Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2025, 22:08

Behavioral task: behavioral1
Sample: 8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
Resource: win7-20241023-en
General
Target: 8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
Size: 65KB
MD5: 604765030c1e27ffb16c2845b8ecbffd
SHA1: 3d627af1c443c50ee1fc3bcdc4f583b8912b1820
SHA256: 8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488
SHA512: 80bb3e2b412f202f10a185fc0321ea6413d9153194387aca2d402b0af028c6069382d8e07ae2888b4f721e6812e0c255181c9208c2933b5202f44d17c12dc955
SSDEEP: 1536:Bd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzV:xdseIO+EZEyFjEOFqTiQmRHzV
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2356  omsecor.exe
  700   omsecor.exe
  708   omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1512  8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
  1512  8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
  2356  omsecor.exe
  2356  omsecor.exe
  700   omsecor.exe
  700   omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                                                   procid_target
  PID 1512 wrote to memory of 2356    1512  8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe    30
  PID 1512 wrote to memory of 2356    1512  8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe    30
  PID 1512 wrote to memory of 2356    1512  8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe    30
  PID 1512 wrote to memory of 2356    1512  8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe    30
  PID 2356 wrote to memory of 700     2356  omsecor.exe                                                               33
  PID 2356 wrote to memory of 700     2356  omsecor.exe                                                               33
  PID 2356 wrote to memory of 700     2356  omsecor.exe                                                               33
  PID 2356 wrote to memory of 700     2356  omsecor.exe                                                               33
  PID 700 wrote to memory of 708      700   omsecor.exe                                                               34
  PID 700 wrote to memory of 708      700   omsecor.exe                                                               34
  PID 700 wrote to memory of 708      700   omsecor.exe                                                               34
  PID 700 wrote to memory of 708      700   omsecor.exe                                                               34
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe"
  PID: 1512
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2356
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 700
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 708
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: 3227b7de0cc359584baad0495fd4afd5
  SHA1: 2d3c0581537fb466ef47a23e56e6301bc13687a3
  SHA256: 0fc3cf8e661ce29fdd951ac43ed1a664a143af057e58914cb3517c28a761eb18
  SHA512: e6248373848017d1218915ba6342e7c8ec5ded1051547ae71cb44b1e5d4e5bb6a020b35e92343353e36fcbd1f532ba274997ac65ca10653ddfaafdb54cd5f67b
- Filesize: 65KB
  MD5: c61391d38ec3fda7727c6c9a679101bb
  SHA1: e26044d505aa38d277929b4997aa5ef03634bb4a
  SHA256: 466b1e000dcd9498cbc5173b47d8ba0ee1a88890cca2a983db663a7250aa01ea
  SHA512: fd3cd4d5164ccc609b620c9bc7b172e90f64cbbaa1a11da13c19a99a38f489a3825027a180ba5803bc1226c4be47badb6bfe11987cf86e8f81a7ee422a7fb8d6
- Filesize: 65KB
  MD5: 09c0bb6b5887d04ed0ec584f95ecfb3a
  SHA1: 45e25f35cf86c152a2f367c6ff3e36eca8079ca9
  SHA256: 7de830457a9984369d11e2d186e6b8cfebc95d435df79eabcac4412e34a562c6
  SHA512: a0edf88995cf8bb111c8a217285860a51b5e6fec42385ffd6959650b672ffff95d022fb2ff9aaba581476e938ea8f39f0a11bd3d48c3bb878502478154bdbafa