Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel:   114s
max time network:  118s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         24/01/2025, 15:46
Behavioral task: behavioral1
Sample:   52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
Resource: win7-20240903-en
General
Target:  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
Size:    61KB
MD5:     35ee24e737e63d87c27fa95ee96c7360
SHA1:    aa84de4d09780c3df094825a5e0644398a1b8bd9
SHA256:  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02
SHA512:  06563c4edcbf12afb6c8b0ec179fdefc16196be9f8f36d48c5ea6f7b9b95a84ba9597095b3e740ace153f9460edfda004c697700e89bbe90dc72e0aa471c7d95
SSDEEP:  1536:bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5:rdseIOMEZEyFjEOFqTiQmXl/5
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2428  omsecor.exe
1224  omsecor.exe
2796  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2420  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
2420  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
2428  omsecor.exe
2428  omsecor.exe
1224  omsecor.exe
1224  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                 procid_target
PID 2420 wrote to memory of 2428  2420  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe  30
PID 2420 wrote to memory of 2428  2420  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe  30
PID 2420 wrote to memory of 2428  2420  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe  30
PID 2420 wrote to memory of 2428  2420  52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe  30
PID 2428 wrote to memory of 1224  2428  omsecor.exe                                                             33
PID 2428 wrote to memory of 1224  2428  omsecor.exe                                                             33
PID 2428 wrote to memory of 1224  2428  omsecor.exe                                                             33
PID 2428 wrote to memory of 1224  2428  omsecor.exe                                                             33
PID 1224 wrote to memory of 2796  1224  omsecor.exe                                                             34
PID 1224 wrote to memory of 2796  1224  omsecor.exe                                                             34
PID 1224 wrote to memory of 2796  1224  omsecor.exe                                                             34
PID 1224 wrote to memory of 2796  1224  omsecor.exe                                                             34
Processes

1. Path:         C:\Users\Admin\AppData\Local\Temp\52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe"
   PID: 2420
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. Path:         C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2428
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. Path:         C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1224
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. Path:         C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2796
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
Filesize: 61KB
MD5:      577f059c6c48fc39a92e302ef3b7349b
SHA1:     f0674c888ec23370f1db3081da5ce7cb54b6ba24
SHA256:   2901f24c3a56f741b47f4d5c9f93345f427bf0998f5c6c3e1d0bca2e19f39a63
SHA512:   062ac56d31a62051d3dacb592a716cc0a38ed403e7bf00d54eae412d5648e9f35f3bc0a297d5167d8b383e325b2ad364cbc2ec9bf7361f58d151963a7d048651

Dropped file 2
Filesize: 61KB
MD5:      7a384af94f1dbc30d2c6b92fcf031258
SHA1:     618c56e9cf25e9464f481c65a99413a6dfe6337e
SHA256:   7f5e19864ff54b3bf78cbd21f7f4b99b12dcbb20c97de62e8b33b58db2b0d018
SHA512:   382b020feb2600efed147f054a616596fd310305d8c11ab5cc72b23761c2a857d63ebcf5db975866f01d0abcc206b56ef46b0534f524498abae7e504524c1ee9

Dropped file 3
Filesize: 61KB
MD5:      10a6c054af226531930ba793a0897ff4
SHA1:     ed8002d66b8eee9771b01e533018290963823369
SHA256:   dfb7a7d67d4d829fd481ca844a491b44a326134a02a52a50fbfc20e87fe7205e
SHA512:   2934c2cf32e7fd54733c05c769ec5252197331133e965ad2c84a7b05c508b4ad8ef6b97733e93b0100c44ae41559db35b788027c3f7376808e905118f17e8b33