Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2025, 22:06
Behavioral task: behavioral1
- Sample: 269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
- Resource: win7-20241010-en
General
- Target: 269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
- Size: 65KB
- MD5: 12837701a685d2ba352082487de57f85
- SHA1: 0d292469a0d5ee7cddb0ab8fe184bc22b9cab876
- SHA256: 269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422
- SHA512: ed2347e9ee9115a39bfff507ca665b655fc2e41dc2b9c6ef703afe13108964cd9da76d79cc71fbf4fa1ad0a522bba81f0a402fe315f76be6bce003ebf48c0356
- SSDEEP: 1536:Ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:sdseIO+EZEyFjEOFqTiQmRHzl
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2916  omsecor.exe
  1332  omsecor.exe
  3068  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1820  269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
  1820  269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
  2916  omsecor.exe
  2916  omsecor.exe
  1332  omsecor.exe
  1332  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1820 wrote to memory of 2916  1820  269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe  29
  PID 1820 wrote to memory of 2916  1820  269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe  29
  PID 1820 wrote to memory of 2916  1820  269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe  29
  PID 1820 wrote to memory of 2916  1820  269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe  29
  PID 2916 wrote to memory of 1332  2916  omsecor.exe                                                               31
  PID 2916 wrote to memory of 1332  2916  omsecor.exe                                                               31
  PID 2916 wrote to memory of 1332  2916  omsecor.exe                                                               31
  PID 2916 wrote to memory of 1332  2916  omsecor.exe                                                               31
  PID 1332 wrote to memory of 3068  1332  omsecor.exe                                                               32
  PID 1332 wrote to memory of 3068  1332  omsecor.exe                                                               32
  PID 1332 wrote to memory of 3068  1332  omsecor.exe                                                               32
  PID 1332 wrote to memory of 3068  1332  omsecor.exe                                                               32
Processes
1. C:\Users\Admin\AppData\Local\Temp\269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe"
   PID: 1820
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2916
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1332
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3068
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 65KB
  MD5: e0ba6b89326454c613cdd789ba521c55
  SHA1: 4ff47d99ae6a85c378aea320b5603766a6d40078
  SHA256: 651ff0bcf533a0b074e90290e36fdeac5c5b41366256cf4dd67d645476538093
  SHA512: 0ec95d92446e50130981a8237e6e70bafc8aea6a33e4a5c40e0d0dc45feba24d0d82e1b1ffb5fd982ff69b0a3ea47c9660deda163f66849ab13edb6be1b5fb86
- Dropped file 2
  Filesize: 65KB
  MD5: c8b7ec2ac51daec071c8d144d7f6f028
  SHA1: dafe9c2b4279bcf3870c4ebeceefc6b6db032364
  SHA256: 2e6c841ed98cd996a62ec4c620d412020eefe36dfb72a77539688b0f2d20baf8
  SHA512: 6070f0cf09ddd4a1acc8b89a2f7b9eab98eb3e411b78e229d6c63b15c1a284a7af6dcc5c6e3c4d7253fbc67dd9cacb5871e7870e0f6d140f4a90889b4bb096c2
- Dropped file 3
  Filesize: 65KB
  MD5: 399e74807d7497a0bad82e34e2321e8f
  SHA1: db43df40e2de5864ac2e51c6f382954b5f6dd8f9
  SHA256: 72a644f892f190129dfcfdd63230bce080ec66b545f5117bda9c15ea8826427f
  SHA512: 237b8599c69cb14106d4d71c5177e8a48344155d2bda8f8733fd4a0b2d6e8c331f60693391191ca55cae95d89c91dfbfe3f8cf86bc829f89c6c33ef7a803dcfa