Analysis
- max time kernel: 119s
- max time network: 113s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2025, 14:50
Behavioral task: behavioral1
- Sample: 662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
- Resource: win7-20240903-en
General
- Target: 662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
- Size: 76KB
- MD5: 4da380879d70fbcf230ed358131d352a
- SHA1: 02a0535a9e16715dcb4b7ce607fc1de765e3a7ba
- SHA256: 662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944
- SHA512: 56d9188446c96e1da11bf9aa7252796030c4b03c4be9b163ffda30de25587444f6f77658de7054045f356e56cfa6eb68530321f9d15748893d96d9326309c89c
- SSDEEP: 768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:VbIvYvZEyFKF6N4yS+AQmZTl/5Ob
Malware Config
Extracted configuration, family: neconyd
URLs extracted from the sample:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  PID   Process
  2784  omsecor.exe
  1148  omsecor.exe
  1044  omsecor.exe
- Loads dropped DLL (6 IoCs)
  PID   Process
  2716  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
  2716  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
  2784  omsecor.exe
  2784  omsecor.exe
  1148  omsecor.exe
  1148  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                 procid_target
  PID 2716 wrote to memory of 2784  2716  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe  30
  PID 2716 wrote to memory of 2784  2716  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe  30
  PID 2716 wrote to memory of 2784  2716  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe  30
  PID 2716 wrote to memory of 2784  2716  662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe  30
  PID 2784 wrote to memory of 1148  2784  omsecor.exe                                                             33
  PID 2784 wrote to memory of 1148  2784  omsecor.exe                                                             33
  PID 2784 wrote to memory of 1148  2784  omsecor.exe                                                             33
  PID 2784 wrote to memory of 1148  2784  omsecor.exe                                                             33
  PID 1148 wrote to memory of 1044  1148  omsecor.exe                                                             34
  PID 1148 wrote to memory of 1044  1148  omsecor.exe                                                             34
  PID 1148 wrote to memory of 1044  1148  omsecor.exe                                                             34
  PID 1148 wrote to memory of 1044  1148  omsecor.exe                                                             34
Processes (process tree; indentation shows the parent/child relationship)

Depth 1: C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe"
  PID: 2716
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2784
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1148
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1044
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)

Dropped file 1
- Filesize: 76KB
- MD5: d47b327fea566cbee5e9cc21398a8f1b
- SHA1: 6730610cdc25b214f6772b6c5a93848406b19e37
- SHA256: cc4c5ff639447989c67ed504f40d652712ec290446439404037718dba23ad4f2
- SHA512: 7c48e0511f1ed0f7af9e9fe50ba80e4388eadc4b3e1e50fabd1f2ed2120d4c1514bd7fa32c1dd4e646828696dcd2eba239d122697786cee82c96ceafe4dfa359

Dropped file 2
- Filesize: 76KB
- MD5: 1399e86def1b539655f8c31bf1bfe893
- SHA1: 0351d57d9c754154a295095932e35909817eb26e
- SHA256: 89117b1691c4dfb96c338293f0c18eb5e4b830ff7c73e2297416e1d27dd8cca9
- SHA512: 85c1b9fe5206435b94042963d35312e5ebfc7cf01ba6b0bea5e3c88fc4d74038805f84848abf806c2595d0d0e0e262c690dde0077d0c957d2e8b16f78c517b69

Dropped file 3
- Filesize: 76KB
- MD5: b604db7ec1a0f6aa1e4cbbddc9f626d7
- SHA1: f80ea3ba1ddd1d985f99eba7e0d8ae46af60ea58
- SHA256: 5c94471e8954a435a68131e1f39911523f8cad87e65c00395d44e935bdead0d6
- SHA512: a42a9d495eee7fdc40d594178cbc85cb6b368999fa1f55048ffe6d3274485aabf4587d8be7f121a676011a3004b07d4ee7c5c5f753f9269be309927e38af41b6