Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
28/01/2025, 04:51
Behavioral task
behavioral1
Sample
eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
Resource
win7-20240708-en
General
-
Target
eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
-
Size
88KB
-
MD5
ba22eee6c9fb329301817a2ecc56e943
-
SHA1
bdd2a764fcbf8c16671c4997be14c013fb30f5be
-
SHA256
eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827
-
SHA512
73e46feb3babfae0ff107fe83f23ee9dfc013e74327df61f20c596f820d6568013343c4db07ffa77716d79102e6420af1756a172c8938f3caedd6e7b0975634a
-
SSDEEP
1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5Z:2dseIOMEZEyFjEOFqTiQm5l/5Z
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
pid   Process
2216  omsecor.exe
984   omsecor.exe
2708  omsecor.exe
-
Loads dropped DLL 6 IoCs
pid   Process
2180  eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
2180  eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
2216  omsecor.exe
2216  omsecor.exe
984   omsecor.exe
984   omsecor.exe
-
Drops file in System32 directory 1 IoCs
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                  pid   Process                                                                procid_target
PID 2180 wrote to memory of  2216  eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe  30
PID 2180 wrote to memory of  2216  eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe  30
PID 2180 wrote to memory of  2216  eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe  30
PID 2180 wrote to memory of  2216  eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe  30
PID 2216 wrote to memory of  984   omsecor.exe                                                            33
PID 2216 wrote to memory of  984   omsecor.exe                                                            33
PID 2216 wrote to memory of  984   omsecor.exe                                                            33
PID 2216 wrote to memory of  984   omsecor.exe                                                            33
PID 984 wrote to memory of   2708  omsecor.exe                                                            34
PID 984 wrote to memory of   2708  omsecor.exe                                                            34
PID 984 wrote to memory of   2708  omsecor.exe                                                            34
PID 984 wrote to memory of   2708  omsecor.exe                                                            34
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2180
  [2] C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2216
    [3] C:\Windows\SysWOW64\omsecor.exe
        Command line: C:\Windows\System32\omsecor.exe
        (32-bit image; the System32 path in the command line is redirected to SysWOW64 by WOW64 file system redirection)
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 984
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2708
-
-
-
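The process chain in this report can be rebuilt mechanically from the WriteProcessMemory rows, which is useful when triaging many Neconyd reports at once. The following is an added example in Python; it is not part of the tria.ge report or of the sample. The row text and the PID-to-image mapping are copied from this report; the parser, the directory-classification heuristic and the helper names (parse_parents, chain_from, relaunch_hops) are my own. It rebuilds the parent/child chain and flags the pattern visible above: the same binary name (omsecor.exe) re-executing alternately from a user-writable directory and SysWOW64.

```python
import re

# WriteProcessMemory rows, copied from the report's signature table. The sandbox
# logs the same cross-process write several times, so edges are de-duplicated.
WPM_ROWS = """
PID 2180 wrote to memory of 2216 2180 eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe 30
PID 2180 wrote to memory of 2216 2180 eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe 30
PID 2216 wrote to memory of 984 2216 omsecor.exe 33
PID 2216 wrote to memory of 984 2216 omsecor.exe 33
PID 984 wrote to memory of 2708 984 omsecor.exe 34
PID 984 wrote to memory of 2708 984 omsecor.exe 34
"""

# Image path per PID, copied from the report's process tree.
PROCESSES = {
    2180: r"C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe",
    2216: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    984:  r"C:\Windows\SysWOW64\omsecor.exe",
    2708: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# Row layout: "PID <writer> wrote to memory of <target> <writer> <process> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_parents(rows):
    """Map each written-to PID to the PID that wrote into it (first edge wins)."""
    parents = {}
    for line in rows.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        parents.setdefault(target, writer)
    return parents


def chain_from(root, parents):
    """Depth-first order of PIDs reachable from root; the seen-set guards against
    cycles so a malformed report cannot make this loop forever."""
    children = {}
    for child, parent in parents.items():
        children.setdefault(parent, []).append(child)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return order


def location(path):
    """Coarse classification of where an image lives (heuristic, my own)."""
    p = path.lower()
    if "\\appdata\\" in p or "\\temp\\" in p:
        return "user-writable"
    if "\\windows\\syswow64\\" in p or "\\windows\\system32\\" in p:
        return "system"
    return "other"


def relaunch_hops(chain, procs):
    """Return (basename, from_location, to_location) for each consecutive pair in the
    chain where the same binary name re-executes from a different directory class."""
    hops = []
    for parent, child in zip(chain, chain[1:]):
        pp, cp = procs[parent], procs[child]
        pn, cn = pp.rsplit("\\", 1)[-1].lower(), cp.rsplit("\\", 1)[-1].lower()
        if pn == cn and location(pp) != location(cp):
            hops.append((pn, location(pp), location(cp)))
    return hops


if __name__ == "__main__":
    parents = parse_parents(WPM_ROWS)
    chain = chain_from(2180, parents)
    for depth, pid in enumerate(chain):
        print("  " * depth + f"[{pid}] {PROCESSES[pid]}")
    for name, src, dst in relaunch_hops(chain, PROCESSES):
        print(f"re-launch hop: {name} {src} -> {dst}")
```

Run against this report the script prints the four-process chain and two hops (Roaming to SysWOW64, then SysWOW64 back to Roaming). On a different report only the two copied tables need replacing; the logic does not depend on the PIDs.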
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
88KB
MD5 daf5883ff36c6070c70c2325e4979aef
SHA1 1c52885a8a0ac5e145f50a9c934f97a69e981c52
SHA256 05f91406cb47d7d77198e598b71b254a074c79d20dfd2184efa566eb4116a272
SHA512 6ffbc858b36ff5b65b6defb55d7677ad1b9355a0e6f6599c4d7aec6da665631aa272c7f31b6c1402efd8d4d3b212e53fae9392127bec6db5b24112aed1824a0e
-
Filesize
88KB
MD5 8f5453a775864fa7714ca82526218077
SHA1 01f609b318c40083bc700d54f3298b6dd9996771
SHA256 de627601e0045a39e1455f7f8888875c1b15d2ec210aec7605b0fc35a26b4933
SHA512 2be67f7132f928f86444e05b14d15072a6ecd6761b3ff538836d51a8178b683edd14c0a9b1257254927ac0f3c3d80c0547ad071689f289c57af8ab1992492c7d
-
Filesize
88KB
MD5 30b451959777e513d94e32450b5deb33
SHA1 86f1b0293a5fdbdb2fddee5ec94a90c63292cf95
SHA256 b345909d70df443fda0627667e5ac91049069b3b58cde89f846d3fc406ab02ac
SHA512 8310df3b510968fb46112332d4984a02f9f9fc1e0d7b8a3e0c3135c494a7020e43b09c2ab2e9c3f4a314ed385532798c0cfba98bc1b334fa49f70c30215a1e22