Analysis
max time kernel: 145s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2024, 21:03
Static task: static1
Behavioral task: behavioral1
Sample: 339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
Resource: win7-20240903-en
General
Target: 339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
Size: 33KB
MD5: cc78612706f777dd9cbe41e98b11f15b
SHA1: 784736d5e0f78f8de86e718d684dd9ff5e64e0cb
SHA256: 339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247
SHA512: 4ab445cacfa69b92b2a7ecf9ff3007f934aa40649113cdc3dbcc435ac39ebc384c98cbf4c5bdf895e44a12a921e30973dd55d7f35ffda5bb12eb53c24ccbc150
SSDEEP: 768:UfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:UfVRztyHo8QNHTk0qE5fslvN/956q
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2612  omsecor.exe
1752  omsecor.exe
2432  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
548   339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
548   339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
2612  omsecor.exe
2612  omsecor.exe
1752  omsecor.exe
1752  omsecor.exe

Drops file in System32 directory (1 IoCs)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                 procid_target
PID 548 wrote to memory of 2612    548   339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe   31
PID 548 wrote to memory of 2612    548   339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe   31
PID 548 wrote to memory of 2612    548   339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe   31
PID 548 wrote to memory of 2612    548   339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe   31
PID 2612 wrote to memory of 1752   2612  omsecor.exe                                                             33
PID 2612 wrote to memory of 1752   2612  omsecor.exe                                                             33
PID 2612 wrote to memory of 1752   2612  omsecor.exe                                                             33
PID 2612 wrote to memory of 1752   2612  omsecor.exe                                                             33
PID 1752 wrote to memory of 2432   1752  omsecor.exe                                                             34
PID 1752 wrote to memory of 2432   1752  omsecor.exe                                                             34
PID 1752 wrote to memory of 2432   1752  omsecor.exe                                                             34
PID 1752 wrote to memory of 2432   1752  omsecor.exe                                                             34
Processes

1. C:\Users\Admin\AppData\Local\Temp\339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe (PID 548)
   Command line: "C:\Users\Admin\AppData\Local\Temp\339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2612), child of PID 548
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 1752), child of PID 2612
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2432), child of PID 1752
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 33KB
MD5: ebbf5c33067cb11bf3aa3c339191e626
SHA1: 4955facaf7a98cfdb909d553644f16b820414691
SHA256: a7b2ce28b3d47705c29d9bc00e154bd7243935e95d45834b2116082bfca56171
SHA512: 0e9663956f6a9b9b85880bbe31413fab8c7aa6647a1f70e2f92745822b52feb1e9bf9234956b64e38ecd78dbca526c3b9fbc0ab68726faf61db71b10033896fa

Filesize: 33KB
MD5: 3fd6893b053841e6747cf998154369c5
SHA1: 604922f2f469eb40d1ff7a9fdf9fbe63c3d183cf
SHA256: ddea204a98d44ce6cf484e3d07fbb19cca05fb61ab6c0c8cbdf0b7425353753e
SHA512: ad800d8fb28900b8f0a714ebb65716429ba20f983b2677a03e8039e4dae845e2b9656851f3dc81ce7d8fbcc172230d3c86b6b1e6d51d2a2cb1eaa1c89a582727

Filesize: 33KB
MD5: 72360a6fad605408c96c80ae0ea82f1c
SHA1: cdc8f8138e7867f516739f2b141ed6acbea34cbf
SHA256: 4adbcc564dbed7964a2a2999b4916016098013fc59dcad2b4b4eda370b62fc90
SHA512: ae5f96be33e657cc63325e9b3071d6a3507574346f5379444925913099dc55aa8435e612e275f3cc729c8a4a70bc4348f72834c3b699953c6c22f6285fd4fbea