Analysis
max time kernel: 115s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 16:27
Behavioral task: behavioral1
Sample: 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Resource: win7-20241010-en
General
Target: 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Size: 65KB
MD5: e61c59c5b1a01e9e2a31877ed0d17600
SHA1: c8058a611ae1788aa0bbb8ff1559bc3b58b350a7
SHA256: 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820
SHA512: eadc80af64e8ea5220b76be7e2e99ac15797c009c0878c64959b60ed415e892671122b4c1a101d695b4c776a117cc2997a57b06304b949eb3d4c02408395f8b0
SSDEEP: 1536:Gd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:+dseIO+EZEyFjEOFqTiQmRHzl
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
  pid   Process
  1824  omsecor.exe
  2524  omsecor.exe
  872   omsecor.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  3052  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
  3052  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
  1824  omsecor.exe
  1824  omsecor.exe
  2524  omsecor.exe
  2524  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  (The file lands in SysWOW64, the 32-bit system directory; the signature name covers both System32 and SysWOW64.)

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair is reported four times, once per write, and is listed once below with its count)
  description                        pid   Process                                                                 procid_target  rows
  PID 3052 wrote to memory of 1824   3052  4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe  30             4
  PID 1824 wrote to memory of 2524   1824  omsecor.exe                                                             33             4
  PID 2524 wrote to memory of 872    2524  omsecor.exe                                                             34             4
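The WriteProcessMemory rows above arrive flattened and repeated, which makes the chain hard to read at a glance. The following Python is an added example (not Triage's code and not part of the report) that parses rows in that flattened form, collapses the four-fold repeats, follows writer-to-target edges into process chains, and tags each process in a chain by where its image was launched from. The row text and the pid-to-image map are copied from this report; the regex, the function names and the "user-writable" / "system-dir" tags are assumptions of the example.

```python
import re
from collections import defaultdict

SAMPLE = "4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe"

# The 12 "Suspicious use of WriteProcessMemory" rows, copied from the report.
# Triage emits one row per write, so every parent/child pair appears four
# times; the parser below collapses the repeats.
WPM_ROWS = " ".join(
    [f"PID 3052 wrote to memory of 1824 3052 {SAMPLE} 30"] * 4
    + ["PID 1824 wrote to memory of 2524 1824 omsecor.exe 33"] * 4
    + ["PID 2524 wrote to memory of 872 2524 omsecor.exe 34"] * 4
)

# pid -> image path, taken from the report's Processes section.
PROCESSES = {
    3052: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    1824: "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
    2524: "C:\\Windows\\SysWOW64\\omsecor.exe",
    872: "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
}

# Row shape: "PID <writer> wrote to memory of <target> <writer> <image> <procid>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm_events(text):
    """Return unique (writer_pid, target_pid, writer_image, triage_procid)
    tuples in first-seen order, dropping the per-write repeats."""
    events = []
    for m in WPM_RE.finditer(text):
        writer, target, writer_again, image, procid = m.groups()
        if writer != writer_again:  # the row repeats the writer pid; a mismatch is a parse slip
            raise ValueError(f"inconsistent row: {m.group(0)}")
        ev = (int(writer), int(target), image, int(procid))
        if ev not in events:
            events.append(ev)
    return events


def injection_chains(events):
    """Follow writer -> target edges from every root (a writer nobody wrote into)
    down to each leaf; returns one pid list per chain."""
    children = defaultdict(list)
    targets = set()
    for writer, target, _, _ in events:
        children[writer].append(target)
        targets.add(target)
    roots = []
    for writer, _, _, _ in events:
        if writer not in targets and writer not in roots:
            roots.append(writer)
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


# Directory markers the example treats as user-writable (an assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def annotate(chain, processes):
    """Pair each pid with its image path and a tag: 'user-writable' for images
    under a profile directory, 'system-dir' for images under C:\\Windows."""
    out = []
    for pid in chain:
        path = processes[pid]
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            tag = "user-writable"
        elif low.startswith("c:\\windows\\"):
            tag = "system-dir"
        else:
            tag = "other"
        out.append((pid, path, tag))
    return out


if __name__ == "__main__":
    events = parse_wpm_events(WPM_ROWS)
    for chain in injection_chains(events):
        print(" -> ".join(str(pid) for pid in chain))
        for pid, path, tag in annotate(chain, PROCESSES):
            print(f"  {pid:>5}  {tag:<13} {path}")
```

On this report the output is a single chain, 3052 -> 1824 -> 2524 -> 872, in which every write targets the process the writer has just spawned. The report records only that the writes happened, not their contents, so the example tags launch locations rather than guessing at what was written.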
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe (PID 3052)
Command line: "C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1824), child of PID 3052
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\omsecor.exe (PID 2524), child of PID 1824
    Command line: C:\Windows\System32\omsecor.exe
    (The command line names System32 while the image path is SysWOW64: a 32-bit process's System32 references are redirected to SysWOW64 by WoW64 file-system redirection, which also explains the "Drops file in System32 directory" IoC landing in SysWOW64.)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 872), child of PID 2524
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Three dropped files, each 65KB and each with a different hash:

Filesize: 65KB
MD5: e66166e6715e0b25409501a4a79fb9fe
SHA1: 748b5630da2fc1b85bc8333807d431a37a814695
SHA256: c9731ed55fd8f2d6402dc686301eb46787648a1dbbc0be8b519dc08d43597481
SHA512: b3c13823e6e99a5d393d3e6fc886babc49340ce64b6a39e41ebb6c01eb1409e1d0328f90c64edfcace4e3f2f321a6fa8eff16dcf5b17129acbf4a31201bf9b18

Filesize: 65KB
MD5: 1e84a6e10f2eed342b1e56e1822fb3a7
SHA1: 70f9247a0d69dff58d58fd34ee042e8bcf97f661
SHA256: aadbf4a32530e19514963b21ea873d660683e05861b975cc997b40d5b5da223e
SHA512: cdbc37ee0e79cc580db2ba3d35c9740e99336d81001ca0fb04606db409a23de103e34b86bd58060b546c36611de97e68325fe23590bafaff0519ae3fb1c35610

Filesize: 65KB
MD5: 0c83c0f52d29b7f55388639e419887d4
SHA1: ef4902ed18a81b9a62e9379b8c98596ba16bb9f5
SHA256: 79e795096108dd4a86b357bbba338a75ba6a8796ba497806ead70c42208b71f8
SHA512: 3dea41401ff85acfc36c247683bc413531da9129378782ae4fb13212741a1299d8a8785dfe7d8e0acf3b10df6e559f75a39c523866a00be4c6a600c287a198df
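The report gives three kinds of indicator worth turning into a hunt: the neconyd URLs from the extracted config, the two paths omsecor.exe was written to, and the hashes of the sample and its three dropped copies. Because every dropped copy has a different hash, a hunt that keys on hashes alone will miss a fresh copy, so path matching has to run alongside it. The following Python is an added example (not Triage's code and not part of the report) that builds an indicator set from these values and matches it against constructed host telemetry. The URLs, paths and SHA-256 values are copied from this report; the DNS log format, the file-inventory records (including their hashes and sizes), the profile-agnostic path patterns and the subdomain-matching rule are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Indicators transcribed from the report: neconyd config URLs, SHA-256 of the
# submitted sample and of the three files listed under Downloads.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}
KNOWN_SHA256 = {
    "4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820",  # submitted sample
    "c9731ed55fd8f2d6402dc686301eb46787648a1dbbc0be8b519dc08d43597481",  # dropped file 1
    "aadbf4a32530e19514963b21ea873d660683e05861b975cc997b40d5b5da223e",  # dropped file 2
    "79e795096108dd4a86b357bbba338a75ba6a8796ba497806ead70c42208b71f8",  # dropped file 3
}
# Drop locations from the Processes section, generalised from user "Admin" to
# any profile (an assumption of the example).
DROP_PATH_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$"),
    re.compile(r"^c:\\windows\\syswow64\\omsecor\.exe$"),
]


def dns_hits(log_text):
    """Return (timestamp, host, queried_name) for queries whose name is a C2
    host or a subdomain of one. Expects the constructed '<ts> <host> <type>
    <name>' line format used below, not a real resolver's log format."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, host, _qtype, qname = parts[:4]
        qname = qname.rstrip(".").lower()
        if any(qname == c2 or qname.endswith("." + c2) for c2 in C2_HOSTS):
            hits.append((ts, host, qname))
    return hits


def file_hits(inventory):
    """Match (path, size, sha256) records by exact hash and by drop path,
    keeping every reason that fires. A path hit with an unknown hash is the
    case the Downloads section predicts: each dropped copy had a new hash."""
    hits = []
    for path, size, sha256 in inventory:
        reasons = []
        if sha256.lower() in KNOWN_SHA256:
            reasons.append("known-hash")
        if any(p.match(path.lower()) for p in DROP_PATH_PATTERNS):
            reasons.append("drop-path")
        if reasons:
            hits.append((path, size, reasons))
    return hits


# Constructed telemetry for the demo; none of these lines come from the report.
DNS_LOG = """\
2025-01-24T16:28:01Z WS01 A ow5dirasuek.com
2025-01-24T16:28:01Z WS01 A www.microsoft.com
2025-01-24T16:28:03Z WS02 A cdn.lousta.net.
2025-01-24T16:28:05Z WS01 AAAA mkkuei4kdsz.com
"""
FILE_INVENTORY = [
    # renamed copy carrying the hash of dropped file 2: caught by hash only
    (r"C:\Users\jdoe\Downloads\invoice.exe", 66560,
     "aadbf4a32530e19514963b21ea873d660683e05861b975cc997b40d5b5da223e"),
    # fresh omsecor.exe whose hash is not in the report: caught by path only
    (r"C:\Users\jdoe\AppData\Roaming\omsecor.exe", 66560, "0" * 64),
    # drop location plus a known hash: both reasons fire
    (r"C:\Windows\SysWOW64\omsecor.exe", 66560,
     "4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820"),
    # benign system binary with an unrelated hash: no hit
    (r"C:\Windows\System32\notepad.exe", 201216, "f" * 64),
]

if __name__ == "__main__":
    for hit in dns_hits(DNS_LOG):
        print("DNS ", hit)
    for hit in file_hits(FILE_INVENTORY):
        print("FILE", hit)
```

Matching subdomains of the configured hosts is a deliberate widening: the config lists bare hostnames, and a resolver log may show a label in front of them. The path patterns are case-insensitive because NTFS paths are, and they are anchored at both ends so that a lookalike such as omsecor.exe.txt does not match.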