Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2024, 16:46
Behavioral task: behavioral1
Sample: 261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Resource: win7-20241023-en
General
Target: 261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Size: 76KB
MD5: fa3e88b79d7f31ed90462d41155ccfe0
SHA1: 4619556e37f8549041b280b1626342c74e3bcb3c
SHA256: 261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9
SHA512: 0b90acec18ec4eaf607575bb13ecd581d192f8a6c06e637f3afbbf5970fd98f30fa018f1260cdd7cd2d9379b64363d1cdbe20aaa23d3258f04a8d212c80aa5be
SSDEEP: 768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:MbIvYvZEyFKF6N4yS+AQmZTl/5Ob
Malware Config
Extracted family: neconyd
URLs from the extracted configuration:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
PID   Process
472   omsecor.exe
2312  omsecor.exe
1188  omsecor.exe

Loads dropped DLL (6 IoCs)
PID   Process
2600  261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
2600  261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
472   omsecor.exe
472   omsecor.exe
2312  omsecor.exe
2312  omsecor.exe
Drops file in System32 directory (1 IoC)
Description   IoC                                Process
File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
The recorded location is SysWOW64 rather than System32 because the dropper is a 32-bit process running on a 64-bit image (resource tags arch:x86 and arch:x64): WOW64 file system redirection maps its System32 writes to SysWOW64. The same redirection is why the process tree below shows the child with image path C:\Windows\SysWOW64\omsecor.exe but command line C:\Windows\System32\omsecor.exe. When hunting for the file, check both spellings of the path.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Reading this key is routine for benign software as well, so on its own it is a weak indicator; it is listed here because every process in the malicious chain does it.
Suspicious use of WriteProcessMemory (12 IoCs)
Description                          PID   Process                                                                   procid_target
PID 2600 wrote to memory of 472      2600  261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe   30   (recorded 4 times)
PID 472 wrote to memory of 2312      472   omsecor.exe                                                               33   (recorded 4 times)
PID 2312 wrote to memory of 1188     2312  omsecor.exe                                                               34   (recorded 4 times)
Each writer is the parent of its target in the process tree below (2600 -> 472 -> 2312 -> 1188), so these writes are consistent with each process setting up the child it spawns; the signature does not by itself show injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe (PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 472, child of 2600)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2312, child of 472)
      Command line: C:\Windows\System32\omsecor.exe (the System32 path given on the command line resolves to SysWOW64 under WOW64 file system redirection, hence the differing image path)
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1188, child of 2312)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
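The behaviour recorded above (a persistence copy named omsecor.exe in %APPDATA%\Roaming and SysWOW64, a chain of omsecor.exe processes each spawned by the previous one, NLS\Language reads by every process in the chain, and the hosts from the extracted configuration) can be turned into a hunting rule for endpoint telemetry. The Python below is an added example, not tria.ge output or part of this report. The IoC values are taken from the report; the telemetry records are constructed to mirror the process tree. Which of the three recovered files belongs to which process, the missing hash for PID 1188, the DNS lookup by PID 1188, and the System32 spelling of the file-create path for PID 472 (written as the 32-bit process requested it, to exercise the redirection fold) are all assumptions, and the notepad.exe records are a constructed benign control that must not alert.

```python
import re

# Values taken from the report: configuration URLs, submitted-sample and
# recovered-file SHA-256s, the persistence file name, and the NLS key read.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
KNOWN_SHA256 = {
    "261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9",  # submitted sample
    "132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655",
    "8ecf47bf70ab5196bd568a609a1daddd51e2b5ed396b116ce27be4351b78f906",
    "1fdca8440ed4059e9187798573c2292fe07295c032c14be81ce446bb4cf6695f",
}
DROP_NAME = "omsecor.exe"
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
DROP_DIRS = ("c:\\users\\*\\appdata\\roaming\\", "c:\\windows\\syswow64\\")


def normalize_path(path):
    """Lower-case, strip quotes, fold System32 into SysWOW64 (a 32-bit process
    writing to System32 on 64-bit Windows is redirected there, which is why the
    report shows a SysWOW64 image with a System32 command line) and replace the
    user name with '*' so the rule does not depend on the profile name."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    p = p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")
    return re.sub(r"^c:\\users\\[^\\]+\\", lambda _: "c:\\users\\*\\", p)


def flagged_processes(events):
    """PIDs whose image hash is known-bad, or which are named omsecor.exe and
    descend from a flagged process (the 2600 -> 472 -> 2312 -> 1188 chain)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    memo = {}

    def bad(pid):
        if pid in memo:
            return memo[pid]
        e = procs.get(pid)
        if e is None:
            return False
        memo[pid] = False  # cycle guard while walking up the parent chain
        memo[pid] = e.get("sha256", "").lower() in KNOWN_SHA256 or (
            normalize_path(e["image"]).rsplit("\\", 1)[-1] == DROP_NAME
            and bad(e["ppid"]))
        return memo[pid]

    return sorted(pid for pid in procs if bad(pid))


def persistence_drops(events):
    """(pid, normalised path) for omsecor.exe written to Roaming or SysWOW64."""
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        p = normalize_path(e["path"])
        if p.rsplit("\\", 1)[-1] == DROP_NAME and p.startswith(DROP_DIRS):
            hits.append((e["pid"], p))
    return hits


def language_discovery(events, flagged):
    """NLS\\Language reads are routine for benign software, so report them only
    when made by a process that is already flagged on stronger evidence."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry_open"
                   and e["key"].lower() == NLS_LANGUAGE_KEY.lower()
                   and e["pid"] in flagged})


def c2_lookups(events):
    """(pid, host) for DNS queries to hosts from the extracted configuration."""
    return [(e["pid"], e["qname"].lower().rstrip("."))
            for e in events if e["type"] == "dns"
            and e["qname"].lower().rstrip(".") in C2_HOSTS]


def hunt(events):
    flagged = set(flagged_processes(events))
    return {"processes": sorted(flagged),
            "drops": persistence_drops(events),
            "language_discovery": language_discovery(events, flagged),
            "c2": c2_lookups(events)}


# Constructed telemetry mirroring the report's process tree (assumptions: hash
# to process mapping, no hash for PID 1188, the DNS query, System32 spelling of
# the PID 472 drop). notepad.exe is a benign control and must not alert.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
EVENTS = [
    {"type": "process", "pid": 2600, "ppid": 1000, "image": SAMPLE,
     "sha256": "261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9"},
    {"type": "registry_open", "pid": 2600, "key": NLS_LANGUAGE_KEY},
    {"type": "file_create", "pid": 2600, "path": ROAMING},
    {"type": "process", "pid": 472, "ppid": 2600, "image": ROAMING,
     "sha256": "132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655"},
    {"type": "file_create", "pid": 472, "path": r"C:\Windows\System32\omsecor.exe"},
    {"type": "process", "pid": 2312, "ppid": 472, "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "8ecf47bf70ab5196bd568a609a1daddd51e2b5ed396b116ce27be4351b78f906"},
    {"type": "process", "pid": 1188, "ppid": 2312, "image": ROAMING, "sha256": ""},
    {"type": "dns", "pid": 1188, "qname": "ow5dirasuek.com."},
    {"type": "process", "pid": 900, "ppid": 600, "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "0" * 64},
    {"type": "registry_open", "pid": 900, "key": NLS_LANGUAGE_KEY},
    {"type": "dns", "pid": 900, "qname": "www.example.com"},
]

if __name__ == "__main__":
    for kind, hits in hunt(EVENTS).items():
        print(f"{kind}: {hits}")
```

PID 1188 has no hash in the constructed data and is still flagged, because it is an omsecor.exe whose parent was flagged; that parent-chain rule is what catches fresh copies whose hash differs from the three recovered here. The language-discovery check is deliberately gated on an already-flagged process, since notepad.exe reading the same key is normal.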
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files of 76KB were recovered from the run; none of their hashes matches the submitted sample.

File 1
Filesize: 76KB
MD5: 690355737d2f814f310663bba1c6a360
SHA1: 74e33198be7097aecf28ba8cac8504fa705ef8ed
SHA256: 132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655
SHA512: 4ba88aac4f4a493f851e8f7bba4c9366b1fae32e8d9badfbe0456d8703b2b41bb58e5222bc23dd6527ab2d84c0bacdebac38007cafa745a3543cb7d5c6429b5f

File 2
Filesize: 76KB
MD5: 79c49cf933cff147828d3005b5385381
SHA1: fdbcf213df12fa5f1f6617a3cf2c57456207bcd1
SHA256: 8ecf47bf70ab5196bd568a609a1daddd51e2b5ed396b116ce27be4351b78f906
SHA512: b78064e062f362f2d51005426d71febe4a1278db7a95e9b6cb9c54e7104f1219fabf56f3d4e55975363d48104e501906c5b5e73e733fef9fefee3e9252abbabb

File 3
Filesize: 76KB
MD5: 1a1e26239e17043c6c57cc90b6813914
SHA1: b2b0dde9f956782229467d4be70138bdb5642ad2
SHA256: 1fdca8440ed4059e9187798573c2292fe07295c032c14be81ce446bb4cf6695f
SHA512: fa95a0ef0866e2d81f1911c9b4c5d459957d9fbbce736d0be18fc437d4632f1717e88bd29b7338991a1a1072f4ab37f99d1d512128ce15532dca036ae914a4f4