Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2025, 00:58
Behavioral task
- behavioral1
- Sample: 94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
- Resource: win7-20241010-en
General
- Target: 94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
- Size: 80KB
- MD5: 894262470ec2d9f77994e9f2bb2c4aa9
- SHA1: b8f803e1f56c5c15132414a12cc563459e178013
- SHA256: 94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209
- SHA512: 38eb54f81db4b0c9c84c3f1521ed976306de1ae0815a414fe3a8443aeb51867f52aaa84789fd074a3bb76c50d6163d057d98cd6b1e0a277171e84a55f9f68e98
- SSDEEP: 768:qfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:qfbIvYvZEyFKF6N4yS+AQmZTl/5S
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  pid   Process
  1428  omsecor.exe
  2448  omsecor.exe
  3016  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  572   94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
  572   94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
  1428  omsecor.exe
  1428  omsecor.exe
  2448  omsecor.exe
  2448  omsecor.exe
- Drops file in System32 directory (1 IoCs)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 572 wrote to memory of 1428    572   94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe    29
  PID 572 wrote to memory of 1428    572   94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe    29
  PID 572 wrote to memory of 1428    572   94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe    29
  PID 572 wrote to memory of 1428    572   94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe    29
  PID 1428 wrote to memory of 2448   1428  omsecor.exe                                                               31
  PID 1428 wrote to memory of 2448   1428  omsecor.exe                                                               31
  PID 1428 wrote to memory of 2448   1428  omsecor.exe                                                               31
  PID 1428 wrote to memory of 2448   1428  omsecor.exe                                                               31
  PID 2448 wrote to memory of 3016   2448  omsecor.exe                                                               32
  PID 2448 wrote to memory of 3016   2448  omsecor.exe                                                               32
  PID 2448 wrote to memory of 3016   2448  omsecor.exe                                                               32
  PID 2448 wrote to memory of 3016   2448  omsecor.exe                                                               32
Processes
- C:\Users\Admin\AppData\Local\Temp\94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe (PID 572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1428)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2448)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3016)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: ffb0f4b86444738207430d8528ef562c
  SHA1: 777c56ca752a12f579aebd23af7167e2a6041a6c
  SHA256: 51e43304828f368a1f432af4b5768229a968663bfa87f3550962f3a3aa838d31
  SHA512: d275c619a0b3bfef517e287837c0bd49975adf9c969a133f131e963d99601ff18b31c88ead061f6492a7371fff56054cae82748e60bf8d1965a267c9ade168cc
- Filesize: 80KB
  MD5: 2588aa549ec9376c08ad8bfa60751ada
  SHA1: faf51ca3d8152dff6eeda38c50b1b8dcb54d0940
  SHA256: e43b856bb073d6471caf1f020f55e53c626a24e21284d1f080e32e32298b1fed
  SHA512: 8acb573c30b86af1dcc7475eac8d66303cfc70413492f81bb2c9893e0afce23602f8ecda767680749ca5322aa2dced37ef1aff5896151736cc7cec0eeea13ba9
- Filesize: 80KB
  MD5: eb4b7c740b46d0d804ac29833f05d463
  SHA1: 9bf996ee7896b2dcd0d9415f3192fe6818e3564d
  SHA256: 4f1920bff6f0207a15082c50ff7d525a2279937bd6e595afe9d2aef7685dc423
  SHA512: 0f1e15bc9641ba5b8e14ff509939eca0dd00a669ed477c9c4da582d16f71fdf940c7b9189e2927dda81f7f492e1211e9a7e5248a9c1e372c10c91e368b4bd113