Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2024, 20:10
Behavioral task: behavioral1
Sample: 15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Resource: win7-20240903-en
General

Target: 15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Size: 61KB
MD5: b43ae4bd2587aae0bb7cda53225bfb7e
SHA1: a7915c8f95202c58172bc6ffa283505e7874fb3a
SHA256: 15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344
SHA512: 21c0cb46e37862689cf1fb6f75692e3ff094298c5e263db46b2f0df6cca1e943ef1e170dfd2f330080db80aa40ce6b64d80b36073557538274fbba116e743b84
SSDEEP: 1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:7dseIOMEZEyFjEOFqTiQmPl/5
Malware Config

Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2696  omsecor.exe
676   omsecor.exe
2920  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
1640  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
1640  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
2696  omsecor.exe
2696  omsecor.exe
676   omsecor.exe
676   omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                 procid_target
PID 1640 wrote to memory of 2696   1640  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe  30
PID 1640 wrote to memory of 2696   1640  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe  30
PID 1640 wrote to memory of 2696   1640  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe  30
PID 1640 wrote to memory of 2696   1640  15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe  30
PID 2696 wrote to memory of 676    2696  omsecor.exe                                                             33
PID 2696 wrote to memory of 676    2696  omsecor.exe                                                             33
PID 2696 wrote to memory of 676    2696  omsecor.exe                                                             33
PID 2696 wrote to memory of 676    2696  omsecor.exe                                                             33
PID 676 wrote to memory of 2920    676   omsecor.exe                                                             34
PID 676 wrote to memory of 2920    676   omsecor.exe                                                             34
PID 676 wrote to memory of 2920    676   omsecor.exe                                                             34
PID 676 wrote to memory of 2920    676   omsecor.exe                                                             34
Processes

1. C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe"
   PID: 1640
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2696
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 676
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2920
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 61KB
MD5: e75c970bba40534408665e9780da0b9e
SHA1: 14dfe6fee89cb45fe582844aeb9732941f34d86b
SHA256: fbe87e65078d3ea5eee27a339e541a95b3dffba4c91b3bc7a4d0ad50016d10c2
SHA512: ea214804fccaed5947da5e24641a712842cfad507e55029d21f201117d0a851ca7aaf515cdb62d44e8e342ac0719fa652e49a81c2a189e4b669359bfd558fca1

Filesize: 61KB
MD5: d01b660d2283f068c79724968338645f
SHA1: 589b80e4e8784bf8f21aa5a753989e9ca8e97b71
SHA256: 5154ae8b1dc240e4cf938c58ee33f0d521b801174527da0bf1841e7de9c33200
SHA512: 3ec94a45a076a901369d618f680f5c61d70952daf92a8c4757b6b290623b731b3502017f627f79a05b83fb28575302d1e790200b7518a87ebdec79e15dfc8cfb

Filesize: 61KB
MD5: 6f19c18e4012785b7040a08e25ad7c59
SHA1: 42d8ff55126c72c645249dfde86c08b283cd7de7
SHA256: 41eb26dab28d5e3d65df53b12f2c3073a1b2c3a3f6101eb2a2e593e4e77009ad
SHA512: 274d2d86ab9c1f6913e20c6678ec0a766b843ece175cf902a8626bec21a68094b18b895d94ffb55b2dd96168f0b7cb99bc5307fc2a9274ad20b122cd6292aa44