Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 08:46
Behavioral task: behavioral1
- Sample: c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
- Resource: win7-20240903-en
General
- Target: c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
- Size: 61KB
- MD5: 5abcdf729097346ef78f2f0de622e985
- SHA1: f8c651f1f42bfdae19805eedb6a8ed143c51e99f
- SHA256: c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730
- SHA512: 1751a20c427b07e6728fe761762fd6240a15725866fedee9e922948e5ae1dd04d16a136df9fc5a16061cd64734e2dd6eb52b1bd95f504bf5e950c9c18c77ce0b
- SSDEEP: 1536:kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZEl/5:cdseIOMEZEyFjEOFqTiQmCl/5
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 2344 omsecor.exe
  - 768 omsecor.exe
  - 1848 omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid / Process:
  - 1372 c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
  - 1372 c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
  - 2344 omsecor.exe
  - 2344 omsecor.exe
  - 768 omsecor.exe
  - 768 omsecor.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\omsecor.exe (omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 1372 wrote to memory of 2344 (c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe, procid_target 31)
  - PID 1372 wrote to memory of 2344 (c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe, procid_target 31)
  - PID 1372 wrote to memory of 2344 (c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe, procid_target 31)
  - PID 1372 wrote to memory of 2344 (c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe, procid_target 31)
  - PID 2344 wrote to memory of 768 (omsecor.exe, procid_target 33)
  - PID 2344 wrote to memory of 768 (omsecor.exe, procid_target 33)
  - PID 2344 wrote to memory of 768 (omsecor.exe, procid_target 33)
  - PID 2344 wrote to memory of 768 (omsecor.exe, procid_target 33)
  - PID 768 wrote to memory of 1848 (omsecor.exe, procid_target 34)
  - PID 768 wrote to memory of 1848 (omsecor.exe, procid_target 34)
  - PID 768 wrote to memory of 1848 (omsecor.exe, procid_target 34)
  - PID 768 wrote to memory of 1848 (omsecor.exe, procid_target 34)
Processes
- C:\Users\Admin\AppData\Local\Temp\c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe (PID 1372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2344)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 768)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1848)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61KB
  MD5: 2d90c64f5359bab5e38188d2ead0e30e
  SHA1: 3637462a38a68d410997fabdd311a6da2583ebd3
  SHA256: acdb6ffb5b73227e01134fcc7b7e6664dd5eff259f02a49e48dab614a1a25784
  SHA512: f83f581528e690ffad673f2a649b43a68a192c93698ed446f8599480384a8c67d36d02b863c03b19dd6c9cb8599e357175aba2399203c70b1f7b38c5990e67e7
- Filesize: 61KB
  MD5: f7186926392df209d756a3dec934e2b0
  SHA1: ad4974fbed0bd420a709f9164aab9f522bee9ba9
  SHA256: 5dda8ce44d0f51ed6d74b23a71e0784420269470fa0af72dc663925b7c82bfdd
  SHA512: ff449e4a0146acb79042791d56d5f1567aea4dce0ea164cc3101befab748a2c53240a150929ec4c7a5392634da98619adb494affaebe12715e7160ddc21fc769
- Filesize: 61KB
  MD5: 96684e72929e45620dc0eaddde116212
  SHA1: 0497f802d9e35cf70c3602622cff282232fdb1d3
  SHA256: 6e7b682b72c4331303f4e1139a61be158b2284d19706476c16b83c84812f48f3
  SHA512: 00effaed0b1d51dde403bf3f13f90a916dbc534cbb373e35eccd139fccd0e5d7fed4cd47498308b55013c7040d7bdb52b7c0885eb25bbe9378d37bdad2512b83