Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2025, 13:38
Behavioral task: behavioral1
Sample: e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
Resource: win7-20240903-en
General
- Target: e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
- Size: 80KB
- MD5: 6ed735df8a85a7804ab3b68feb080ea0
- SHA1: 554b7583869485fb2194f1cb465bb9421906455b
- SHA256: e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644
- SHA512: 47ae9f7057b41dcc8fd51ada7fa71ee381a76f57ec02cc1bc039de3529a670b63d6c47df8d4d86a22c1bcb5af70874a02fdd8f4b27930ef5f875e7d3e183e673
- SSDEEP: 1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:gdseIOMEZEyFjEOFqTiQmOl/5xPvwN
Malware Config
Extracted
Family: neconyd
C2:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (3 IoCs)
  pid   Process
  3060  omsecor.exe
  2056  omsecor.exe
  1988  omsecor.exe

- Loads dropped DLL (6 IoCs)
  pid   Process
  2312  e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
  2312  e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
  3060  omsecor.exe
  3060  omsecor.exe
  2056  omsecor.exe
  2056  omsecor.exe

- Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2312 wrote to memory of 3060   2312  e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe  31
  PID 2312 wrote to memory of 3060   2312  e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe  31
  PID 2312 wrote to memory of 3060   2312  e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe  31
  PID 2312 wrote to memory of 3060   2312  e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe  31
  PID 3060 wrote to memory of 2056   3060  omsecor.exe                                                              33
  PID 3060 wrote to memory of 2056   3060  omsecor.exe                                                              33
  PID 3060 wrote to memory of 2056   3060  omsecor.exe                                                              33
  PID 3060 wrote to memory of 2056   3060  omsecor.exe                                                              33
  PID 2056 wrote to memory of 1988   2056  omsecor.exe                                                              34
  PID 2056 wrote to memory of 1988   2056  omsecor.exe                                                              34
  PID 2056 wrote to memory of 1988   2056  omsecor.exe                                                              34
  PID 2056 wrote to memory of 1988   2056  omsecor.exe                                                              34
Processes (tree, each entry spawned by the one above it)

1. C:\Users\Admin\AppData\Local\Temp\e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe (PID 2312)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3060)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 2056)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1988)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 80KB
  MD5: 9cf1fe789a63984248ecda8302d6fedc
  SHA1: 77fd36a0f93197ba5fb7d0b50d273f35489fc556
  SHA256: 8e4314f4e5d6839ee6985a1e54cfd250afbb784551d9bb00a01795260c2d2b72
  SHA512: e51ccdc84853d207ea4fe15ce914b5c45a1a1c3ba23774f41a65180410becd02722ebe9454735aaa62b9166b7aa573b9e776651f71daa13456d14b2909244bc4

- Filesize: 80KB
  MD5: a01a14e859666334f77b2c9f5c3026d3
  SHA1: 7cca57f67cf3e56529836da2e590122b6489784c
  SHA256: 1dbebb167fa3c1e7e8dbfc8ac2f0f86d4db1722c990567fa014a3edd2fdf4f0a
  SHA512: f7c9b78a23d2f43ad39251c0fe3a635c9f644894ca54e2bd6b8c85f19ce3d88ab31d692b3475af296f3728365ca74fbb0b1361410cc655b8ca79709504ce0fce

- Filesize: 80KB
  MD5: 84996626a68638f3bffbe68af76705b5
  SHA1: 41f60168ed8403f49ff10618788999e5bdad27c2
  SHA256: d681341901f73bb308b9ac8dc8e36a2cf4fbb7a6c2a0170b8ad8b01d68fd51c3
  SHA512: e4c26f36e1f97438eedf1031946cab4fcdddf71e34e54ec0e651fcb0d2395048136c398edd8da729c59b57023a334e428bb79777cf325f6ee8a980f541449326