Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2024, 07:41
Behavioral task: behavioral1
Sample: 011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Resource: win7-20240708-en
General
Target: 011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Size: 71KB
MD5: 7ddc1a5c59e68242c7687033f8af05c1
SHA1: 643c3a979d53d748afcb2631343693a6a3cf210e
SHA256: 011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681
SHA512: ec5a2dbae1a4715b409bfb892c2227ca9c98eba5a54853c5094e485a2fb09b92115c1b8edd7d4571c26ca1470d3251ce837f1c71e68f9a45ed7d815f4b750580
SSDEEP: 1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHf:TdseIOMEZEyFjEOFqTiQmQDHIbHf
Malware Config
Extracted
Family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2156  omsecor.exe
1992  omsecor.exe
1528  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2200  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
2200  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
2156  omsecor.exe
2156  omsecor.exe
1992  omsecor.exe
1992  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                      pid   Process                                                                   procid_target
PID 2200 wrote to memory of 2156  2200  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe  30
PID 2200 wrote to memory of 2156  2200  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe  30
PID 2200 wrote to memory of 2156  2200  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe  30
PID 2200 wrote to memory of 2156  2200  011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe  30
PID 2156 wrote to memory of 1992  2156  omsecor.exe                                                               33
PID 2156 wrote to memory of 1992  2156  omsecor.exe                                                               33
PID 2156 wrote to memory of 1992  2156  omsecor.exe                                                               33
PID 2156 wrote to memory of 1992  2156  omsecor.exe                                                               33
PID 1992 wrote to memory of 1528  1992  omsecor.exe                                                               34
PID 1992 wrote to memory of 1528  1992  omsecor.exe                                                               34
PID 1992 wrote to memory of 1528  1992  omsecor.exe                                                               34
PID 1992 wrote to memory of 1528  1992  omsecor.exe                                                               34
Processes

1. C:\Users\Admin\AppData\Local\Temp\011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe"
   PID: 2200
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2156
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1992
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1528
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

Note on the level-3 entry: the command line names C:\Windows\System32\omsecor.exe but the image that actually runs is C:\Windows\SysWOW64\omsecor.exe. The sample is 32-bit (resource tag arch:x86) running on a 64-bit image, so WOW64 file-system redirection maps System32 to SysWOW64 for it; this is also why the "Drops file in System32 directory" signature records a SysWOW64 path. When hunting for this chain on 64-bit hosts, match on both directories.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 71KB
MD5: e5fa2528e594d55396f1ce884565d3bc
SHA1: 4aec927bec4b5605893d4781dedd7dc017c3e2ca
SHA256: 1beebee7485d2769b07c25af69a7c79e92da8d08ecc1ac20dbad9faad6f8ec42
SHA512: cfdbf0ef184448565fc62f0d153ff0bd959c2d6f9f0fa38a3e4eb2aadcb34a03d0a50a3e6b28af13d96af6ef547448da5ea91545149b337dce23765abaed6520

Filesize: 71KB
MD5: 70eb4a3c9de9142b93c8f0a2496a634a
SHA1: 194f0e6ddfc81d5a202c8164edff01cab3517a35
SHA256: 27b25b39a6abed85cb8d982e6a0bb2da11e561a7125ef6af67984395d997ec5b
SHA512: 44f809d7480e9bbddbb0867caa687c281337ea81a1db14138e5d6711c4ac5523afbf4a3081cd06b012f62dacda4c5ab194475a0cc7fb6a03b5d160efa869b495

Filesize: 71KB
MD5: c990031a4efe6fd6e33ccfb63984daff
SHA1: 6ef034e3cf9bf100f2c7787fe082574362000e6b
SHA256: b065acf63963090d2c21a7698da5376895d5cd85094d8e2f3c5db143cbc07857
SHA512: a75d83e3184ba739705a2798d30bb2a733e8c27f4e6ef194842438756a9f8a7806b99592874f6b594ecedc7564326c70dfb887b58ba73e285954dbe0dbf4c9ef