Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 00:06
Behavioral task
behavioral1
- Sample: 5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
- Resource: win7-20241010-en
General
- Target: 5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
- Size: 76KB
- MD5: e625719f383b6b647d52a79ca97e1340
- SHA1: c880a72b4edb2318640e08bc3c5d94ce2279280f
- SHA256: 5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02
- SHA512: f4e9a93ea055a58973e8adab385e2a01565206bfb657c4dcc36aff8341da27354df94a4bc95f257c988be0bd5cdd2ebf9bd41dc5d4baa92f77a9a5b1f97ecc78
- SSDEEP: 1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11b:XdseIOMEZEyFjEOFqaiQm5l/5w11b
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2856  omsecor.exe
  2728  omsecor.exe
  2396  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2796  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
  2796  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
  2856  omsecor.exe
  2856  omsecor.exe
  2728  omsecor.exe
  2728  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2796 wrote to memory of 2856   2796  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe  30
  PID 2796 wrote to memory of 2856   2796  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe  30
  PID 2796 wrote to memory of 2856   2796  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe  30
  PID 2796 wrote to memory of 2856   2796  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe  30
  PID 2856 wrote to memory of 2728   2856  omsecor.exe                                                               33
  PID 2856 wrote to memory of 2728   2856  omsecor.exe                                                               33
  PID 2856 wrote to memory of 2728   2856  omsecor.exe                                                               33
  PID 2856 wrote to memory of 2728   2856  omsecor.exe                                                               33
  PID 2728 wrote to memory of 2396   2728  omsecor.exe                                                               34
  PID 2728 wrote to memory of 2396   2728  omsecor.exe                                                               34
  PID 2728 wrote to memory of 2396   2728  omsecor.exe                                                               34
  PID 2728 wrote to memory of 2396   2728  omsecor.exe                                                               34
Processes
1. C:\Users\Admin\AppData\Local\Temp\5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe"
   PID: 2796
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2856
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2728
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2396
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76KB
  MD5: 7ee49d0d86e97854e51f91a421849168
  SHA1: 75b50ef899f91312cf359ec52ad3ba66a991019c
  SHA256: 0f2741b54aad10152414c3fbd48175dfd77bedf269f6ced5c104f75b431ebc94
  SHA512: 833c77342f6aa5b1d0bfdd2b9d7b2ab52c227c70fe8602081893a79aef61e4e6dfa36e10f8de3f3660cdf5da102df635357d21e8c2211a75f03ab9140472a6a1
- Filesize: 76KB
  MD5: 69424c5c06c21e81bc343c4a15fed719
  SHA1: 2545aeb62324271a46fec7b43aae031ad1adf97d
  SHA256: f2fc2eec15bf17b1a45b8c019f6541273a67ff3950ed86115b1eeb64e94cc47f
  SHA512: e24a49f8f1ccf522d97a4bf5dad923d1bb715080badb6181c536d3682945bfee6b108d8bf73a412e9b7766a9c27be1f7ffa3cd85fe3f25d86000b3a8e2123ed4
- Filesize: 76KB
  MD5: 51391bdcc6d571e55d6d653687d61d0e
  SHA1: f76d2f1d7ac5ab048da8927174a84c373cc144e7
  SHA256: 414719e5b4912f07f95028af055450380d49b47962befddf75ccf12e207c52ed
  SHA512: c9900e00960638e3d085e4886ded197d02c93b002d109c47f1f3ec8d1259f8472bd66e73e753797e46ca4c81dba782dc81a557d29e1d69cf294dcaea7ca3e46a