Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
25/01/2025, 14:14
Behavioral task
behavioral1
Sample
1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
Resource
win7-20240729-en
General
Target
1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
Size
90KB
MD5
58ecb69d1c68c8f3834a96c026fea75c
SHA1
10fd25a7d6127caf506d93d03f9203bb78ca5ffe
SHA256
1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89
SHA512
116bb69fcff1f70d2ace23a90da1b6a1437286f92a6021a09621bcbb45e09ff2ba96d40b10c571186dcba2875582c609578ee43ef0829c45d6cf6f42a93f4e59
SSDEEP
768:vMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAe:vbIvYvZEyFKF6N4aS5AQmZTl/52
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2724  omsecor.exe
1260  omsecor.exe
2664  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2268  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
2268  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
2724  omsecor.exe
2724  omsecor.exe
1260  omsecor.exe
1260  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                 procid_target
PID 2268 wrote to memory of 2724  2268  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe  30
PID 2268 wrote to memory of 2724  2268  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe  30
PID 2268 wrote to memory of 2724  2268  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe  30
PID 2268 wrote to memory of 2724  2268  1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe  30
PID 2724 wrote to memory of 1260  2724  omsecor.exe                                                             33
PID 2724 wrote to memory of 1260  2724  omsecor.exe                                                             33
PID 2724 wrote to memory of 1260  2724  omsecor.exe                                                             33
PID 2724 wrote to memory of 1260  2724  omsecor.exe                                                             33
PID 1260 wrote to memory of 2664  1260  omsecor.exe                                                             34
PID 1260 wrote to memory of 2664  1260  omsecor.exe                                                             34
PID 1260 wrote to memory of 2664  1260  omsecor.exe                                                             34
PID 1260 wrote to memory of 2664  1260  omsecor.exe                                                             34
Processes

1. C:\Users\Admin\AppData\Local\Temp\1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2268

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of PID 2268)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2724

      3. C:\Windows\SysWOW64\omsecor.exe (child of PID 2724)
         Command line: C:\Windows\System32\omsecor.exe
         The command line names System32 while the image runs from SysWOW64: the dropper is a 32-bit process on the x64 sandbox, so WOW64 file-system redirection maps both the file write and the launch path from System32 to SysWOW64. When hunting on a 64-bit host, look for omsecor.exe under SysWOW64, not System32.
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1260

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of PID 1260)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2664
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
90KB
MD5
4ed3d5856ca1da4accbe0321d43650a2
SHA1
fc258cf1a5f67449151524ca5ee534d29b938b35
SHA256
d250e9333cdebfa981f332d98336d68d7c55145f042abb6f93f8ca80b19ec266
SHA512
e46a4b6fc7007a9c98c7af128058f7359bf6603b47ef87113b2520b34cc0599c06a28f1699e510cccc61b9999a2d543242e07284c8eac61987b708a57c953db8

Filesize
90KB
MD5
4fb9fc5d656ee3b389e7d87339ad9cdc
SHA1
6cdf74964b23bd05bab35654d3c7baf6d53a945f
SHA256
0f5ca57d108922ed644818c6c578fce5d2f6f35212812162f238b251b30865ce
SHA512
6b280478142078487b37883607ec5811eb4477e2959e10e30f866345f04dda9f47045c7b2efa8542c1221b485f36d5ef3ec3007735e670a87da40201d1488042

Filesize
90KB
MD5
0a3e1de2722449bc27309bf05864bd1e
SHA1
f751d5686b09a8c93b9b1c6003d40d75686271ab
SHA256
8de26f7ba12a358c29be65104d25022de434750f5749ff9a2914baa4ad182261
SHA512
0baa26fb18bc820948687820175b700cd92dfd2f4f4e6356fc8ad1198a2ee636692dbb05bf4795fdd3f4b03fb80074365ecba610a283aa71397105e3b095bf03
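Added example, not part of the tria.ge report and not code from the sample: a small Python matcher that turns the indicators on this page (the three C2 hosts from the extracted config, the omsecor.exe drop paths from the signatures, the relaunch chain from the process tree, and the SHA256s under Downloads) into checks over a constructed Sysmon-style event list. The event schema, the sample events, and the names analyze, event_findings, relaunch_chains and hash_hit are assumptions of this example. Note the caveat it encodes: the three 90KB omsecor.exe copies under Downloads all carry different hashes, and none of them matches the submitted sample, so the hash list alone only catches copies already seen; the path and process-chain checks are what carry the detection.

```python
"""Match constructed Sysmon-style events against the Neconyd indicators above.

Added example; not code from tria.ge or from the sample. The event schema and
the sample events are constructed to mirror the report's process tree.
"""
import hashlib
import re
from collections import defaultdict
from typing import Optional

# Indicators copied from the report: C2 hosts from the extracted config,
# the submitted sample's SHA256 and the three dropped-copy SHA256s.
NECONYD_C2 = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
SAMPLE_SHA256 = "1fe0a57e19d8488fdb8ac63f38cb0160bba134f5154cf35f230417751f85bc89"
DROPPED_SHA256 = {
    "d250e9333cdebfa981f332d98336d68d7c55145f042abb6f93f8ca80b19ec266",
    "0f5ca57d108922ed644818c6c578fce5d2f6f35212812162f238b251b30865ce",
    "8de26f7ba12a358c29be65104d25022de434750f5749ff9a2914baa4ad182261",
}
# Where the sandbox saw the copy land: %APPDATA%\omsecor.exe and SysWOW64\omsecor.exe.
DROP_PATH = re.compile(
    r"^c:\\(?:users\\[^\\]+\\appdata\\roaming|windows\\syswow64)\\omsecor\.exe$", re.I
)


def hash_hit(data: bytes) -> Optional[str]:
    """Return 'sample' or 'dropped' if the file body matches a listed SHA256.

    Each omsecor.exe copy in the report has a different hash from the submitted
    sample and from the other copies, so this only catches copies already seen.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest == SAMPLE_SHA256:
        return "sample"
    return "dropped" if digest in DROPPED_SHA256 else None


def event_findings(ev: dict) -> list:
    """Behavioural checks on one event (constructed schema: type, pid, plus image,
    cmdline, ppid for ProcessCreate; path for FileCreate; query for DnsQuery)."""
    out = []
    if ev["type"] == "FileCreate" and DROP_PATH.match(ev["path"]):
        out.append("omsecor.exe written to %s by pid %d" % (ev["path"], ev["pid"]))
    elif ev["type"] == "ProcessCreate":
        if DROP_PATH.match(ev["image"]):
            out.append("omsecor.exe executed from %s (pid %d)" % (ev["image"], ev["pid"]))
        # The report shows the 32-bit copy launched with a System32 command line
        # that WOW64 redirects to SysWOW64; flag that mismatch on its own.
        if "\\system32\\" in ev["cmdline"].lower() and "\\syswow64\\" in ev["image"].lower():
            out.append("System32 command line resolved to SysWOW64 image (pid %d)" % ev["pid"])
    elif ev["type"] == "DnsQuery" and ev["query"].lower().rstrip(".") in NECONYD_C2:
        out.append("DNS lookup of Neconyd C2 %s by pid %d" % (ev["query"], ev["pid"]))
    return out


def relaunch_chains(events: list) -> list:
    """Return pid chains in which omsecor.exe spawns omsecor.exe, longest first.

    The report's tree is sample -> Roaming copy -> SysWOW64 copy -> Roaming copy;
    a parent and child that are both omsecor.exe is the relaunch hop.
    """
    procs = [ev for ev in events if ev["type"] == "ProcessCreate"]
    image = {ev["pid"]: ev["image"].lower() for ev in procs}
    parent = {ev["pid"]: ev["ppid"] for ev in procs}
    children = defaultdict(list)
    for pid, ppid in parent.items():
        children[ppid].append(pid)

    def is_drop(pid):
        return pid in image and image[pid].endswith("\\omsecor.exe")

    chains = []

    def walk(pid, chain):
        chain = chain + [pid]
        kids = [c for c in children[pid] if is_drop(c)]
        if not kids and len(chain) > 1:
            chains.append(chain)
        for kid in kids:
            walk(kid, chain)

    for pid in image:  # start only at chain heads (omsecor.exe whose parent is not)
        if is_drop(pid) and not is_drop(parent[pid]):
            walk(pid, [])
    return sorted(chains, key=len, reverse=True)


def analyze(events: list) -> dict:
    findings = [f for ev in events for f in event_findings(ev)]
    return {"findings": findings, "relaunch_chains": relaunch_chains(events)}


# Constructed events reproducing the report's process tree (Sysmon EID 1/11/22 shape).
_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 2268, "ppid": 1000,
     "image": _TMP + "\\" + SAMPLE_SHA256 + ".exe",
     "cmdline": '"' + _TMP + "\\" + SAMPLE_SHA256 + '.exe"'},
    {"type": "FileCreate", "pid": 2268, "path": _ROAMING},
    {"type": "ProcessCreate", "pid": 2724, "ppid": 2268, "image": _ROAMING, "cmdline": _ROAMING},
    {"type": "FileCreate", "pid": 2724, "path": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "ProcessCreate", "pid": 1260, "ppid": 2724,
     "image": r"C:\Windows\SysWOW64\omsecor.exe", "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"type": "ProcessCreate", "pid": 2664, "ppid": 1260, "image": _ROAMING, "cmdline": _ROAMING},
    # Constructed: the report's Network section is empty, the host comes from the config.
    {"type": "DnsQuery", "pid": 2664, "query": "ow5dirasuek.com"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for line in result["findings"]:
        print(line)
    print("relaunch chains:", result["relaunch_chains"])
```

Real Sysmon Event IDs 1 (process creation), 11 (file create) and 22 (DNS query) map onto the constructed ProcessCreate, FileCreate and DnsQuery events, so the same functions can be fed an exported event log once its fields are renamed to this schema.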