Analysis
- max time kernel: 115s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2025, 22:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe
- Resource: win7-20241010-en
General
- Target: eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe
- Size: 33KB
- MD5: 2afbf5ef5dbe767a28fc8701c5de7180
- SHA1: 975711a9549ee7116a47938a5d114915ceeddd97
- SHA256: eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432e
- SHA512: f221de6a18771b8cc25d4109132a7426f1efa08e1b5d62b7dafcfd1ad50a3015d290dd4bac64d062c125f87273550d01ad4649d19cca850938800f77ea5fd674
- SSDEEP: 768:afVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:afVRztyHo8QNHTk0qE5fslvN/956q
Malware Config
Extracted (family: neconyd), C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  636   omsecor.exe
  3060  omsecor.exe
  1928  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  108   eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe (2 IoCs)
  636   omsecor.exe (2 IoCs)
  3060  omsecor.exe (2 IoCs)
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  Note: the file lands in SysWOW64 rather than System32 because the 32-bit process's System32 path is redirected by WoW64 on this x64 image; the process tree shows the copy launched with the command line C:\Windows\System32\omsecor.exe but running from C:\Windows\SysWOW64\omsecor.exe. Creating a file under C:\Windows also requires write access to the Windows directory, which the sandbox's Admin user has; from a non-elevated process this step would fail.
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe (3 IoCs)
- Suspicious use of WriteProcessMemory (12 IoCs; each record below is reported four times)
  description                       pid   Process                                                                   procid_target
  PID 108 wrote to memory of 636    108   eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe  29
  PID 636 wrote to memory of 3060   636   omsecor.exe                                                               31
  PID 3060 wrote to memory of 1928  3060  omsecor.exe                                                               32
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe (PID 108)
  command line: "C:\Users\Admin\AppData\Local\Temp\eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 636, child of 108)
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\omsecor.exe (PID 3060, child of 636)
      command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1928, child of 3060)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
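The parent-to-child chain in the Processes section can be rebuilt mechanically from the "Suspicious use of WriteProcessMemory" signature, which is useful when a report has many more processes than this one. The Python below is an added example and is not part of the Triage report or of the sample; it embeds, as constructed input, the twelve WriteProcessMemory records, the four image paths and the three C2 URLs from this page. The PROCESSES table, the "user-profile"/"windows-dir" labels and the function names are this example's own choices. It counts how often each writer-to-target record appears (four times per pair here), follows the edges from the submitted sample's PID, and refuses to guess when a PID has more than one writer or a writer has more than one target.

```python
"""Rebuild the process chain from a Triage 'Suspicious use of WriteProcessMemory'
signature and join it with the Processes section (added example, not Triage code)."""
import re
from collections import Counter
from urllib.parse import urlparse

SAMPLE = "eab27175133c089656aac5da13dca473893cb19d716ad9dd38fa418c006c432eN.exe"

# Constructed input: the twelve IoC records of the WriteProcessMemory signature on
# this page, split one record per line (the report renders them run together).
WPM_IOCS = "\n".join(
    [f"PID 108 wrote to memory of 636 108 {SAMPLE} 29"] * 4
    + ["PID 636 wrote to memory of 3060 636 omsecor.exe 31"] * 4
    + ["PID 3060 wrote to memory of 1928 3060 omsecor.exe 32"] * 4
)

# Constructed from the Processes section: PID -> image path actually executed.
PROCESSES = {
    108: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    636: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    3060: r"C:\Windows\SysWOW64\omsecor.exe",
    1928: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# C2 URLs from the Malware Config section of this page.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]

# Record layout: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return Counter{(writer_pid, target_pid, writer_image): times reported}."""
    edges = Counter()
    for writer, target, _writer_again, image, _procid in WPM_RE.findall(text):
        edges[(int(writer), int(target), image)] += 1
    return edges


def build_chain(edges, root_pid):
    """Follow writer -> target edges from root_pid and return the list of PIDs.

    A target written by two different processes, or a writer with several
    targets, means the tree is not a straight line; raise rather than guess.
    """
    parent, children = {}, {}
    for writer, target, _image in edges:
        if parent.get(target, writer) != writer:
            raise ValueError(f"pid {target} is written by more than one process")
        parent[target] = writer
        children.setdefault(writer, set()).add(target)
    chain = [root_pid]
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {chain[-1]} writes into several children: {sorted(kids)}")
        chain.append(next(iter(kids)))
    return chain


def launch_locations(chain, processes):
    """Label each hop as running from the user profile or from the Windows directory."""
    labels = []
    for pid in chain:
        path = processes[pid]
        where = "windows-dir" if path.lower().startswith("c:\\windows\\") else "user-profile"
        labels.append((pid, path, where))
    return labels


def c2_hosts(urls):
    """Hostnames to block or hunt for, deduplicated and sorted."""
    return sorted({urlparse(u).hostname for u in urls})


if __name__ == "__main__":
    chain = build_chain(parse_edges(WPM_IOCS), root_pid=108)
    for pid, image, where in launch_locations(chain, PROCESSES):
        print(f"{pid:>5}  {where:<12}  {image}")
    print("C2 hosts:", ", ".join(c2_hosts(C2_URLS)))
```

Run against this page's data it prints the four hops 108 -> 636 -> 3060 -> 1928 with their locations, which makes the bounce from the user profile into the Windows directory and back visible at a glance. When feeding it a report copied from the site, split the signature text so that each "PID ... wrote to memory of ..." record sits on its own line first.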
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
- Filesize: 33KB
- MD5: 6ebe0d517cdefd525ba0adcec138185d
- SHA1: 9c03bd2d4e73f5e3464d260838935efd84eb337f
- SHA256: e9255546d4d855b5d2cb6db52f31a2dac6395fc9c566ae078f96334585ad631f
- SHA512: c3f4592a72b4ea6138fde53eb355821d74f7a4670faaec2d47475288b850bc4792f53d18378fa210422146510294576117d016321d87b3f006b9e7552948e699
Dropped file 2
- Filesize: 33KB
- MD5: cb78ac53443e5cdc20e5ce1db02bfabe
- SHA1: e9e81d12822053cd40b9dda45ff3fc45006c9e31
- SHA256: 50f4c862d08ebec6b278ff9fb6b9cd60863bc77a3615c00969941bbbfa6e77df
- SHA512: c2100e9c21efed31f3df618d6e56333ae0e1acb589c0f62e8ee25858b84d4c1013c6202327cb855b2117b05214ec52fe98aa3332897141843dfb5c76e73e6ceb
Dropped file 3
- Filesize: 33KB
- MD5: 0e3ff9fcb1684843008e837db6310fbb
- SHA1: 6e719b526fa1c932b07203895b13755273351f28
- SHA256: 39ccf1d55e6e8922b4ed2866d4d07a90211e1893bc89a5c1184f28d4ee703134
- SHA512: c46fc9993c68479a622e3304369a25d1a90ffec6ca059e9ec3a3f5d4a7b7d16d9a984b0599d69888537ac5595cbbbf0d30241e0a274f6907183bfd3b45bfa0fe
Note: each dropped file is 33KB, the same size as the submitted sample, yet all three SHA256 values differ from the sample's and from each other. Hash-based blocking of the dropped copies is therefore unreliable; the omsecor.exe file name, the two drop paths (%APPDATA%\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe), the NLS\Language registry read and the C2 hostnames are the more durable indicators from this report.