Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 115s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 03:28
Static task: static1
Behavioral task: behavioral1
Sample: 240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
Resource: win7-20241010-en
General
- Target: 240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
- Size: 33KB
- MD5: 6b4a87610d7192ec35123b4f22ffa960
- SHA1: 2e82ed58a2647815bf7c347e428bfd39d75f3e82
- SHA256: 240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70d
- SHA512: b7656415066d4bacfbc9c985330130ce7258b33dfb637f4e97c9d557d33ac3905e9bbaa180c92b03f23c00ef6b3a1155b5c2660aa7aee401ccf01db4c221467f
- SSDEEP: 768:jfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DJ:jfVRztyHo8QNHTk0qE5fslvN/956qw
Malware Config
Extracted
- Family: neconyd
- C2 URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2012  omsecor.exe
  1492  omsecor.exe
  1564  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  3056  240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
  3056  240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
  2012  omsecor.exe
  2012  omsecor.exe
  1492  omsecor.exe
  1492  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                                   Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language          omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 3056 wrote to memory of 2012     3056  240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe  30
  PID 3056 wrote to memory of 2012     3056  240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe  30
  PID 3056 wrote to memory of 2012     3056  240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe  30
  PID 3056 wrote to memory of 2012     3056  240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe  30
  PID 2012 wrote to memory of 1492     2012  omsecor.exe                                                              33
  PID 2012 wrote to memory of 1492     2012  omsecor.exe                                                              33
  PID 2012 wrote to memory of 1492     2012  omsecor.exe                                                              33
  PID 2012 wrote to memory of 1492     2012  omsecor.exe                                                              33
  PID 1492 wrote to memory of 1564     1492  omsecor.exe                                                              34
  PID 1492 wrote to memory of 1564     1492  omsecor.exe                                                              34
  PID 1492 wrote to memory of 1564     1492  omsecor.exe                                                              34
  PID 1492 wrote to memory of 1564     1492  omsecor.exe                                                              34
Processes
- C:\Users\Admin\AppData\Local\Temp\240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe"
  PID: 3056
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2012
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1492
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1564
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: 90c7fd5f1e2ac396dfd57f1d98bf9bf6
  SHA1: 407bf80c51b5e03816cc085739d12dcc58ec1feb
  SHA256: 821ae93fb9c0dfa68fb59e7d28c1bfadf4da3650a14876ff61b8125b781bdda4
  SHA512: da456fe1fe51ce7c19a429fa0b85de82a364741cf7ddab29f73d8e29c2a6366111254057e4d2e30d58b0e8ebc2e0a92b041e4f3354dd770c3eb87bbd328f6bcf
- Filesize: 33KB
  MD5: a6fd68d59f3405fb54d619825b9ccda6
  SHA1: 06b89763bd13a5d4ba8267b487a1541ef2f26eb8
  SHA256: 4babfc0462a134f60b4f57604525af2012515c4c1be6e9dbb4b51a16cd1370d5
  SHA512: 76af982a5f56fc3e293250d8bcb42502d8939487935f8833c1705b251660cf8e0464052f89f163743f74f77c5388890a863b8c0267061aee395488844c151371
- Filesize: 33KB
  MD5: 449970832ad8c542a6164b53d1a99507
  SHA1: 1dd83980e19a5df76f5e6ec13a256bb8287fcc12
  SHA256: 04d3cd4d851ee9066459066877f2d593e266cbfc59bcf0b09b46cdebb049ac0f
  SHA512: bcff716e3f9186af62dbd6dae27f75e83c030b517b9894a95d9d08bb5f1898148163cf5dd1538e19db9e19b1244d9c370335a4653eaecb13862cae2cce07b69b