Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 02:09
Behavioral task: behavioral1
- Sample: 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
- Resource: win7-20240708-en
General
- Target: 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
- Size: 72KB
- MD5: 6fe48d5c17a51a1e1cdc580929ecf150
- SHA1: 4a9ef6964981bc925abaa5b71acba37ef701dc63
- SHA256: 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bc
- SHA512: f6343572658a44f6df4ae82ac8bd0804130baeb5621e3cafa8c6388e52dce08709f569f7aebdb2887c601d0a05a6ae4875d66c9c650e271cfb7c20b6150a3451
- SSDEEP: 1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:JdseIOMEZEyFjEOFqTiQm5l/5211v
Malware Config
Extracted family: neconyd
Extracted URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  2008  omsecor.exe
  1708  omsecor.exe
  1116  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1948  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
  1948  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
  2008  omsecor.exe
  2008  omsecor.exe
  1708  omsecor.exe
  1708  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this read is weak evidence (plenty of benign software queries the NLS keys); it matters here because the sample and every copy of omsecor.exe perform it, which fits a locale check used to decide whether to run.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1948 wrote to memory of 2008  1948  54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe  30  (4 identical entries)
  PID 2008 wrote to memory of 1708  2008  omsecor.exe                                                             33  (4 identical entries)
  PID 1708 wrote to memory of 1116  1708  omsecor.exe                                                             34  (4 identical entries)
  Every write targets the process the writer has just spawned, four writes per parent/child pair and none to an unrelated process. Writes of that shape are what a parent performs while setting up its new child before it resumes, so this signature corroborates the spawn chain sample -> omsecor.exe (2008) -> omsecor.exe (1708) -> omsecor.exe (1116); it is not by itself evidence of injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe (PID 1948)
   command line: "C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2008), child of PID 1948
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 1708), child of PID 2008
         command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1116), child of PID 1708
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Note the mismatch at PID 1708: the command line names C:\Windows\System32\omsecor.exe, but the image actually executed is C:\Windows\SysWOW64\omsecor.exe, the same path the "Drops file in System32 directory" signature recorded. That is WoW64 file-system redirection, which rewrites System32 to SysWOW64 for 32-bit processes, so omsecor.exe is a 32-bit binary and the "System32" drop never reached the real System32 directory. Hunting rules should match both spellings of the path.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 72KB
  MD5: decd33de0b63b67571294e4a88b2cefc
  SHA1: cf09cb32e9b26448bafb5d3686da73ad5bfcd502
  SHA256: 43d3e2ee9057a7588fb9511092d35a44974c5c54fdf1ff6f23e1d0acfd3231a3
  SHA512: 0d1a5cec2485c107fd84d54fcab534d5288eacc2d5a7c3fad00adfe6a290538486b0263da315a1467217b8506f1887b3360ec114328d67f9eddec7c6562dc117
- Filesize: 72KB
  MD5: b1d73018087b94b6b79574a770a1e85d
  SHA1: cf54ccbc4b04a49e2dc7126d5267dbd6700c6975
  SHA256: f58f47cad8a9d8eb8bdae6253081490bde34046fdbc966b3ffa5c1c51a508c50
  SHA512: 7492d78c2a2e61b3fc94c0780f88f0cfc0e51596e9c53111cba6e3af1faa403269dbdd247e80ed4de989152c3f5eff22fef812099c1f957f5e8bf10efed11f15
- Filesize: 72KB
  MD5: e050c36c631877f70478d3dee19e1f90
  SHA1: ade9528200d18a9ffc81960061921a9ee3bced07
  SHA256: c654099928ed37d1684fb2eec81d78bbac20d419de0d2292b1ef614fc1404890
  SHA512: 3f4fa826f1160da2a8c4d6fd8d35c69b8fbe0ef8e05453f161f3d207ad87bce44d530663950ac287757af808ab483ca54b23ebad3a62e319f6f0915c73b9adce
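The observables in this report (the hosts in the extracted config, the omsecor.exe drop paths under AppData\Roaming and SysWOW64 from the Signatures and Processes sections, the NLS\Language registry read, and the dropped-file SHA-256 hashes listed under Downloads) are enough for a first-pass hunt across endpoint and DNS telemetry. The Python below is an added example, not part of the tria.ge report and not the sandbox's or the malware's own code. It builds the IOC set from this page, parses a constructed key=value log format (every log line and timestamp is invented for the example), folds the WoW64 System32-to-SysWOW64 redirect visible in the process tree so either spelling of the drop path matches, and grades hits so that the low-signal registry read only corroborates the stronger host and hash matches.

```python
"""IOC sweep built from the Neconyd report above (added example, constructed log format)."""
import re

# Observables copied from the report. The config hosts are matched as exact
# names or as parent domains, so sub.lousta.net also hits.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
DROPPED_SHA256 = {
    "43d3e2ee9057a7588fb9511092d35a44974c5c54fdf1ff6f23e1d0acfd3231a3",
    "f58f47cad8a9d8eb8bdae6253081490bde34046fdbc966b3ffa5c1c51a508c50",
    "c654099928ed37d1684fb2eec81d78bbac20d419de0d2292b1ef614fc1404890",
}
DROP_NAME = "omsecor.exe"
DROP_DIRS = ("\\appdata\\roaming\\", "\\windows\\syswow64\\")   # paths are lower-cased first
NLS_LANGUAGE_KEY = "\\control\\nls\\language"                  # HKLM\SYSTEM\...\Control\NLS\Language

# Severity per IOC class: the NLS read alone is weak (plenty of benign software
# queries it), so it is only ever corroboration for the stronger hits.
SEVERITY = {"c2": "high", "hash": "high", "drop_path": "medium", "nls_read": "low"}

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse '<ts> <type> k=v k="v with spaces"' (constructed format) into a dict."""
    parts = line.strip().split(" ", 2)
    ev = {"ts": parts[0], "type": parts[1]}
    rest = parts[2] if len(parts) > 2 else ""
    for m in _KV.finditer(rest):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return ev


def normalize_path(path: str) -> str:
    """Lower-case and fold the WoW64 redirect: a 32-bit process that names
    System32 actually lands in SysWOW64, as the report's process tree shows."""
    return path.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def match_event(ev: dict) -> list[tuple[str, str]]:
    """Return (ioc_class, detail) pairs this one event hits; empty if clean."""
    hits = []
    kind = ev["type"]
    if kind == "dns":
        name = ev.get("query", "").lower().rstrip(".")
        if name in C2_HOSTS or any(name.endswith("." + h) for h in C2_HOSTS):
            hits.append(("c2", name))
    elif kind in ("file_create", "process_create"):
        path = normalize_path(ev.get("path", ""))
        # Require both the file name and one of the report's drop directories,
        # so an unrelated omsecor.exe under Program Files does not fire.
        if path.endswith("\\" + DROP_NAME) and any(d in path for d in DROP_DIRS):
            hits.append(("drop_path", path))
        sha = ev.get("sha256", "").lower()
        if sha in DROPPED_SHA256:
            hits.append(("hash", sha))
    elif kind == "reg_open":
        if ev.get("key", "").lower().endswith(NLS_LANGUAGE_KEY):
            hits.append(("nls_read", ev.get("process", "?")))
    return hits


def sweep(lines: list[str]) -> dict[str, list[tuple[str, str, str]]]:
    """Run every line through match_event and group hits by severity as
    (timestamp, ioc_class, detail)."""
    out = {"high": [], "medium": [], "low": []}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for cls, detail in match_event(ev):
            out[SEVERITY[cls]].append((ev["ts"], cls, detail))
    return out


# Constructed sample telemetry (not from the report); timestamps are invented.
SAMPLE_LOG = [
    '2025-01-27T02:09:40Z process_create path="C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe" pid=2008',
    '2025-01-27T02:09:41Z file_create path="C:\\Windows\\System32\\omsecor.exe" sha256=f58f47cad8a9d8eb8bdae6253081490bde34046fdbc966b3ffa5c1c51a508c50',
    '2025-01-27T02:09:42Z reg_open key="HKLM\\SYSTEM\\ControlSet001\\Control\\NLS\\Language" process=omsecor.exe',
    '2025-01-27T02:09:43Z dns query=ow5dirasuek.com',
    '2025-01-27T02:09:44Z dns query=cdn.lousta.net.',
    '2025-01-27T02:09:45Z dns query=www.microsoft.com',
    '2025-01-27T02:09:46Z file_create path="C:\\Program Files\\Vendor\\omsecor.exe" sha256=0000000000000000000000000000000000000000000000000000000000000000',
]

if __name__ == "__main__":
    for sev, hits in sweep(SAMPLE_LOG).items():
        for ts, cls, detail in hits:
            print(f"{sev:6} {ts} {cls:10} {detail}")
```

Hash and config-host hits are graded high; a path match alone is medium because a different program could carry the same file name; the NLS\Language read is low and is only worth escalating when it lands next to one of the others, as it does for every process in this report. Running the file directly prints the hits from the constructed sample, including the System32 drop matched through its SysWOW64 form and the subdomain of lousta.net.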