Analysis
max time kernel: 114s
max time network: 113s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 22:02
Behavioral task: behavioral1
Sample: 2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
Resource: win7-20240903-en
General
Target: 2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
Size: 76KB
MD5: 6351bf0b2c857a252d51c3442c498476
SHA1: 684e30fb9169d36080114ae44ece8e9d206675a1
SHA256: 2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea
SHA512: 9ceea7634d447cfa772d744cee31d38b74697d12e44308027bd4eda508887e7c73807e112c90caaae31a9b21a2c7bae7935d203ed12b0b66e012d357b7ded083
SSDEEP: 1536:5d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11J:ZdseIOMEZEyFjEOFqaiQm5l/5w11J
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2904  omsecor.exe
1868  omsecor.exe
1668  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2280  2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
2280  2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
2904  omsecor.exe
2904  omsecor.exe
1868  omsecor.exe
1868  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                         pid   Process                                                                   procid_target
PID 2280 wrote to memory of 2904    2280  2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe   30   (logged 4 times)
PID 2904 wrote to memory of 1868    2904  omsecor.exe                                                               33   (logged 4 times)
PID 1868 wrote to memory of 1668    1868  omsecor.exe                                                               34   (logged 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe  (PID 2280)
  command line: "C:\Users\Admin\AppData\Local\Temp\2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2904, child of 2280)
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe  (PID 1868, child of 2904)
      command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1668, child of 1868)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

Note on the third hop: the command line names C:\Windows\System32\omsecor.exe, but the process image is C:\Windows\SysWOW64\omsecor.exe, and the file-drop signature above also records the write under SysWOW64. That is WOW64 file-system redirection: a 32-bit process on x64 Windows has its System32 accesses redirected to SysWOW64, so path-based detections for this family should match both spellings.
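The signature list and process tree above describe one chain: the sample in Temp spawns a copy from Roaming, which drops and spawns a copy under SysWOW64, which spawns Roaming again, with every hop reading the NLS\Language key and writing into its child's memory. The script below is an added example, not tria.ge code, that reproduces those signature counts from a constructed event stream. The event schema (`process`, `file_create`, `reg_open`, `proc_write`) is hypothetical and chosen to mirror the report's signature categories; the two writes of the Roaming copy are assumed (the report lists three dropped files but only shows the SysWOW64 write as a signature), and all PIDs and paths come from the report. Taint starts at a process running from a user-writable path and spreads to the files it writes and the processes it spawns, which is how "Executes dropped EXE" gets counted; both System32 and SysWOW64 are treated as the system directory so the WOW64 redirection noted above does not split the detection.

```python
"""Behavioural triage for the omsecor.exe chain in this report.

Added example; not tria.ge code. The event schema is hypothetical and the two
drops of the Roaming copy are assumed; PIDs and paths are from the report.
"""
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events in the order the sandbox reports them.
EVENTS = [
    {"kind": "process", "pid": 2280, "ppid": 1000, "image": SAMPLE},
    {"kind": "reg_open", "pid": 2280, "key": NLS_KEY},
    {"kind": "file_create", "pid": 2280, "path": ROAMING},      # assumed drop
    {"kind": "proc_write", "pid": 2280, "target": 2904},
    {"kind": "process", "pid": 2904, "ppid": 2280, "image": ROAMING},
    {"kind": "file_create", "pid": 2904, "path": SYSWOW},       # from the report
    {"kind": "reg_open", "pid": 2904, "key": NLS_KEY},
    {"kind": "proc_write", "pid": 2904, "target": 1868},
    {"kind": "process", "pid": 1868, "ppid": 2904, "image": SYSWOW},
    {"kind": "file_create", "pid": 1868, "path": ROAMING},      # assumed drop
    {"kind": "reg_open", "pid": 1868, "key": NLS_KEY},
    {"kind": "proc_write", "pid": 1868, "target": 1668},
    {"kind": "process", "pid": 1668, "ppid": 1868, "image": ROAMING},
    {"kind": "reg_open", "pid": 1668, "key": NLS_KEY},
]

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Both spellings: a 32-bit process writing to System32 on x64 lands in SysWOW64.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def process_chain(events, root_pid):
    """Images in spawn order, following first-child links from root_pid."""
    image, children = {}, {}
    for e in events:
        if e["kind"] == "process":
            image[e["pid"]] = e["image"]
            children.setdefault(e["ppid"], []).append(e["pid"])
    chain, pid = [], root_pid
    while pid in image:
        chain.append(image[pid])
        kids = children.get(pid)
        if not kids:
            break
        pid = kids[0]  # one child per hop in this report
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for behaviour of tainted processes."""
    image, tainted_pids, tainted_paths, findings = {}, set(), set(), []
    for e in events:
        pid = e["pid"]
        if e["kind"] == "process":
            img = e["image"]
            image[pid] = img
            if img.lower() in tainted_paths:            # runs a file a tainted process wrote
                tainted_pids.add(pid)
                findings.append(("executes_dropped_exe", pid, img))
            elif is_user_writable(img):                 # the initial sample
                tainted_pids.add(pid)
                findings.append(("exec_from_user_writable", pid, img))
            elif e["ppid"] in tainted_pids:             # spawned by a tainted parent
                tainted_pids.add(pid)
            continue
        if pid not in tainted_pids:
            continue                                    # ignore benign processes
        if e["kind"] == "file_create":
            tainted_paths.add(e["path"].lower())
            if is_system_dir(e["path"]):
                findings.append(("drops_file_in_system_dir", pid, e["path"]))
        elif e["kind"] == "reg_open" and e["key"].lower().endswith("\\control\\nls\\language"):
            findings.append(("language_discovery", pid, e["key"]))
        elif e["kind"] == "proc_write":
            findings.append(("cross_process_write", pid, e["target"]))
    return findings


def summary(events):
    """Rule -> count, comparable to the IoC counts in the report's signature list."""
    return dict(Counter(rule for rule, _, _ in detect(events)))


if __name__ == "__main__":
    print(" -> ".join(process_chain(EVENTS, 2280)))
    for finding in detect(EVENTS):
        print(finding)
```

The report counts 12 WriteProcessMemory IoCs because each call is logged four times; the example records one `cross_process_write` per parent/child pair, so three edges for the same chain. On a real host the same rules apply to Sysmon or EDR telemetry once the events are mapped onto this schema.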
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 76KB
MD5: ec8fa177728ecbde3bbcc7e74e91ca62
SHA1: 6f90c073c883095b2a88c09910bca8515d7ccf2c
SHA256: 1c7c0c18f3d7f4e2957298dceb63afd7001c36db9079b44b3ac0fe8087db5c47
SHA512: ee2849ef0471d748f32694e9b13309bd167aae8f6205dcb914db309e064ef92c33995bf40fd043cd788fef9f54b93ac36cbb6f8430e8b31e0bd9187f92b81ff7

Filesize: 76KB
MD5: e82fb72d9232e45518e88ef92a09affb
SHA1: 4d4c1557630d60f88aa6f25ceb8574f2e01e0cac
SHA256: f871547f02043169fc839f6029371fa029826b901971db6210441a922a5ab628
SHA512: 5216404853fa7609dcabe7d23cbbbc5b2d5968b168d453ded8883e034d0e6ca5af13cff4a8c3c1170eb1384e470fb1179bc850be6a173d9579549b5b3576db34

Filesize: 76KB
MD5: ad04f90e49db2b3746e3e8b691e4793a
SHA1: 9b5facac25f6ef6201a94b23bc1201fee67acc47
SHA256: f5cfae2809bea7a35f59bb8d77886de09dc92d0dde82c89157cae2879760bad2
SHA512: c587239867cf1ac01e9ddc8bbbd66e5d6f00ad729972a49c0e14c0837bda8cc0faa724c002030155a922ac91f4b6cff0ab621e99dfb809e9115cfa0278589ed3
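The three dropped files are the same size as the sample but carry three different hash sets, so a hunt on the submitted sample's hashes alone would miss every copy on disk; the extracted URLs are the other atomic indicators the report gives. The script below is an added example, not tria.ge code, that turns both into a matcher: the hash and URL lists are copied from the report, while the file inventory records and proxy log lines it runs against are constructed here (the line format, the client addresses and the `cdn.lousta.net` host are illustrative). It accepts digests in any case and of any of the three lengths, matches a C2 domain on the exact host or any subdomain, and can hash a raw blob so the check works on a file as well as on a feed that only carries one digest type.

```python
"""Atomic IoC matcher for the indicators in this report.

Added example, not tria.ge code. Hashes and URLs are from the report; the
inventory and proxy log below are constructed.
"""
import hashlib
from urllib.parse import urlsplit

KNOWN_HASHES = {
    # submitted sample
    "6351bf0b2c857a252d51c3442c498476",
    "684e30fb9169d36080114ae44ece8e9d206675a1",
    "2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea",
    # dropped omsecor.exe, three distinct builds (MD5, SHA1, SHA256 each)
    "ec8fa177728ecbde3bbcc7e74e91ca62",
    "6f90c073c883095b2a88c09910bca8515d7ccf2c",
    "1c7c0c18f3d7f4e2957298dceb63afd7001c36db9079b44b3ac0fe8087db5c47",
    "e82fb72d9232e45518e88ef92a09affb",
    "4d4c1557630d60f88aa6f25ceb8574f2e01e0cac",
    "f871547f02043169fc839f6029371fa029826b901971db6210441a922a5ab628",
    "ad04f90e49db2b3746e3e8b691e4793a",
    "9b5facac25f6ef6201a94b23bc1201fee67acc47",
    "f5cfae2809bea7a35f59bb8d77886de09dc92d0dde82c89157cae2879760bad2",
}
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_DOMAINS = {urlsplit(u).hostname for u in C2_URLS}

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalize_hash(value):
    """Lower-case a hex digest; reject anything that is not MD5/SHA1/SHA256/SHA512."""
    h = value.strip().lower()
    if len(h) not in HEX_LENGTHS or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a hex digest: {value!r}")
    return h


def digests(data):
    """MD5, SHA1 and SHA256 of a blob, so a match works whichever one a feed carries."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in ("md5", "sha1", "sha256")}


def blob_is_known(data):
    return any(d in KNOWN_HASHES for d in digests(data).values())


def hash_hits(inventory):
    """inventory: iterable of (path, digest) pairs, e.g. from an EDR file inventory."""
    return [(path, normalize_hash(h)) for path, h in inventory if normalize_hash(h) in KNOWN_HASHES]


def domain_matches(host):
    """Exact host or any subdomain of an extracted C2 domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def proxy_hits(lines):
    """lines: 'timestamp client METHOD url status' records (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        host = urlsplit(parts[3]).hostname
        if host and domain_matches(host):
            hits.append((parts[1], host))
    return hits


# Constructed inputs: one hit of each kind plus benign noise.
INVENTORY = [
    (r"C:\Users\Admin\AppData\Roaming\omsecor.exe", "F871547F02043169FC839F6029371FA029826B901971DB6210441A922A5AB628"),
    (r"C:\Windows\SysWOW64\omsecor.exe", "ad04f90e49db2b3746e3e8b691e4793a"),
    (r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]
PROXY_LOG = [
    "2025-01-15T22:03:01Z 10.0.0.5 GET http://ow5dirasuek.com/ 200",
    "2025-01-15T22:03:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2025-01-15T22:03:03Z 10.0.0.7 POST http://cdn.lousta.net/ 503",
]

if __name__ == "__main__":
    print(hash_hits(INVENTORY))
    print(proxy_hits(PROXY_LOG))
```

Hash matches are exact by nature, so the SSDEEP value from the General section is the indicator to reach for when a fourth build of omsecor.exe shows up with yet another hash set; the domain matcher is the part worth keeping in a blocklist, since the C2 hosts are shared across all three builds.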