Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/02/2025, 04:25
Behavioral task: behavioral1
Sample: ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Resource: win7-20241010-en
General
Target: ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Size: 65KB
MD5: e079554ae472591cfa93b55e24a35c22
SHA1: 25b557229676cabfce708cd879fea2ddb87e7ed7
SHA256: ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245
SHA512: c894860f4443486f6ea086bab4f0d13f20823228dfbe560a9fb409c575d1afff12ae42112078567aed450785b31f223e6d9ec7a85daaf626b0d02f5c7d54509c
SSDEEP: 1536:md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzF:edseIO+EZEyFjEOFqTiQmRHzF
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
PID   Process
2888  omsecor.exe
2976  omsecor.exe
3008  omsecor.exe

Loads dropped DLL (6 IoCs)
PID   Process
3064  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
3064  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
2888  omsecor.exe
2888  omsecor.exe
2976  omsecor.exe
2976  omsecor.exe

Drops file in System32 directory (1 IoC)
Description   IoC                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Description                       PID   Process                                                                   procid_target
PID 3064 wrote to memory of 2888  3064  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe  30
PID 3064 wrote to memory of 2888  3064  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe  30
PID 3064 wrote to memory of 2888  3064  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe  30
PID 3064 wrote to memory of 2888  3064  ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe  30
PID 2888 wrote to memory of 2976  2888  omsecor.exe                                                               33
PID 2888 wrote to memory of 2976  2888  omsecor.exe                                                               33
PID 2888 wrote to memory of 2976  2888  omsecor.exe                                                               33
PID 2888 wrote to memory of 2976  2888  omsecor.exe                                                               33
PID 2976 wrote to memory of 3008  2976  omsecor.exe                                                               34
PID 2976 wrote to memory of 3008  2976  omsecor.exe                                                               34
PID 2976 wrote to memory of 3008  2976  omsecor.exe                                                               34
PID 2976 wrote to memory of 3008  2976  omsecor.exe                                                               34
Processes

C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe (depth 1, PID 3064)
Command line: "C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2, PID 2888, parent PID 3064)
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe (depth 3, PID 2976, parent PID 2888)
    Command line: C:\Windows\System32\omsecor.exe
    (The command line names System32 while the image runs from SysWOW64: the 32-bit omsecor.exe is subject to WoW64 file-system redirection, which is also why the "Drops file in System32 directory" IoC shows the copy landing in C:\Windows\SysWOW64.)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4, PID 3008, parent PID 2976)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 65KB
MD5: ef881d20ff4bce9fa93c60f50ee93efb
SHA1: bb600a25a6a577706867a30764a516f2aad80585
SHA256: 6cf0d5bfdc75404b3b5bf4b3c965af1c727ef8fb51a70f539c4b298d56b6810b
SHA512: 5a79ce8848c626f636897f33320ecd6875dd17f1c54ab02a9ad43db0b6ffb353af455543eba879b3d545fb3b80375456664fc7a429c93f6ab01c514f6ea72961

Filesize: 65KB
MD5: 864e8c7d0f594659d80eb328f05bb986
SHA1: b587000e44a85a86d7d395c86c19a9b0e7b17eda
SHA256: dd9cd61f2636c681ce9e705f27472090c7e28ff0b6dde346b812417d3d90ddcf
SHA512: 46ddac90513ccfba5242403f848a63db4001dfa50b5df46019b794ab655007a111313c0aaf21e77f3866110ce7eed704ea426a5ace7e4616b75174bb220c821e

Filesize: 65KB
MD5: 76dc9ae69375d0c4fd5063b96745a420
SHA1: 3bcba33919f515b3c92e954844b00b893b8f75e2
SHA256: 67c58b2d0b3d23cdb758efeb81e5fad0775dee9edd4c2f6dd012383748a70bf6
SHA512: 9c672f978b7e414c70daf6d7dd2f02ac75826755c6b92846bdb9c0e89af935928beaab40bd77d7063b6af51aa54119bd179c59d94fe38209f49df7aecb8ef8c5
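Added example: a small host-hunting script that turns the indicators in this report (the AppData/SysWOW64 relaunch chain from the Processes section, the System32 drop, the config URLs, and the file hashes listed under Downloads) into checks that run over endpoint telemetry. It is not code from tria.ge or from the sample. The event records are constructed to resemble Sysmon process-create, file-create and DNS-query events; their field names (type, pid, ppid, image, target, sha256, query) and the pairing of dropped-file hashes with paths are assumptions made for this example.

```python
"""Host hunt for the Neconyd indicators in this report.

Added example, not code from tria.ge or from the sample. The event records
below are constructed to resemble Sysmon process-create, file-create and
DNS-query events; the field names (type, pid, ppid, image, target, sha256,
query) are an assumption for this example, not a real Sysmon/EDR schema.
"""
import re

# Hosts from the extracted malware config.
C2_DOMAINS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

# SHA256 of the submitted sample and of the three dropped 65KB copies.
KNOWN_SHA256 = {
    "ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245",
    "6cf0d5bfdc75404b3b5bf4b3c965af1c727ef8fb51a70f539c4b298d56b6810b",
    "dd9cd61f2636c681ce9e705f27472090c7e28ff0b6dde346b812417d3d90ddcf",
    "67c58b2d0b3d23cdb758efeb81e5fad0775dee9edd4c2f6dd012383748a70bf6",
}

# Copy locations from the process tree. The command line said System32 while
# the image ran from SysWOW64 (WoW64 file-system redirection for a 32-bit
# process), so both spellings are accepted.
APPDATA_COPY = re.compile(r"\\appdata\\roaming\\omsecor\.exe$", re.I)
SYSTEM_COPY = re.compile(r"\\(syswow64|system32)\\omsecor\.exe$", re.I)


def classify(image):
    """Return 'appdata', 'system' or None for an image path."""
    if APPDATA_COPY.search(image):
        return "appdata"
    if SYSTEM_COPY.search(image):
        return "system"
    return None


def hunt(events):
    """Apply the indicators to a list of event dicts; return what matched."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {"chains": [], "drops": [], "hashes": [], "c2": []}

    # The report's relaunch chain: AppData copy -> SysWOW64 copy -> AppData copy.
    for pid, e in procs.items():
        if classify(e["image"]) != "appdata":
            continue
        parent = procs.get(e["ppid"])
        if parent is None or classify(parent["image"]) != "system":
            continue
        grandparent = procs.get(parent["ppid"])
        if grandparent is not None and classify(grandparent["image"]) == "appdata":
            findings["chains"].append((grandparent["pid"], parent["pid"], pid))

    for e in events:
        # File written under SysWOW64/System32 with the dropper's name.
        if e["type"] == "file" and SYSTEM_COPY.search(e["target"]):
            findings["drops"].append((e["pid"], e["target"]))
        # Any event carrying a hash from the report.
        if e.get("sha256") in KNOWN_SHA256:
            findings["hashes"].append((e.get("image") or e.get("target"), e["sha256"]))
        # DNS lookups for the config hosts (trailing dot tolerated).
        if e["type"] == "dns" and e["query"].lower().rstrip(".") in C2_DOMAINS:
            findings["c2"].append((e["pid"], e["query"]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events mirroring the report's PIDs and tree, plus benign noise.
# Which dropped-file hash belongs to which path is not stated in the report;
# the assignment here is constructed for the example.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3064, "ppid": 1234, "image": SAMPLE,
     "sha256": "ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245"},
    {"type": "process", "pid": 2888, "ppid": 3064, "image": ROAMING,
     "sha256": "dd9cd61f2636c681ce9e705f27472090c7e28ff0b6dde346b812417d3d90ddcf"},
    {"type": "file", "pid": 2888, "target": SYSWOW64,
     "sha256": "6cf0d5bfdc75404b3b5bf4b3c965af1c727ef8fb51a70f539c4b298d56b6810b"},
    {"type": "process", "pid": 2976, "ppid": 2888, "image": SYSWOW64},
    {"type": "dns", "pid": 2976, "query": "lousta.net"},
    {"type": "process", "pid": 3008, "ppid": 2976, "image": ROAMING},
    {"type": "process", "pid": 4100, "ppid": 1234, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "dns", "pid": 4100, "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_EVENTS).items():
        print(kind, hits)
```

The chain check deliberately keys on the parent-child shape (user-writable copy, then a copy under the system directory, then the user-writable copy again) rather than on the hashes, since the three dropped files already differ from the submitted sample and from each other despite the identical 65KB size; the hash set is kept as a secondary, exact-match indicator.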