Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 23:26
Behavioral task
behavioral1
Sample
8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
Resource
win7-20240903-en
General
- Target: 8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
- Size: 72KB
- MD5: e834652c7d8b9c50ec3808e8120392b0
- SHA1: 4877b6cf5497b81a3a1e70854d64f63bc7d4fd69
- SHA256: 8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906f
- SHA512: b78e5d99e5ddb3afe7883054694bcdfc86a810620bb47e62eb6e86d93cae2394cfd447b64ee2de0d5a723fd692fbf5698a8fa64e59ddac5e44d3f2cc0f2dd784
- SSDEEP: 1536:9Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:jdseIOMEZEyFjEOFqTiQm5l/5211v
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
  pid   Process
  2912  omsecor.exe
  1840  omsecor.exe
  1144  omsecor.exe
-
Loads dropped DLL 6 IoCs
  pid   Process
  2072  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
  2072  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
  2912  omsecor.exe
  2912  omsecor.exe
  1840  omsecor.exe
  1840  omsecor.exe
-
Drops file in System32 directory 1 IoCs
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
  description                       pid   Process                                                                  procid_target
  PID 2072 wrote to memory of 2912  2072  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe  30
  PID 2072 wrote to memory of 2912  2072  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe  30
  PID 2072 wrote to memory of 2912  2072  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe  30
  PID 2072 wrote to memory of 2912  2072  8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe  30
  PID 2912 wrote to memory of 1840  2912  omsecor.exe                                                              33
  PID 2912 wrote to memory of 1840  2912  omsecor.exe                                                              33
  PID 2912 wrote to memory of 1840  2912  omsecor.exe                                                              33
  PID 2912 wrote to memory of 1840  2912  omsecor.exe                                                              33
  PID 1840 wrote to memory of 1144  1840  omsecor.exe                                                              34
  PID 1840 wrote to memory of 1144  1840  omsecor.exe                                                              34
  PID 1840 wrote to memory of 1144  1840  omsecor.exe                                                              34
  PID 1840 wrote to memory of 1144  1840  omsecor.exe                                                              34
Processes
- C:\Users\Admin\AppData\Local\Temp\8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2072
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2912
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1840
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1144
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 72KB
  MD5: f81810a12b8facfc00410541399bf630
  SHA1: 4022948bdc69efaf5c9f9d20b02d84c8f72385d6
  SHA256: 46e1d6b5bbd081143431128b858697035e6473cb76ca111d9a154b61a2d66744
  SHA512: f7beedc2ee5bf5a48a8b5a5d71aab8aa4095d46b0f8b027f9295bef3c3b9a667037ca232586e0eac39e4ec051fd26724482d971430d18564fee29c5e764f8c4b
- Filesize: 72KB
  MD5: 3bfd87464c55b144c56b3fc8f6652516
  SHA1: 638730eaac7a549746fac30878b9f747f4310626
  SHA256: 1cfdb331aa21c4e0d203a0483135f772d49f6073a31c5087e877f2fcaddf262b
  SHA512: 9bd6424b36a9e9cb9ec0c1063b31c035b2fab00322599ea755da3a3987aeb8f0169b989f20dfefd4d8c95945cabb8e42167489a91c2fff4b8a52ef59f5e7a0b2
- Filesize: 72KB
  MD5: e62a2efb904d6fc9c2f55c762a8bff90
  SHA1: 504dc8931ec4f42339774482a8d3f326838d7f79
  SHA256: e14d8b3654c2b927ad33b098b486bb8ea8731801c7c2f15fe39f89fc42bd836b
  SHA512: e7bd80256f5472b8b707e2d238dab46a538a9aea9b293455c70b82e6a822e2021dd2fec25d5cedcdee44b22922c293c45d70c024e90f098335c77aeb6cbf28d2