Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2025, 01:01
Behavioral task
behavioral1
Sample
781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
Resource
win7-20240903-en
General
Target: 781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
Size: 65KB
MD5: 21c540f78bdf821f2f1af733520c7ac0
SHA1: dad78580707815d02ef375d7e6645d13d388aaed
SHA256: 781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed
SHA512: dbcf9d5589010e6b9d7bfab28fcf4b4af413f6a31cd8e0e818751685cbd8e539b9eb9ea95df1e0052cd5e973cfaabfb33418b5b36393a51e2588ac347853b030
SSDEEP: 1536:hd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:RdseIO+EZEyFjEOFqTiQmRHzl
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (3 IoCs)
  pid   Process
  2524  omsecor.exe
  2020  omsecor.exe
  2452  omsecor.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2492  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
  2492  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
  2524  omsecor.exe
  2524  omsecor.exe
  2020  omsecor.exe
  2020  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2492 wrote to memory of 2524   2492  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe  31
  PID 2492 wrote to memory of 2524   2492  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe  31
  PID 2492 wrote to memory of 2524   2492  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe  31
  PID 2492 wrote to memory of 2524   2492  781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe  31
  PID 2524 wrote to memory of 2020   2524  omsecor.exe                                                             34
  PID 2524 wrote to memory of 2020   2524  omsecor.exe                                                             34
  PID 2524 wrote to memory of 2020   2524  omsecor.exe                                                             34
  PID 2524 wrote to memory of 2020   2524  omsecor.exe                                                             34
  PID 2020 wrote to memory of 2452   2020  omsecor.exe                                                             35
  PID 2020 wrote to memory of 2452   2020  omsecor.exe                                                             35
  PID 2020 wrote to memory of 2452   2020  omsecor.exe                                                             35
  PID 2020 wrote to memory of 2452   2020  omsecor.exe                                                             35
Processes
1. C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe"
   PID: 2492
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2524
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         (The command line names System32 but the image runs from SysWOW64: the process is 32-bit, and WoW64 file-system redirection on this x64 guest maps its System32 writes and executions to SysWOW64. Hunt on both paths.)
         PID: 2020
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2452
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
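Added example (not tria.ge code and not part of the original report): a small Python triage script that turns the indicators on this page into detection logic and runs it over host telemetry. It takes the sample hash and the three "Downloads" hashes, the omsecor.exe drop locations, the NLS\Language registry key and the three extracted C2 hosts, and applies them to constructed Sysmon-style events that mirror the process tree above. The events, the benign filler PIDs 4000 and 4001, the parent PID 1234 and the verdict thresholds are assumptions; the report does not say which download hash belongs to which omsecor.exe copy, so only the sample's hash is attached to an event.

```python
"""IOC matcher built from the Neconyd report above (added example)."""
import re

# Indicators copied from the report: the sample and the three "Downloads"
# hashes, the extracted C2 hosts, and the omsecor.exe drop locations.
KNOWN_SHA256 = {
    "781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed",
    "6184d19b82a55b330db3719e32bf6be063fc390078ea1d15a150d12c0571ba1d",
    "258fc8cf69a98d349712430d29b532f46898748419940acab9c6504fbfafe17c",
    "3cecfee64dec375816a314d36058b0266f6758f03f18a042549780b1596ccac1",
}
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
# Drive letter and profile name vary per host; System32 is listed next to
# SysWOW64 because a 32-bit process is redirected there by WoW64.
DROP_PATHS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$"),
    re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\omsecor\.exe$"),
]
# Sysmon logs HKLM\SYSTEM\CurrentControlSet\..., the sandbox logged the native
# \REGISTRY\MACHINE\SYSTEM\ControlSet001\... form, so compare on the suffix.
NLS_KEY_SUFFIX = r"\control\nls\language"
STRONG = {"known_hash", "dropped_omsecor", "c2_host"}  # each alone is enough


def classify(event):
    """Name the report indicator an event matches, or None."""
    kind = event["event"]
    if kind == "process_create":
        if event.get("sha256", "").lower() in KNOWN_SHA256:
            return "known_hash"
        if any(p.match(event["image"].lower()) for p in DROP_PATHS):
            return "dropped_omsecor"
    elif kind == "file_create":
        if any(p.match(event["target"].lower()) for p in DROP_PATHS):
            return "dropped_omsecor"
    elif kind == "registry_open":
        if event["key"].lower().endswith(NLS_KEY_SUFFIX):
            return "nls_language_read"
    elif kind == "dns_query":
        if event["query"].lower().rstrip(".") in C2_HOSTS:
            return "c2_host"
    return None


def triage(events):
    """Collect hits per PID. A lone NLS\\Language read is noise (every
    locale-aware program does it) and only becomes 'malicious' when the same
    process also tripped a strong indicator."""
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(ev["pid"], set()).add(name)
    return {
        pid: ("malicious" if names & STRONG else "informational", sorted(names))
        for pid, names in hits.items()
    }


def spawn_chain(events, pid):
    """Follow ppid links upward and return the image path of each ancestor,
    root first, ending with pid itself (empty if pid was never seen)."""
    procs = {e["pid"]: (e["ppid"], e["image"])
             for e in events if e["event"] == "process_create"}
    chain = []
    while pid in procs:
        ppid, image = procs[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


SAMPLE = "781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
# Constructed Sysmon-style events mirroring the process tree in the report.
# Only the sample's hash is attached: the report does not say which download
# hash belongs to which omsecor.exe copy. PIDs 4000/4001 are benign filler.
EVENTS = [
    {"event": "process_create", "pid": 2492, "ppid": 1234,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "sha256": "781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed"},
    {"event": "file_create", "pid": 2492, "target": ROAMING},
    {"event": "process_create", "pid": 2524, "ppid": 2492, "image": ROAMING},
    {"event": "registry_open", "pid": 2524,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language"},
    {"event": "file_create", "pid": 2524, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"event": "process_create", "pid": 2020, "ppid": 2524,
     "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"event": "dns_query", "pid": 2020, "query": "ow5dirasuek.com"},
    {"event": "process_create", "pid": 2452, "ppid": 2020, "image": ROAMING},
    {"event": "dns_query", "pid": 4000, "query": "update.example.com"},
    {"event": "registry_open", "pid": 4001,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language"},
]

if __name__ == "__main__":
    for pid, (verdict, names) in sorted(triage(EVENTS).items()):
        print(pid, verdict, ", ".join(names))
    print(" -> ".join(spawn_chain(EVENTS, 2452)))
```

The strongest host-side signal here is not the registry read but the file name and location: omsecor.exe under %AppData%\Roaming or under SysWOW64/System32 has no legitimate reason to exist, and the four-deep re-execution chain (Temp, Roaming, SysWOW64, Roaming again) is what `spawn_chain` surfaces. The NLS\Language read is deliberately scored as informational on its own, since the same key is opened by any locale-aware program.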
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: aa2c86fd763014630a67ddf397818d45
SHA1: fa521f069005025be29a1fa8b2c73a4e23bf6731
SHA256: 6184d19b82a55b330db3719e32bf6be063fc390078ea1d15a150d12c0571ba1d
SHA512: 5a171ffdf77d089503d56fbe94c731d14cc6260cc7f60a23bebe4640f10c52c6c60acf572b1d5fb009ecdacfd9fb3df838a202b658c4865d94561e7dc4867919

Filesize: 65KB
MD5: 38774e4d6c0db08725122be4fd407463
SHA1: 9e8908bd43e73b1d0be87fcedd77e368d581cc11
SHA256: 258fc8cf69a98d349712430d29b532f46898748419940acab9c6504fbfafe17c
SHA512: 7d04cdf63e280a0d6f5c6843e4de1981bd537c4bcac246290ce8ba70ecb6b6e228ba03cb3f78b0f63ab7aa8cb016355f42612666415c7a9b74e879795f0d1be1

Filesize: 65KB
MD5: b73483edd5abf43668042268ca357046
SHA1: 38cdcad2a1326391fe3b7b5f3f39d615d30b7614
SHA256: 3cecfee64dec375816a314d36058b0266f6758f03f18a042549780b1596ccac1
SHA512: bb98d26a5253148a240f6f818408f8b9847e453d0611f74566fe93e50c38f87fccf65fc77cd303f91ae73f38d2c5b2d6038f2a77d0a75dc93b3fe1ce0daae9cf