Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2024, 23:56
Behavioral task: behavioral1
- Sample: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
- Resource: win7-20240903-en
General
- Target: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
- Size: 89KB
- MD5: 8f079325c4c70893a16e983d451acb70
- SHA1: 3c4b83e47fa93b02f0bf42c04a0251a4da6c23b1
- SHA256: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6d
- SHA512: 4f7a00d16710af3216e7a9e953e33b8ce280cf0d09a8769d9f78801d36c46bfd488e348e67c9bee4217a43d87e5c62dcdf859706356a3043bc0e84a12a7a5a22
- SSDEEP: 768:JMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA/:JbIvYvZEyFKF6N4yS+AQmZTl/53
Malware Config (extracted family: neconyd)
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  - PID 2120: omsecor.exe
  - PID 2772: omsecor.exe
  - PID 2312: omsecor.exe
- Loads dropped DLL (6 IoCs)
  - PID 2232: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
  - PID 2232: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
  - PID 2120: omsecor.exe
  - PID 2120: omsecor.exe
  - PID 2772: omsecor.exe
  - PID 2772: omsecor.exe
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 2232 wrote to memory of 2120 (665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe, target procid 30)
  - PID 2232 wrote to memory of 2120 (665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe, target procid 30)
  - PID 2232 wrote to memory of 2120 (665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe, target procid 30)
  - PID 2232 wrote to memory of 2120 (665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe, target procid 30)
  - PID 2120 wrote to memory of 2772 (omsecor.exe, target procid 32)
  - PID 2120 wrote to memory of 2772 (omsecor.exe, target procid 32)
  - PID 2120 wrote to memory of 2772 (omsecor.exe, target procid 32)
  - PID 2120 wrote to memory of 2772 (omsecor.exe, target procid 32)
  - PID 2772 wrote to memory of 2312 (omsecor.exe, target procid 33)
  - PID 2772 wrote to memory of 2312 (omsecor.exe, target procid 33)
  - PID 2772 wrote to memory of 2312 (omsecor.exe, target procid 33)
  - PID 2772 wrote to memory of 2312 (omsecor.exe, target procid 33)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe (PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2120)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\omsecor.exe (PID 2772)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2312)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 89KB
  - MD5: 36335d6d208518e28f1af8e4a063ff57
  - SHA1: 957f080cd7cfe3e478b854056546f607b51fab75
  - SHA256: 20c85413f71fda26627686a43e67748498ae2d403b8d79efb501af7977d954cc
  - SHA512: 1ed06a264140956e3638d75c9a77c32f2d73b3cbde8ec0996102ead4a6adeb0dfda9a095caeacf91c22e17d79d68661106c22e46ac7369572fca7971e0cf5ade
- Filesize: 89KB
  - MD5: b556dc5db3825d2f3bf93e9b6e05b5ba
  - SHA1: 2167bf56e8852a170e586de2f52e3edd44917b42
  - SHA256: 6db27b02817ce695794a95ab83721c7bb017d26493e92a50997650282da91ed4
  - SHA512: 07cc198ac996de6bed6b66428e0d7858823ada203fe86cfca460c9cbbafbef0e9e7dbd1d46e4d0fc99dd23516c111f95c10d7ce2ad3c9de54936f7d035fb09b4
- Filesize: 89KB
  - MD5: 2ecda7fe028b7783b9b4e8ec91be2af0
  - SHA1: 31f3005ed2251b924af71813ccc3c877a21dfc79
  - SHA256: 7a3bfc859e8cd33e75f186ccac69b1192996f51b2628a920af2797991ec05be1
  - SHA512: 37eed8456b75572e75c5d410a07dc1b6600dddc76497bca4561af0fd39b094843fb2bf8cf8b107bdc405c5897b37fb5ce3cbb9bf023100c11c9cee1296faf4ea