Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 99s
- max time network: 99s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/01/2025, 23:34
Behavioral task: behavioral1
- Sample: 909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
- Resource: win7-20240903-en
General
- Target: 909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
- Size: 71KB
- MD5: 2cfe0f618024241fd92a21de19831700
- SHA1: ae2f30105ae1b9c7751f283606fcace01f42cef5
- SHA256: 909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252
- SHA512: d35ceadd67660fcf9d17b4a4442eac677f8a02dad6d12b494c39536e88ac936fd6e4cc5abb95068faae9251e4fa0b70e315126409047cb655db0a3c02ed82d02
- SSDEEP: 1536:4d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHV:IdseIOMEZEyFjEOFqTiQmQDHIbHV
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family

- Executes dropped EXE (3 IoCs)
  PID   Process
  3060  omsecor.exe
  2156  omsecor.exe
  2896  omsecor.exe

- Loads dropped DLL (6 IoCs)
  PID   Process
  1720  909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe (logged twice)
  3060  omsecor.exe (logged twice)
  2156  omsecor.exe (logged twice)

- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe, by omsecor.exe
  The command line of the child launched from this copy names C:\Windows\System32\omsecor.exe (see the process tree below), yet the file lands in SysWOW64: for a 32-bit process on 64-bit Windows, WOW64 file system redirection maps System32 to SysWOW64. When hunting, look for omsecor.exe under both paths.

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs; ATT&CK T1614.001)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened once by 909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe and once by each of the three omsecor.exe processes.

- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                             Target PID  procid_target
  1720        909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe      3060        30  (4 writes)
  3060        omsecor.exe                                                                2156        33  (4 writes)
  2156        omsecor.exe                                                                2896        34  (4 writes)
  Every write goes from a parent into the child it has just spawned; no write crosses into an unrelated process. On its own this signature is low-fidelity, so weight it together with the drop-and-relaunch chain rather than treating it as primary evidence of injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe (PID 1720)
   Command line: "C:\Users\Admin\AppData\Local\Temp\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3060)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2156)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2896)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
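The process tree and signatures above describe a small set of behaviours that are easy to turn into detection logic: a file written during the run is later executed, a user-land process writes into System32/SysWOW64, each stage reads the NLS\Language key, and one file name re-spawns itself across two directories. The script below is an added example, not tria.ge output and not code from the Neconyd sample. Its EVENTS list is constructed by hand to mirror this report (the initial drop into Roaming and the notepad rows are assumed for illustration; the sandbox does not show them), the event field names are an assumption rather than any sandbox's export format, and the DNS lines fed to c2_hits() are likewise constructed around the hostnames from the extracted config.

```python
"""Behavioural triage over a sandbox-style event trace.

Added example; not tria.ge output and not code from the Neconyd sample. The
EVENTS list is constructed by hand to mirror the report above (dropper in
%TEMP% -> omsecor.exe in Roaming -> copy in SysWOW64 -> relaunch from Roaming,
each stage reading the NLS\\Language key). The field names "ev", "pid", "ppid",
"image", "path" and "key" are an assumption for this example, not a sandbox export format.
"""
import ntpath
import re
from collections import defaultdict

ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe")
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed trace. The first drop into Roaming and the notepad rows are
# assumed for illustration; the rest follows the report's process tree.
EVENTS = [
    {"ev": "proc", "pid": 1720, "ppid": 1100, "image": SAMPLE},
    {"ev": "file", "pid": 1720, "path": ROAMING + r"\omsecor.exe"},
    {"ev": "reg",  "pid": 1720, "key": NLS_KEY},
    {"ev": "proc", "pid": 3060, "ppid": 1720, "image": ROAMING + r"\omsecor.exe"},
    {"ev": "file", "pid": 3060, "path": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"ev": "reg",  "pid": 3060, "key": NLS_KEY},
    {"ev": "proc", "pid": 2156, "ppid": 3060, "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"ev": "reg",  "pid": 2156, "key": NLS_KEY},
    {"ev": "proc", "pid": 2896, "ppid": 2156, "image": ROAMING + r"\omsecor.exe"},
    {"ev": "reg",  "pid": 2896, "key": NLS_KEY},
    {"ev": "proc", "pid": 4000, "ppid": 1100, "image": r"C:\Windows\System32\notepad.exe"},
    {"ev": "file", "pid": 4000, "path": r"C:\Users\Admin\Documents\notes.txt"},
]

# SysWOW64 counts as System32: a 32-bit process writing to C:\Windows\System32
# is redirected there by WOW64 file system redirection, as seen in the report.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.IGNORECASE)
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}  # extracted config
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def base(p):
    return ntpath.basename(p).lower()


def folder(p):
    return ntpath.dirname(p).lower()


def triage(events):
    """Return {signature: sorted PIDs} for the behaviours the report flags."""
    findings = defaultdict(set)
    dropped = set()   # lower-cased paths written during the run
    procs = {}        # pid -> (image, ppid)
    for e in events:
        if e["ev"] == "file":
            path = e["path"].lower()
            dropped.add(path)
            if path.startswith(SYSTEM_DIRS):
                findings["Drops file in System32 directory"].add(e["pid"])
        elif e["ev"] == "proc":
            procs[e["pid"]] = (e["image"], e["ppid"])
            if e["image"].lower() in dropped:
                findings["Executes dropped EXE"].add(e["pid"])
        elif e["ev"] == "reg" and NLS_LANGUAGE.search(e["key"]):
            findings["System Language Discovery"].add(e["pid"])
    # Self-relaunch: a parent->child chain of three or more processes that
    # share one file name but run from at least two different directories.
    for pid, (image, ppid) in procs.items():
        chain, cur = [pid], ppid
        while cur in procs and base(procs[cur][0]) == base(image):
            chain.append(cur)
            cur = procs[cur][1]
        if len(chain) >= 3 and len({folder(procs[p][0]) for p in chain}) >= 2:
            findings["Self-relaunch across directories"].update(chain)
    return {k: sorted(v) for k, v in findings.items()}


def c2_hits(log_lines):
    """Hostnames from the extracted config (or their subdomains) seen in log lines."""
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in C2_HOSTS or any(h.endswith("." + c) for c in C2_HOSTS):
                hits.append((h, line))
    return hits


# Constructed DNS log lines for the c2_hits() demonstration.
DNS_LOG = [
    "2025-01-12T23:35:01Z query A ow5dirasuek.com from 10.0.0.5",
    "2025-01-12T23:35:01Z query A www.lousta.net from 10.0.0.5",
    "2025-01-12T23:35:02Z query A update.microsoft.com from 10.0.0.5",
]

if __name__ == "__main__":
    for sig, pids in triage(EVENTS).items():
        print(f"{sig}: {pids}")
    for host, line in c2_hits(DNS_LOG):
        print(f"C2 hit {host}: {line}")
```

Running it reproduces the report's four signature groups against the constructed trace and additionally flags the Roaming -> SysWOW64 -> Roaming relaunch loop as one finding spanning PIDs 3060, 2156 and 2896; the notepad rows trigger nothing. The relaunch rule keys on file name plus directory rather than on hashes, which matters here because the three dropped 71KB artifacts listed under Downloads carry different digests.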
Network
MITRE ATT&CK Enterprise v15
Downloads
Three dropped artifacts, each 71KB (the same size as the sample) but with distinct digests. The page does not map them to paths; since the three copies of the dropped executable do not share a hash, hunt on the paths and behaviours above (and on ssdeep) rather than on any single digest from this list.

- Dropped file 1
  Filesize: 71KB
  MD5: 1a920717444a48152301011218da690b
  SHA1: 881ed6183cf768ef3e5d251518d22cd709e64279
  SHA256: 2af946ab4b09d4683a6b6324e5c59c15d16a4915ae9ebf48f6e90e4b3bd7d549
  SHA512: dfa8818dcf05e5d6b341c3e6858a326e2e11a4ee6d93388c1f054315b77721fc37fc8a20046e930d4b956822816de2038e7f995ee0c5706c6ea5bc27544fd2d0

- Dropped file 2
  Filesize: 71KB
  MD5: 3d4c1b4a80079f92081d7b717b5dec14
  SHA1: e38c94a105fe22170867265fda6b21cb488ef593
  SHA256: 6154f5564da21adb6a7ae377a242ec97f0d7600f11e0843048c3eb10fe7db145
  SHA512: 89527adaef13f6b10c615878242ea1ad73835d2156613c068a6c1c2e2bf4972d0916b1a83e3cfe5ee5fd3a6aec51b0931985d1b18b056ebaf7b3b77ade97e9d0

- Dropped file 3
  Filesize: 71KB
  MD5: 7317e23ec6aac0cc6141cee6d48d3d25
  SHA1: f97405770b56c782d25a035f0b242d3fb9542143
  SHA256: c69348ba02dbaa7a1cfa3132eed03e71bdb05502495b55e433fbef6f6f0c20f2
  SHA512: e19193e9117f65bc29bc7ea3f073090f42cf1ef42d868ee372daa2196ccd13cf7087c482dda26258bd40e4362720be1828476ba87e32191ded3e4246e26637aa