Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 16:57
Behavioral task
behavioral1
Sample: 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
Resource: win7-20240903-en
General
Target: 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
Size: 76KB
MD5: 1076a4ca22700c9bd3071b3f5be10fca
SHA1: 9f3ce9cf20ee6b47676cf2cdee7dbaffb2e41880
SHA256: 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03
SHA512: 092873c0450e21eb8adc6f4d103dca5995e1f356baca69b8f1ee78c4c7695dcd21667b8a32f20bccf7d0041aabdd2569dfcd335a010af7fbbcfcf3bc667aff2a
SSDEEP: 1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11V:kdseIOMEZEyFjEOFqaiQm5l/5w11V
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid / Process:
  1668 omsecor.exe
  2064 omsecor.exe
  1676 omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid / Process:
  1056 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe (2 entries)
  1668 omsecor.exe (2 entries)
  2064 omsecor.exe (2 entries)
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe (3 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 1056 wrote to memory of 1668 | 1056 | 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe | 31 (4 entries)
  PID 1668 wrote to memory of 2064 | 1668 | omsecor.exe | 33 (4 entries)
  PID 2064 wrote to memory of 1676 | 2064 | omsecor.exe | 34 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1056
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1668
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2064
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1676
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76KB
  MD5: 813832ed98234dc5dc897d8c67b54771
  SHA1: 3af5098ef770ce3df082fdedd62f6bf235466963
  SHA256: 22dcdc423c734f3ea7a9c38b5c6301e0c63ba56ab41f79afd284a75b6dea39a3
  SHA512: 1e4dc7ee1506dfff1ebbdd50e7fed490ae5b9085ff34fc35d913fd04041996859527c37ada542192c6768821cd22b7300587ffd0d9f0a93ec6374be62bb26b0d
- Filesize: 76KB
  MD5: 6698cd666ef824ab7ba8e929315b3b4c
  SHA1: 8cbe3c347b28cd117ac5a20aa914796224736268
  SHA256: cd6268a8b4178cc592abb5a4ab7a8aa97b26d32f4fe7476c9d9d964dfdcba9ab
  SHA512: be3ee3129344b4d95e7a282ca1c5ab57007d07478a35b7b715049706bb69044770139dbe6cd2ecbdd33d9564767abb02f1aa1d71de8c903ac3d64077bdf7fa4f
- Filesize: 76KB
  MD5: f70fb2b68500c2414c85b2598bbfdc46
  SHA1: 741657dea050306f32b96e12bc3668c15e9a4434
  SHA256: 852882a3cb356c2b7a71bda35e57fbc0f62248ca42f0ba7170f39c1a0bb88055
  SHA512: 7556d17f3d5d5795171bbb0faec6ab9872921aaf6dd30c54714e5183abaa046ea6cadb4f7c6fd08f7507832ea9cc51b317b50512275456374842050663ffe762