Analysis
max time kernel    147s
max time network   148s
platform           windows7_x64
resource           win7-20241023-en
resource tags      arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted          25/01/2025, 18:26
Behavioral task
behavioral1
Sample     1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Resource   win7-20241023-en
General
Target   1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Size     65KB
MD5      c064549c82649f9e5e14e6fa3c6c011d
SHA1     459b8287523fe2a9bb354076b0b028d8fea5e52e
SHA256   1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6
SHA512   b71ca64e5513b60ae5ddd3e4f8fce324d1a32be6a463e5d802f46a8f41ea3fe05bb22f4ea647fcc2ef229d675cd2fa61d32dbc365f172154892d4d9e74ff4963
SSDEEP   1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz/:IdseIO+EZEyFjEOFqTiQmRHz/
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2132  omsecor.exe
2360  omsecor.exe
1748  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
1048  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
1048  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
2132  omsecor.exe
2132  omsecor.exe
2360  omsecor.exe
2360  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                 procid_target
PID 1048 wrote to memory of 2132  1048  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe  30
PID 1048 wrote to memory of 2132  1048  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe  30
PID 1048 wrote to memory of 2132  1048  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe  30
PID 1048 wrote to memory of 2132  1048  1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe  30
PID 2132 wrote to memory of 2360  2132  omsecor.exe                                                             33
PID 2132 wrote to memory of 2360  2132  omsecor.exe                                                             33
PID 2132 wrote to memory of 2360  2132  omsecor.exe                                                             33
PID 2132 wrote to memory of 2360  2132  omsecor.exe                                                             33
PID 2360 wrote to memory of 1748  2360  omsecor.exe                                                             34
PID 2360 wrote to memory of 1748  2360  omsecor.exe                                                             34
PID 2360 wrote to memory of 1748  2360  omsecor.exe                                                             34
PID 2360 wrote to memory of 1748  2360  omsecor.exe                                                             34
Processes

1. C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe"
   PID: 1048
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2132
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2360
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1748
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  65KB
MD5       6dc0c0d399ad51bf668a3e6b84e245b9
SHA1      2bfe704383f4b9292b7333e1013d9ab60b0799e3
SHA256    9c4c06a94e894ee309b6fad5e0e4cf8e17f02360605a38a5f11752abf9c6cb08
SHA512    967782a834a512466a7a2932d9d6a04202e0fb9b6fb4a1a12c1e014ccd954d0193343f295a0f03dd44c22dd7837ca6a67a6da31ca4321afb64c9c10e374f2543

Filesize  65KB
MD5       a4afa73a120789b79866439e80615aff
SHA1      3d2c27342bef2f3b2b001a31937953a27f42a035
SHA256    41c12c5a13626fd9c4326a3b25cac1e07bb069750250b30914088844630b7943
SHA512    934ba1dd0bea2aaf08b6d8a2e100869200269dafff79b66cf4c41ba890a7334fa2798d040292d2159fd089b0317388ffaa8c4821ece50cb1dfc2faba6c2edab4

Filesize  65KB
MD5       c2e253d7050674f303bcfba555821da5
SHA1      6727fab7f9fed6ab5ebfa705cc8485b4d78cfc66
SHA256    0db6d104d698dbe57ec22f2ff2006d8ae2fbe106722d58c0c44706505eaaff29
SHA512    8d0627536237c7f40e265bdc79e1b6e95c319fc61ce063572b47be0f1372155e2d148a65cb0c9275f4aefd471308d988f8c9503b1d1332b8625ff0df709cd84d