Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 18/12/2024, 01:59
Behavioral task: behavioral1
- Sample: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
- Resource: win7-20241010-en
General
- Target: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
- Size: 90KB
- MD5: 4cfcc2372b0d1cec4ca5cd9de9c37d45
- SHA1: 9296d10dcd3135c5744e32409c2c4b5340d91419
- SHA256: 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6
- SHA512: e0832dcc6b19a14e90feeb51d5ac78628294c49d75b1dacb1a68d047680d0919b6e90fd66c85e2a2c3b1abc1b233344ca79e9f07f96e30858c1c87fb929fb671
- SSDEEP: 768:GMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:GbIvYvZEyFKF6N4aS5AQmZTl/5C
Malware Config
- Extracted family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2360  omsecor.exe
  1188  omsecor.exe
  2336  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2588  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
  2588  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
  2360  omsecor.exe
  2360  omsecor.exe
  1188  omsecor.exe
  1188  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2588 wrote to memory of 2360   2588  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe  30
  PID 2588 wrote to memory of 2360   2588  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe  30
  PID 2588 wrote to memory of 2360   2588  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe  30
  PID 2588 wrote to memory of 2360   2588  92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe  30
  PID 2360 wrote to memory of 1188   2360  omsecor.exe                                                              33
  PID 2360 wrote to memory of 1188   2360  omsecor.exe                                                              33
  PID 2360 wrote to memory of 1188   2360  omsecor.exe                                                              33
  PID 2360 wrote to memory of 1188   2360  omsecor.exe                                                              33
  PID 1188 wrote to memory of 2336   1188  omsecor.exe                                                              34
  PID 1188 wrote to memory of 2336   1188  omsecor.exe                                                              34
  PID 1188 wrote to memory of 2336   1188  omsecor.exe                                                              34
  PID 1188 wrote to memory of 2336   1188  omsecor.exe                                                              34
Processes
- C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe (PID 2588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2360)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 1188)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2336)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB
  MD5: 8dee2d8cae1e243c9808a04cc886c746
  SHA1: c501945a7d593253b68d2e99063bf5d68fda83b9
  SHA256: bdc917a2b628176bebdc844a510f84bc568088d971514be7fce9ae29d0f63df9
  SHA512: bfd3a84e8fa78b0bf440417a15f0a70a4906b7685c9c0efb13f9304db2df6f3edf26690c83cddd90e45c3448f78bd86ca4dd4349f6747d043a03c6fe348c6df6
- Filesize: 90KB
  MD5: 366487e943477f12b53cfe3c40ec6f50
  SHA1: c6d8e6ebaa32b4a2a3b59764750b7eb23519f79c
  SHA256: ddc406eb47f7e1c4bea965fe624efefcd792b984540f2a1d1b8e0497eb976bfa
  SHA512: 8b3a3f11fe7b68c5e64f5590ed28a7398b2d4279f1f196a8c05cf159448f48da984fc665021bd49ecf8e8d0cf54eeb3074744b71e3426bb693c2f2bc8363c028
- Filesize: 90KB
  MD5: 53989adf3e77c4866b5ffc4ef8220ac2
  SHA1: f3652fefb1494c91342aaf02742ed4f500a7e56f
  SHA256: c553fb853e0b6bde8ed6e978314b465e9b17ca660ce1ca3b79a1d1055b9564fc
  SHA512: 27c081f05a8a88d309301d5d9aa7d2017742062d551773622bbc24196aa02d0047573bc7d6d4ccf2a14e9f3c5b6516423b42d96dff1f6fce120dbe708b023041