Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/12/2024, 20:49
Behavioral task
behavioral1
Sample
24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
Resource
win7-20240903-en
General
- Target: 24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
- Size: 71KB
- MD5: fbfd6ceec92235dbd62511953284ff0c
- SHA1: 2d823371212511f61382601ac233ed60e624896d
- SHA256: 24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71
- SHA512: e0ab32877220df84be9cb1540762bd7da831b425e176152ef884b2d8895b5246c67d06e4ccfe29f1f199fb492dfeba13cced8ee8b4b5f0fe33c877ef8611a13c
- SSDEEP: 1536:dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHP:VdseIOMEZEyFjEOFqTiQmQDHIbHP
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
pid   Process
1728  omsecor.exe
1140  omsecor.exe
704   omsecor.exe
-
Loads dropped DLL 6 IoCs
pid   Process
3016  24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
3016  24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
1728  omsecor.exe
1728  omsecor.exe
1140  omsecor.exe
1140  omsecor.exe
-
Drops file in System32 directory 1 IoCs
description   ioc                                Process
File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                 procid_target
PID 3016 wrote to memory of 1728   3016  24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe   30
PID 3016 wrote to memory of 1728   3016  24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe   30
PID 3016 wrote to memory of 1728   3016  24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe   30
PID 3016 wrote to memory of 1728   3016  24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe   30
PID 1728 wrote to memory of 1140   1728  omsecor.exe                                                             33
PID 1728 wrote to memory of 1140   1728  omsecor.exe                                                             33
PID 1728 wrote to memory of 1140   1728  omsecor.exe                                                             33
PID 1728 wrote to memory of 1140   1728  omsecor.exe                                                             33
PID 1140 wrote to memory of 704    1140  omsecor.exe                                                             34
PID 1140 wrote to memory of 704    1140  omsecor.exe                                                             34
PID 1140 wrote to memory of 704    1140  omsecor.exe                                                             34
PID 1140 wrote to memory of 704    1140  omsecor.exe                                                             34
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3016
   -
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1728
      -
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1140
         -
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 704
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 71KB
MD5: d3cc034cbb39415bbe4de7d92d9bb0bc
SHA1: 5e6280f787b2c3ed171b866f9c1caae14956598c
SHA256: 0c872d84f8a63762cf84ddfbf8a6b888b2bb157fa1f858b30c25079becd1fd72
SHA512: 11cf225a4101c19bd0f45921408218027711fc43d50857d94f69cf0bcde56ee5641275214cbdb45f47ffa50f9fac8997129c07cde8bdced3d36868c287f69988
-
Filesize: 71KB
MD5: d2e8efb4bff74b7b79c9e72b5ed4c6b8
SHA1: d0f09c4adfbbc84caf4defc82b2dc22be615860d
SHA256: e2ae741c3db6444e9dd52e7ba156d0f364b8a607d5a6d949473409ae31709bb4
SHA512: e628ab2c477b6f3d4d58a93ea49f40ca6b68ca3eeef02519613d89f7b7255311f4cd59a7b142d2cc9f25e93af471a6c47129c9aebcbb7e384d6eb7d67302d6d4
-
Filesize: 71KB
MD5: 8f88f36612872ec0b0cbcdcacacebb2e
SHA1: cfd828a9ed2b29c47667083dd1fc85983005f5ac
SHA256: 79940a5f1b4c78f965d5583a4fbab90fe834e1ae3c8f5ca83eceb0adb315bd0c
SHA512: 7441a3f2910f34f424414fa78194c7f530d8ab8333a6ce78169c7b0c060b2bc8b0de0a9acf3b49e342a2370e7ceea90246836ce871beec3665f332f2fe6dd0d0