Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2025, 11:32
Behavioral task: behavioral1
- Sample: fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
- Resource: win7-20240903-en
General
- Target: fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
- Size: 71KB
- MD5: 313ec61c311f87ef3513914163905a08
- SHA1: 74fde2d922688492f12d0c91839021ae9b5b7c37
- SHA256: fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14
- SHA512: f4303ae873e2449b6043b65252e8c764687d61852278ba19ac63c4384eb507a16374f67d6e1c675ba7ac34a2e921af063918deb37f36b8ba0121805720679219
- SSDEEP: 1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHP:KdseIOMEZEyFjEOFqTiQmQDHIbHP
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  1140  omsecor.exe
  2956  omsecor.exe
  2844  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2468  fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
  2468  fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
  1140  omsecor.exe
  1140  omsecor.exe
  2956  omsecor.exe
  2956  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                 Process
  File created  C:\Windows\SysWOW64\omsecor.exe     omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   Process                                                                 procid_target
  PID 2468 wrote to memory of 1140 2468  fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe  30
  PID 2468 wrote to memory of 1140 2468  fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe  30
  PID 2468 wrote to memory of 1140 2468  fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe  30
  PID 2468 wrote to memory of 1140 2468  fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe  30
  PID 1140 wrote to memory of 2956 1140  omsecor.exe                                                             33
  PID 1140 wrote to memory of 2956 1140  omsecor.exe                                                             33
  PID 1140 wrote to memory of 2956 1140  omsecor.exe                                                             33
  PID 1140 wrote to memory of 2956 1140  omsecor.exe                                                             33
  PID 2956 wrote to memory of 2844 2956  omsecor.exe                                                             34
  PID 2956 wrote to memory of 2844 2956  omsecor.exe                                                             34
  PID 2956 wrote to memory of 2844 2956  omsecor.exe                                                             34
  PID 2956 wrote to memory of 2844 2956  omsecor.exe                                                             34
Processes
1. C:\Users\Admin\AppData\Local\Temp\fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe4a6444fcf0504a6d3a48072244167145d4d191e0fced191ff7b263119d4c14.exe"
   PID: 2468
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1140
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2956
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2844
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads