Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  118s
  max time network: 120s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        30/12/2024, 14:38
Behavioral task: behavioral1
  Sample:   52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe
  Resource: win7-20240903-en
General
  Target: 52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe
  Size:   80KB
  MD5:    ffb185e8f37f93d3c1711dc2b5c70d20
  SHA1:   7e611d60e24f26db99a43bbe1d7be6905bb0c243
  SHA256: 52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42a
  SHA512: b865b5d05fd2bea01ea47dd750aecc2dc7e1167ae3cac241efbe59d3cdf9fd96ae4ba3ae238903bb612bacf69b0c2b52bc9daaccf33f67de2ce64e958b18b4b3
  SSDEEP: 1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzJ:LdseIOMEZEyFjEOFqTiQmOl/5xPvwV
Malware Config
  Extracted family: neconyd
  URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (3 IoCs)
    PID   Process
    2996  omsecor.exe
    2032  omsecor.exe
    844   omsecor.exe

- Loads dropped DLL (6 IoCs)
    PID   Process
    2104  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe
    2104  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe
    2996  omsecor.exe
    2996  omsecor.exe
    2032  omsecor.exe
    2032  omsecor.exe

- Drops file in System32 directory (1 IoC)
    Description   IoC                              Process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    Description                        PID   Process                                                                  procid_target
    PID 2104 wrote to memory of 2996   2104  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe  31
    PID 2104 wrote to memory of 2996   2104  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe  31
    PID 2104 wrote to memory of 2996   2104  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe  31
    PID 2104 wrote to memory of 2996   2104  52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe  31
    PID 2996 wrote to memory of 2032   2996  omsecor.exe                                                              34
    PID 2996 wrote to memory of 2032   2996  omsecor.exe                                                              34
    PID 2996 wrote to memory of 2032   2996  omsecor.exe                                                              34
    PID 2996 wrote to memory of 2032   2996  omsecor.exe                                                              34
    PID 2032 wrote to memory of 844    2032  omsecor.exe                                                              35
    PID 2032 wrote to memory of 844    2032  omsecor.exe                                                              35
    PID 2032 wrote to memory of 844    2032  omsecor.exe                                                              35
    PID 2032 wrote to memory of 844    2032  omsecor.exe                                                              35
Processes (tree; indentation shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe (PID 2104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52194a535bb7866c71aa16a7f392eecc41a29907859acaeb58cc11136f3bc42aN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2996)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\omsecor.exe (PID 2032)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 844)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Dropped file 1
  Filesize: 80KB
  MD5:      67236ae4fe8bd0ebdfd1429323afedbb
  SHA1:     275ca5278a2ee28ce8dc8f54638af18b86043578
  SHA256:   f2aced4bcae7228c34ddfce3b615d6c4ae9b9dfb5191fed46e67a8bb3e5378d7
  SHA512:   cdd3490763cb3357ecc4f951d2d86f6777613f4cbb7a017642156a571c6ef91b6def3fdc04a4c52ee78e2c893d4611abfc57d3236b6984fde274314805d4c908

- Dropped file 2
  Filesize: 80KB
  MD5:      13e8d6039248e84e1b5058d92d549142
  SHA1:     9092618db72f51198b2648ec9ec43143cdfcc4b6
  SHA256:   f55cb6200bf4dedb2a26cc8572c4b646229b100017a4f8b4a04970b82ed47e60
  SHA512:   7f07c6cc09b2f06331dcb83b6ad292988133469a8431279335c650cc0b6fd5e3f33fbc02fe8dfa2795e16ff22ca6fef4c00c5fceadeb67d1cc79140df23debc7

- Dropped file 3
  Filesize: 80KB
  MD5:      5ef2e95b568cc6ad8df63569b1483b2b
  SHA1:     5996127caf6aa4a7139a76169bb34f3c4bd8606c
  SHA256:   b694925979004d046f557f9174894911d57ed57cfe8ccb1b39c6c63f1f59e82c
  SHA512:   cd8919b1d64e7d38b90f6eb88b41bc2576eb99dc2ad1015626bd95e838782cea6bd387dccc30d5428ebbadd4601fd0842ca5aba69ba8a54f0b88d520e05c5016