Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2025, 18:17
Behavioral task: behavioral1
Sample: 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
Resource: win7-20240729-en
General
Target: 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
Size: 61KB
MD5: 0ae69dcd82d19b6198b367d47664d750
SHA1: 2fdcf486e68cfe5f84bcc8ef8f1fc465606b59ec
SHA256: 9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903
SHA512: 21a751134ba8eaad85cb87800100a4ba0cc92b89a060efbd276f29d005c9d1ed229389b73cbb18970bb902f47d638fd7d58b5c77de4fe4a31197166a2dd82044
SSDEEP: 1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5:kdseIOMEZEyFjEOFqTiQmxl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2096  omsecor.exe
  1592  omsecor.exe
  2044  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2172  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
  2172  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
  2096  omsecor.exe
  2096  omsecor.exe
  1592  omsecor.exe
  1592  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2172 wrote to memory of 2096   2172  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe  30
  PID 2172 wrote to memory of 2096   2172  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe  30
  PID 2172 wrote to memory of 2096   2172  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe  30
  PID 2172 wrote to memory of 2096   2172  9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe  30
  PID 2096 wrote to memory of 1592   2096  omsecor.exe                                                              33
  PID 2096 wrote to memory of 1592   2096  omsecor.exe                                                              33
  PID 2096 wrote to memory of 1592   2096  omsecor.exe                                                              33
  PID 2096 wrote to memory of 1592   2096  omsecor.exe                                                              33
  PID 1592 wrote to memory of 2044   1592  omsecor.exe                                                              34
  PID 1592 wrote to memory of 2044   1592  omsecor.exe                                                              34
  PID 1592 wrote to memory of 2044   1592  omsecor.exe                                                              34
  PID 1592 wrote to memory of 2044   1592  omsecor.exe                                                              34
Processes
1. C:\Users\Admin\AppData\Local\Temp\9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe"
   PID: 2172
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2096
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1592
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2044
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

Note on step 3: the command line names C:\Windows\System32\omsecor.exe but the image that runs is C:\Windows\SysWOW64\omsecor.exe. The sample is 32-bit (resource tag arch:x86) on an x64 guest, so WOW64 file system redirection maps its System32 writes and opens to SysWOW64; the "Drops file in System32 directory" signature above therefore refers to the SysWOW64 copy, and detections keyed on the literal System32 path will miss it.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61KB
  MD5: e79d88550735b96a1e0d4491ab9c9715
  SHA1: 088cead7714ed496d754b592d80ebc46812ef038
  SHA256: ab1ce3ce1fb24f8ecf9e3b3709f749c0113c912e7f6950829ba955e14de27a04
  SHA512: fb660c37cbf061554075bc5d5ab25d0387bc8f49d5b7b796a8e8a3378087e6bb06eb12d98b2e1e0a4cc6e3d2c6dd437c117dff7d81f33e018751ad8c1c784820
- Filesize: 61KB
  MD5: cd48fe3ad3a85f7c74f04d8d2fa05fa8
  SHA1: 9b696c4f5e288eec9ab978a6759b7c71a75ffed2
  SHA256: c9492cf7d9128c374d9946a113951a7c77b2e1c4a8dcca47f5540d184acda7a5
  SHA512: 01f01cb6ccadbaaf583fd0eb573fdbc4f0b7ad4ecc8ec195201dbb9697eee4cc24eb6fc4aa7043b5a0f64803eeee2238c2b3cf59d7610bd1dd740c249d40655a
- Filesize: 61KB
  MD5: 1e38e96393fb7eaa5bea6c3581fef21c
  SHA1: a4e910e676a0c6f91f4ce3f783a246ffa846b5d6
  SHA256: f4744d0cacd11dc66dc970f9d0a12f04f5f758c6202ea9f1102a6d26361e1f40
  SHA512: 6c62896b2f54440075bc969c65db83f48c7c6e2564b76a1cd038820cc954b3e3a6b3916401c052e26b10e55307f5493fbf4dadeb1b3ac0baaaf7d51ee6479458
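The behaviours recorded above (omsecor.exe written to the Roaming profile and to SysWOW64, the omsecor.exe -> omsecor.exe relaunch chain in the WriteProcessMemory IoCs, the three C2 hosts in Malware Config, and the sample and dropped-file SHA256s) reduce to a handful of host detection rules. The Python below is an added example, not code from the tria.ge report or its tooling: it runs those rules over simplified Sysmon-style process, file and DNS records and returns the alerts. The record layout, the explorer.exe parent, the hashes attached to events, the benign notepad.exe/www.example.com records and the DNS query are constructed assumptions (the report's Network section is empty); the PIDs, paths, hostnames and hashes are taken from this page.

```python
"""Match Sysmon-style process, file and DNS events against the Neconyd IoCs
in this report. Added example; not code from the tria.ge report or its tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IoCs transcribed from the report: C2 hosts (Malware Config), the submitted
# sample's SHA256 (General) and the three dropped-file SHA256s (Downloads).
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
SAMPLE_SHA256 = "9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903"
DROPPED_SHA256 = {
    "ab1ce3ce1fb24f8ecf9e3b3709f749c0113c912e7f6950829ba955e14de27a04",
    "c9492cf7d9128c374d9946a113951a7c77b2e1c4a8dcca47f5540d184acda7a5",
    "f4744d0cacd11dc66dc970f9d0a12f04f5f758c6202ea9f1102a6d26361e1f40",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}

# omsecor.exe in the two locations the process tree shows. System32 is also
# accepted: the 32-bit sample names that path and WOW64 file system
# redirection maps it to SysWOW64 on the x64 host.
OMSECOR_RE = re.compile(
    r"\\(AppData\\Roaming|SysWOW64|System32)\\omsecor\.exe$", re.IGNORECASE)

Alert = Tuple[str, int, str]  # (rule name, pid, detail)


@dataclass
class Event:
    """Simplified Sysmon-like telemetry record (field set is an assumption)."""
    kind: str              # "process" (creation), "file" (write) or "dns" (query)
    pid: int
    image: str = ""        # image path of the created process
    parent_pid: int = 0
    parent_image: str = ""
    target: str = ""       # written file path, or queried hostname
    sha256: str = ""       # hash of the image or written file, if known


def check_event(ev: Event) -> List[Alert]:
    alerts: List[Alert] = []
    if ev.kind == "process":
        if OMSECOR_RE.search(ev.image):
            alerts.append(("omsecor_exec", ev.pid, ev.image))
            # omsecor.exe spawning omsecor.exe is the relaunch chain the
            # WriteProcessMemory IoCs show (2096 -> 1592 -> 2044).
            if OMSECOR_RE.search(ev.parent_image):
                alerts.append(("omsecor_chain", ev.pid, f"{ev.parent_pid} -> {ev.pid}"))
        if ev.sha256 and ev.sha256.lower() in KNOWN_SHA256:
            alerts.append(("known_hash", ev.pid, ev.sha256))
    elif ev.kind == "file":
        if OMSECOR_RE.search(ev.target):
            alerts.append(("omsecor_dropped", ev.pid, ev.target))
        if ev.sha256 and ev.sha256.lower() in KNOWN_SHA256:
            alerts.append(("known_hash", ev.pid, ev.sha256))
    elif ev.kind == "dns":
        host = ev.target.lower().rstrip(".")
        # The C2 host itself or any subdomain of it.
        if host in C2_HOSTS or any(host.endswith("." + c2) for c2 in C2_HOSTS):
            alerts.append(("c2_dns", ev.pid, host))
    return alerts


def scan(events: List[Event]) -> List[Alert]:
    return [a for ev in events for a in check_event(ev)]


def rule_counts(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for rule, _, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed events mirroring the report's process tree. The explorer.exe
# parent, the hashes on events, the notepad/example.com records and the DNS
# query are constructed; PIDs and paths are the report's.
SAMPLE_IMG = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe")
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"
SYSWOW = "C:\\Windows\\SysWOW64\\omsecor.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
SAMPLE_EVENTS = [
    Event("process", 2172, SAMPLE_IMG, 1400, EXPLORER, sha256=SAMPLE_SHA256),
    Event("file", 2172, target=ROAMING,
          sha256="ab1ce3ce1fb24f8ecf9e3b3709f749c0113c912e7f6950829ba955e14de27a04"),
    Event("process", 2096, ROAMING, 2172, SAMPLE_IMG),
    Event("file", 2096, target=SYSWOW),
    Event("process", 1592, SYSWOW, 2096, ROAMING),
    Event("process", 2044, ROAMING, 1592, SYSWOW),
    Event("dns", 2044, target="ow5dirasuek.com"),
    Event("process", 3001, "C:\\Windows\\System32\\notepad.exe", 1400, EXPLORER),
    Event("dns", 3001, target="www.example.com"),
]

if __name__ == "__main__":
    for rule, pid, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:16} pid={pid:<5} {detail}")
```

Run against the constructed events it yields ten alerts across the five rules and nothing for the benign records. The path rule deliberately accepts System32 as well as SysWOW64 so that telemetry which records the pre-redirection path the 32-bit process used (as the command line in step 3 of the process tree does) still matches; the hash rule is the weakest of the set, since each of the three dropped copies already carries a different hash.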