Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/12/2024, 23:15
Behavioral task: behavioral1
Sample: 315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
Resource: win7-20240903-en
General
Target: 315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
Size: 80KB
MD5: 4cac4da6513b2494ea90fea579d6c2a8
SHA1: 0edede44656cabc718bc91805f135563d7b6f452
SHA256: 315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d
SHA512: ec0d57d1baa87dde2cbfa37472dc961980691a278d147f005544e2cfaab710a633fdf01a1f65b169ff06f7faa74a2038343434ff43d23e0259cef5d8abf42144
SSDEEP: 1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:udseIOMEZEyFjEOFqTiQmOl/5xPvwv
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE  3 IoCs
pid   Process
2396  omsecor.exe
2484  omsecor.exe
2304  omsecor.exe

Loads dropped DLL  6 IoCs
pid   Process
2440  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
2440  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
2396  omsecor.exe
2396  omsecor.exe
2484  omsecor.exe
2484  omsecor.exe

Drops file in System32 directory  1 IoCs
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory  12 IoCs
description                       pid   Process                                                                 procid_target
PID 2440 wrote to memory of 2396  2440  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  28
PID 2440 wrote to memory of 2396  2440  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  28
PID 2440 wrote to memory of 2396  2440  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  28
PID 2440 wrote to memory of 2396  2440  315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe  28
PID 2396 wrote to memory of 2484  2396  omsecor.exe                                                             32
PID 2396 wrote to memory of 2484  2396  omsecor.exe                                                             32
PID 2396 wrote to memory of 2484  2396  omsecor.exe                                                             32
PID 2396 wrote to memory of 2484  2396  omsecor.exe                                                             32
PID 2484 wrote to memory of 2304  2484  omsecor.exe                                                             33
PID 2484 wrote to memory of 2304  2484  omsecor.exe                                                             33
PID 2484 wrote to memory of 2304  2484  omsecor.exe                                                             33
PID 2484 wrote to memory of 2304  2484  omsecor.exe                                                             33
Processes

1. C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2440

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2396

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2484

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2304
Network
MITRE ATT&CK Enterprise v15
Downloads