Analysis
max time kernel: 115s
max time network: 122s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 15:07
Behavioral task: behavioral1
Sample: fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Resource: win7-20241010-en
General
Target: fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Size: 80KB
MD5: b1f8acd97175c71200908ec76ccf7906
SHA1: 6c276b3aa94849880068b9f1c25490cc4e9e7152
SHA256: fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe
SHA512: 489d8d4f949677a5784035d297561d883c7260492247504c107918847b49d02fdea5cf1b553dabb7ba163d1108fb4c93e12253d03ca58582268308ada1dc4c9c
SSDEEP: 768:tfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:tfbIvYvZEyFKF6N4yS+AQmZTl/5m
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid    Process
1128   omsecor.exe
2868   omsecor.exe
668    omsecor.exe

Loads dropped DLL (6 IoCs)
pid    Process
2116   fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
2116   fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
1128   omsecor.exe
1128   omsecor.exe
2868   omsecor.exe
2868   omsecor.exe

Drops file in System32 directory (1 IoC)
description    ioc                                Process
File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid    Process                                                                   procid_target
PID 2116 wrote to memory of 1128   2116   fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe    30
PID 2116 wrote to memory of 1128   2116   fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe    30
PID 2116 wrote to memory of 1128   2116   fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe    30
PID 2116 wrote to memory of 1128   2116   fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe    30
PID 1128 wrote to memory of 2868   1128   omsecor.exe                                                               33
PID 1128 wrote to memory of 2868   1128   omsecor.exe                                                               33
PID 1128 wrote to memory of 2868   1128   omsecor.exe                                                               33
PID 1128 wrote to memory of 2868   1128   omsecor.exe                                                               33
PID 2868 wrote to memory of 668    2868   omsecor.exe                                                               34
PID 2868 wrote to memory of 668    2868   omsecor.exe                                                               34
PID 2868 wrote to memory of 668    2868   omsecor.exe                                                               34
PID 2868 wrote to memory of 668    2868   omsecor.exe                                                               34
Processes (process tree; indentation shows parent/child)

1. C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe"
   PID: 2116
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1128
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2868
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 668
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Downloads

File 1
Filesize: 80KB
MD5: d7e912cd743b0bd5519d91debc0fc60c
SHA1: 3f8d71605c781afd0336e98cb243ff9662ab4b8e
SHA256: cd1961b57e562b8b8f5d9cd0d76bb72b3c29879fee45c4fb5b21f1c95aa572d1
SHA512: c4af01cfb02b7bc12bede6e2a769c3137351fe3474a8d63c55ff3dde0d2abe5d729bd2c34d1a53a07ca1827a5218b1754a9b899041147e1b7c2930c9127f9da5

File 2
Filesize: 80KB
MD5: 0813eea1a1e36ac4e2a6c9dd5e8835c8
SHA1: 476739c4340f206b31166f1360e0a1e716cab636
SHA256: 0daceeed1c912cba9a0cfb4efc7f403a4bb692c57325cb5e59c68bf901d88870
SHA512: 80df1fe63850c90eb1ed5a765bc9afbd7778a0b9a639fb57b6d922184119e19158d8ec044ea473f78b6221d6e404fb4cf5b2740d311bcea8ed61437e98e3aa8d

File 3
Filesize: 80KB
MD5: f44fecf2a2db7f5e73aebbd0aef97ab0
SHA1: 2268cc507f8ce4105ed23b8fb7029e878ed08bac
SHA256: 43a4fb7ace01316cddd48c8681acd0d71ef7a0cadc62669fe097cdfa9c14628a
SHA512: fb1fa1d62667935c7305657f88b6d9627f57fec72c6e9ff8b596d7a027433c892fc031cdad32277c2e1e6afd224024c27342f990b5fa208d2de98147c3744043