Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 14:34
Behavioral task: behavioral1
- Sample: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
- Resource: win7-20240903-en
General
- Target: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
- Size: 71KB
- MD5: 3958deddaef3fe3737c2a7566c3f3800
- SHA1: 051a7a844e9bf717ee161af71333a78115aac3b8
- SHA256: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5c
- SHA512: 29c580730edeebabf5b0c49abc058c64b1d2d1fe21f285d0cff4f07c49a43e2efbd0629c89a9a2742f3a16fa1a69cb882605e6e25fbe0f93e6352918d087657f
- SSDEEP: 1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:4dseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
Extracted (family: neconyd)
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid 2768: omsecor.exe
  pid 2908: omsecor.exe
  pid 848: omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid 2692: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
  pid 2692: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
  pid 2768: omsecor.exe
  pid 2768: omsecor.exe
  pid 2908: omsecor.exe
  pid 2908: omsecor.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2692 wrote to memory of 2768 (process: 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe, procid_target: 31), 4 entries
  PID 2768 wrote to memory of 2908 (process: omsecor.exe, procid_target: 33), 4 entries
  PID 2908 wrote to memory of 848 (process: omsecor.exe, procid_target: 34), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe"
   PID: 2692
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2768
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2908
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 848
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 71KB
  MD5: 14609222ad04fd8fcf5d5c9107ee25e0
  SHA1: 15f317f2e29c854d53b281f4aa6b2af3e0627352
  SHA256: 0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3
  SHA512: 76f754cf0d2ed9f3013a81c8ad8189dca0f13955310c0f9cb1a68c656ddb7fb247914a9d2aa10e989c503c2ae658759830ff28bc8765d15a3853cfd5f1138aae
- Filesize: 71KB
  MD5: 939ac864579eefc7a2cd3e91d48f73d9
  SHA1: 3f914a01faf6328cf8db0e8d4877c3a86761f8c0
  SHA256: ba9cd28996246bd4f8e70f1562cd554170e25552028d13d24ba3e1b0c11ea460
  SHA512: d76cbd5245bb1347ccf7302a54563f936558cc92c14bbbbf750a5f2648f5922e76e1af06892f98a5217718fbe4a8d44832b49c4beebccd30debfdf81f73e9a74
- Filesize: 71KB
  MD5: 2afbd95c98ad53d0ac5ceda9e71d06e0
  SHA1: d741e24b7275fac5cf6e37327a50b21276b399ac
  SHA256: cc0454293564869a29d6a514ece5e76e78485278bc70b1bda303d37637d498c3
  SHA512: 534dfb10e4c5a2586ab85121857acec0deb2404070ecc010ed0caf4fde31aa21bea324ca58208cb1a4fed08a3ca33c463967cd1f1adeaf5a43d44805b1fe5461