Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 115s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 15:37
Behavioral task: behavioral1
- Sample: 6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
- Resource: win7-20241010-en
General
- Target: 6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
- Size: 61KB
- MD5: 2d6d5374de73373cbc7625527ee63110
- SHA1: 2f56053b9adf1f48739dd47062ce8df726329f01
- SHA256: 6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571
- SHA512: fd607c5a9dec7262a64234ce76a2fb1569217ec606fd7d402677c07e7798ae3c93bcd0a4bcbce0879bbc67d10e10751f6f9773073afeec9216e7936225d079f3
- SSDEEP: 1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5n:XdseIOMEZEyFjEOFqTiQmTl/5n
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2368  omsecor.exe
  1784  omsecor.exe
  2316  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1740  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
  1740  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
  2368  omsecor.exe
  2368  omsecor.exe
  1784  omsecor.exe
  1784  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1740 wrote to memory of 2368  1740  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe  30
  PID 1740 wrote to memory of 2368  1740  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe  30
  PID 1740 wrote to memory of 2368  1740  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe  30
  PID 1740 wrote to memory of 2368  1740  6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe  30
  PID 2368 wrote to memory of 1784  2368  omsecor.exe                                                             33
  PID 2368 wrote to memory of 1784  2368  omsecor.exe                                                             33
  PID 2368 wrote to memory of 1784  2368  omsecor.exe                                                             33
  PID 2368 wrote to memory of 1784  2368  omsecor.exe                                                             33
  PID 1784 wrote to memory of 2316  1784  omsecor.exe                                                             34
  PID 1784 wrote to memory of 2316  1784  omsecor.exe                                                             34
  PID 1784 wrote to memory of 2316  1784  omsecor.exe                                                             34
  PID 1784 wrote to memory of 2316  1784  omsecor.exe                                                             34
Processes
1. C:\Users\Admin\AppData\Local\Temp\6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1740
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2368
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1784
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2316
Network
MITRE ATT&CK Enterprise v15
Downloads