Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 120s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 25/01/2025, 05:22
Behavioral task: behavioral1
Sample: c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
Resource: win7-20240903-en
General
Target: c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
Size: 71KB
MD5: 71bb744abacc0cc2d91122f40518e400
SHA1: 2696b4941186d1311c3fbcd6e9c821bce6be5cbd
SHA256: c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071
SHA512: fd6043c84c4ea3d077f25cfc663cc0383bc526d4845ab251c803854ad9051db6d612d472a6d1fff667843627861d9e72648581eabbff962545ac4432ee1ea840
SSDEEP: 1536:/d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:3dseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (3 IoCs)
  PID   Process
  1748  omsecor.exe
  2820  omsecor.exe
  2976  omsecor.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  2536  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
  2536  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
  1748  omsecor.exe
  1748  omsecor.exe
  2820  omsecor.exe
  2820  omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                  Target procid
  PID 2536 wrote to memory of 1748  2536  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe  30
  PID 2536 wrote to memory of 1748  2536  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe  30
  PID 2536 wrote to memory of 1748  2536  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe  30
  PID 2536 wrote to memory of 1748  2536  c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe  30
  PID 1748 wrote to memory of 2820  1748  omsecor.exe                                                              33
  PID 1748 wrote to memory of 2820  1748  omsecor.exe                                                              33
  PID 1748 wrote to memory of 2820  1748  omsecor.exe                                                              33
  PID 1748 wrote to memory of 2820  1748  omsecor.exe                                                              33
  PID 2820 wrote to memory of 2976  2820  omsecor.exe                                                              34
  PID 2820 wrote to memory of 2976  2820  omsecor.exe                                                              34
  PID 2820 wrote to memory of 2976  2820  omsecor.exe                                                              34
  PID 2820 wrote to memory of 2976  2820  omsecor.exe                                                              34
Processes
1. C:\Users\Admin\AppData\Local\Temp\c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe"
   PID: 2536
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1748
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2820
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2976
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 71KB
  MD5: 03cb7f6f015752357265d67fc886541b
  SHA1: a3271d6c2551f5b556262002cc0d779974b54889
  SHA256: 0b40578b66ec87d50aefaebf463ea6f0b80ee7d83cfb145e5733a1fba0600dee
  SHA512: 067c76adca86db50ab4ec96545f58cf112d6ecb662ae3173ae50ec4038aa36dd4c8b1979233955951249111f846550e9d9ae54829c0b1a462ca1218698302075
File 2
  Filesize: 71KB
  MD5: 43716656be78b43c454bf4853e7079eb
  SHA1: 4578766c817cf11d2ba9c2614bf5c08b5a8ff9e0
  SHA256: 84266add1ab8fd8a0b251e06c86e4f918143f65b339ef07084cfe214313a2c27
  SHA512: cf0f7ea5a28958a2c57179b104cc525e3eb3f9396eb24c033b67555e92d1d565e41a4494a32e3184f6d663c10eed1aff402d11b7d88ac380d86ac58b76d3663f
File 3
  Filesize: 71KB
  MD5: dcbd02018759431fee4ab459d83f6717
  SHA1: 41442f3f0c8bdf8b497f2d69af2bb7e4acc4c1ad
  SHA256: daf0a38d55c38fb7e4ae5422ca8d5b82c4f7691865ec3e1fab5c10d7e4b2c98c
  SHA512: 200284ebef5037aeb3cd6ed2997a21212150fd6480b91b4f6f0f0c96dfc78de048db540527681ce40c055f67ccf991b3b125cc585c076046cca66075b131747d