018f3aef14b15d99ee6a07130e03d6f188fee1400ddd98607c5dd0783823252a2db790971d59ddd8b2c8d708ab5ff8c
-
Filesize: 90KB
MD5: c252e18055b3301333d1d652fdf528f1
SHA1: 9625672b6de49c7510f9864b6a9d1038fc8d198b
SHA256: c5ab0371155d9c79ade06c8a99ba619083c6338de5459a379eed13e2dd984f5a
SHA512: aa57a6daa7d6b23f7b0614e049e78cebac7fcca5e8fdf601f9f098b178684905a1db2022cbf327ce23fe92d49087206eeb8b7454ee444ab54c35bca451b12aeb