Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 11:04
Behavioral task
behavioral1
Sample
0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Resource
win7-20241010-en
General
Target: 0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Size: 80KB
MD5: b72d6e0501d41a0fcd53784f63d87880
SHA1: c371552655ece43bc7037d615057ff2cf57afafc
SHA256: 0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a
SHA512: 191374c4e0a25fd8c96919cf495d76d94788b44dbf08fdb6271ff086279c7d5615bcaba1ce02f060c0fe8078593824f5d13749f938b0bad0f1495ab4fb82f9df
SSDEEP: 1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:mdseIOMEZEyFjEOFqTiQmOl/5xPvw/
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
3032  omsecor.exe
2844  omsecor.exe
1136  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2304  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
2304  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
3032  omsecor.exe
3032  omsecor.exe
2844  omsecor.exe
2844  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                  procid_target
PID 2304 wrote to memory of 3032   2304  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe   31
PID 2304 wrote to memory of 3032   2304  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe   31
PID 2304 wrote to memory of 3032   2304  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe   31
PID 2304 wrote to memory of 3032   2304  0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe   31
PID 3032 wrote to memory of 2844   3032  omsecor.exe                                                              33
PID 3032 wrote to memory of 2844   3032  omsecor.exe                                                              33
PID 3032 wrote to memory of 2844   3032  omsecor.exe                                                              33
PID 3032 wrote to memory of 2844   3032  omsecor.exe                                                              33
PID 2844 wrote to memory of 1136   2844  omsecor.exe                                                              34
PID 2844 wrote to memory of 1136   2844  omsecor.exe                                                              34
PID 2844 wrote to memory of 1136   2844  omsecor.exe                                                              34
PID 2844 wrote to memory of 1136   2844  omsecor.exe                                                              34
Processes

1. C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe"
   PID: 2304
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of PID 2304)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3032
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (child of PID 3032)
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2844
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of PID 2844)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1136
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 1105a5530d3484899bac92604df40e4d
SHA1: ef081bef6e013dddd41ecb27ef59d9b41b249360
SHA256: fdde056d55fc0b08db4c54aa08224516e7832eb3f0fd16aadcf5b2fc179e3353
SHA512: ef86677ce4635679636b325cf37f9765c8ac529071e1eddfc061371be2169245fb6e25d7ccfeab3147f8e50423a4d544553244b71516ddd42dbe892255e4f091

Filesize: 80KB
MD5: 51a6e01a0b9d19446adedf4b2271f177
SHA1: e98ff35fec53e3cd49cba75f05569aa2ccca9734
SHA256: a5fe4bd97866ec42790cae321edabb3a28ec1ecf1b342ce5bd80677c5efebf55
SHA512: c5f10cb14a4f5e4bdb8f41981a1e121518c5f9ef8c5fad8eeff421b4f7b2bb1f059315458dc4c5d2ef4f9fdc286cb226d3b5a7dcb48b108c18b19d55478c2004

Filesize: 80KB
MD5: 4c82b8ecf9e0ffeba844bd47e2ebe10b
SHA1: 5a63e02794f6448446fe244d7740f89dd93de349
SHA256: 2fc8f53d136f3daee6cd7a12700e5bd95615d51c4ca588f4135cf7b9f2671a99
SHA512: 01df011745aea9d53b5348a7e50b0979b3b1f2f612b9382cdc5698342923e2453f3a9561699e6f4eb2f62e9c84acc847a3f3c46ff70bd7a85cf910ab9690ab9b