Analysis
max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2025, 20:14
Behavioral task: behavioral1
Sample: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
Resource: win7-20241010-en
General
Target: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
Size: 80KB
MD5: 2280a07398f9229442d8919d4c3322d2
SHA1: 6b2168f604b5536f8a8b79c93edacf5fa5614d8d
SHA256: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8
SHA512: f783a9234a6b9d461192e3843c1a803ecb68eb667ddf5b273d9bfc484290d895b828b228d39b59b07f92a4efac627fcc560183b2cbb3917ec37b193b64227c56
SSDEEP: 1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwz5:MdseIOMEZEyFjEOFqTiQmOl/5xPvwl
Malware Config
Extracted
Family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (2 IoCs)
  PID   Process
  2868  omsecor.exe
  2152  omsecor.exe

Loads dropped DLL (4 IoCs)
  PID   Process
  2824  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
  2824  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
  2868  omsecor.exe
  2868  omsecor.exe

Drops file in System32 directory (2 IoCs)
  Description                   IoC                              Process
  File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Description                       PID   Process                                                                   procid_target
  PID 2824 wrote to memory of 2868  2824  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe  30
  PID 2824 wrote to memory of 2868  2824  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe  30
  PID 2824 wrote to memory of 2868  2824  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe  30
  PID 2824 wrote to memory of 2868  2824  ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe  30
  PID 2868 wrote to memory of 2152  2868  omsecor.exe                                                               33
  PID 2868 wrote to memory of 2152  2868  omsecor.exe                                                               33
  PID 2868 wrote to memory of 2152  2868  omsecor.exe                                                               33
  PID 2868 wrote to memory of 2152  2868  omsecor.exe                                                               33
Processes
1  C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe (PID 2824)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2868)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\omsecor.exe (PID 2152)
         Command line: C:\Windows\System32\omsecor.exe
         (The command line names System32 while the image runs from SysWOW64: the dropped binary is 32-bit, so WOW64 file-system redirection maps its System32 accesses to SysWOW64 on this x64 image. The same redirection is why the "Drops file in System32 directory" signature lists SysWOW64 paths.)
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
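The signatures, process tree and extracted config above amount to a small indicator set: three file hashes, three drop paths, the NLS\Language registry key and three config URLs. The Python below is an added example, not code from the Triage report or from Neconyd, that turns those indicators into a hunting check over Sysmon-style events. The events at the bottom are constructed for the example (field names follow Sysmon's ProcessCreate, FileCreate, RegistryEvent and DnsQuery records, but nothing was captured from a real host); the two hashes in the Downloads section are assumed to be the two dropped omsecor.exe copies, and the sandbox user name Admin is generalised to a wildcard. It also folds the System32 and SysWOW64 spellings of the omsecor.exe path, since the tree shows the third process launched with a System32 command line but loaded from SysWOW64.

```python
"""Hunt for the Neconyd indicators from this Triage report across Sysmon-style events.

Added example; not code from the Triage report or from Neconyd. The event
records at the bottom are constructed for illustration: the field names follow
Sysmon (Image, CommandLine, TargetFilename, TargetObject, QueryName, Hashes) but
nothing here was captured from a real host.
"""
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the report.
SAMPLE_SHA256 = "ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8"
DROPPED_SHA256 = {  # Downloads section; assumed to be the two dropped omsecor.exe copies
    "7b5dc447e1273b6754678ed977fa3b5e5b96b5207da7df83ca2847bce9502ba8",
    "244190f20968145ca545830b90d270c03ab7ec3f6f6a9bc63abad13c9789a991",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
# Drop paths from the report; the profile name (Admin in the sandbox) becomes a wildcard.
DROP_PATHS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$"),
    re.compile(r"^c:\\windows\\syswow64\\omsecor\.exe$"),
    re.compile(r"^c:\\windows\\syswow64\\merocz\.xc6$"),
]
# Triage prints the key as \REGISTRY\MACHINE\...; Sysmon logs it as HKLM\...
LANG_KEY = "hklm\\system\\controlset001\\control\\nls\\language"


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes, and fold System32 onto SysWOW64.

    The report's process tree shows the third process launched with the command
    line C:\\Windows\\System32\\omsecor.exe while its image is
    C:\\Windows\\SysWOW64\\omsecor.exe: WOW64 file-system redirection sends a
    32-bit process's System32 accesses to SysWOW64 on x64 Windows. Folding both
    spellings lets one pattern match whichever field the log happened to record.
    """
    p = path.strip().strip('"').lower()
    return p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def sha256_from_hashes(field: str) -> Optional[str]:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def _is_drop_path(p: str) -> bool:
    return any(pat.match(p) for pat in DROP_PATHS)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return one reason string per indicator the event matches (empty list = clean)."""
    hits: List[str] = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        sha = sha256_from_hashes(ev.get("Hashes", ""))
        if sha in KNOWN_SHA256:
            hits.append(f"known Neconyd SHA256 {sha}")
        for field in ("Image", "CommandLine"):
            p = normalize_path(ev.get(field, ""))
            if _is_drop_path(p):
                hits.append(f"{field} is a Neconyd drop path: {p}")
    elif kind == "FileCreate":
        p = normalize_path(ev.get("TargetFilename", ""))
        if _is_drop_path(p):
            hits.append(f"Neconyd artefact written: {p}")
    elif kind == "RegistryEvent":
        # Reading NLS\Language is ordinary for benign software (the report files it
        # as a discovery TTP), so it only counts when the reader is the dropped binary.
        image = normalize_path(ev.get("Image", ""))
        if ev.get("TargetObject", "").lower() == LANG_KEY and image.endswith("\\omsecor.exe"):
            hits.append("omsecor.exe read NLS\\Language (corroborating discovery TTP)")
    elif kind == "DnsQuery":
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in C2_HOSTS:
            hits.append(f"DNS query for Neconyd config host {name}")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through match_event; return (event index, reason) pairs."""
    return [(i, reason) for i, ev in enumerate(events) for reason in match_event(ev)]


# Constructed events mirroring the report's chain, followed by two benign decoys.
_TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe"
_ROAM = "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"
_SYS = "C:\\Windows\\SysWOW64\\omsecor.exe"
_LANG = "HKLM\\System\\ControlSet001\\Control\\NLS\\Language"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": _TMP, "CommandLine": f'"{_TMP}"',
     "Hashes": "MD5=2280A07398F9229442D8919D4C3322D2,SHA256=" + SAMPLE_SHA256.upper()},
    {"EventType": "FileCreate", "Image": _TMP, "TargetFilename": _ROAM},
    {"EventType": "ProcessCreate", "Image": _ROAM, "CommandLine": _ROAM,
     "Hashes": "SHA256=7b5dc447e1273b6754678ed977fa3b5e5b96b5207da7df83ca2847bce9502ba8"},
    {"EventType": "FileCreate", "Image": _ROAM, "TargetFilename": _SYS},
    {"EventType": "ProcessCreate", "Image": _SYS, "CommandLine": "C:\\Windows\\System32\\omsecor.exe",
     "Hashes": "SHA256=244190f20968145ca545830b90d270c03ab7ec3f6f6a9bc63abad13c9789a991"},
    {"EventType": "RegistryEvent", "Image": _SYS, "TargetObject": _LANG},
    {"EventType": "DnsQuery", "Image": _SYS, "QueryName": "ow5dirasuek.com."},
    {"EventType": "RegistryEvent", "Image": "C:\\Windows\\explorer.exe", "TargetObject": _LANG},
    {"EventType": "DnsQuery", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Running the block flags the seven events that reproduce the report's chain and stays silent on the two decoys; the explorer.exe read of NLS\Language is deliberately ignored, since that key is read by plenty of legitimate software and only corroborates a hit on the dropped binary itself. Matching on both Image and CommandLine is what keeps the System32/SysWOW64 discrepancy from costing a detection.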
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 80KB
MD5: 64efa7b9e6ff61e955ebd00c872a3584
SHA1: 4735f167299693ba8e9f9d8bee780f69acbdeb8b
SHA256: 7b5dc447e1273b6754678ed977fa3b5e5b96b5207da7df83ca2847bce9502ba8
SHA512: 905dcfb5792212c1e6763cc43253cde8a2c9ac0e8ba733e8079663521d48fee3b4907812a6cf3596de36ae39c0edecfb2cefaa1af35ee6c222bb594e9cba360c

File 2
Filesize: 80KB
MD5: 287dd26dbb1206a8272e5eba61261c4c
SHA1: 4576104597ac28cd936b41891fcb4f6b2fe30b1c
SHA256: 244190f20968145ca545830b90d270c03ab7ec3f6f6a9bc63abad13c9789a991
SHA512: 1071e4a70113abde3c6c70d4d14c82fe7c1728c55f8ac60649aa0be22fe8f6ad5dc46e01092bf022f650c1cc3b1a631b1abcb5effbfd6d31317e117505490499