Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11/12/2024, 22:42
Static task: static1
Behavioral task: behavioral1
Sample: 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
Resource: win7-20240708-en
General
Target: 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
Size: 96KB
MD5: 69dfdeca39d9c50c13a487d64817e3e6
SHA1: eacdde8c1248aca68d777f9994f2e0a04932c089
SHA256: 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641
SHA512: ff2b8bb45c5828acbff4e8af00259c4da4d197ea13a364701d5da82b0622fe6b5c2a1afe25ef0cede413252749d4f185d53ac673775397476ada3b90e0157c56
SSDEEP: 1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:AGs8cd8eXlYairZYqMddH13r
Malware Config
Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid | Process
  2788 | omsecor.exe
  1764 | omsecor.exe
  1464 | omsecor.exe
  2900 | omsecor.exe
  1944 | omsecor.exe
  2220 | omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  2716 | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
  2716 | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
  2788 | omsecor.exe
  1764 | omsecor.exe
  1764 | omsecor.exe
  2900 | omsecor.exe
  2900 | omsecor.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2680 set thread context of 2716 | 2680 | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe | 30
  PID 2788 set thread context of 1764 | 2788 | omsecor.exe | 32
  PID 1464 set thread context of 2900 | 1464 | omsecor.exe | 36
  PID 1944 set thread context of 2220 | 1944 | omsecor.exe | 38
- System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical rows grouped, count in the last column)
  description | pid | Process | procid_target | entries
  PID 2680 wrote to memory of 2716 | 2680 | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe | 30 | 6
  PID 2716 wrote to memory of 2788 | 2716 | 66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe | 31 | 4
  PID 2788 wrote to memory of 1764 | 2788 | omsecor.exe | 32 | 6
  PID 1764 wrote to memory of 1464 | 1764 | omsecor.exe | 35 | 4
  PID 1464 wrote to memory of 2900 | 1464 | omsecor.exe | 36 | 6
  PID 2900 wrote to memory of 1944 | 2900 | omsecor.exe | 37 | 4
  PID 1944 wrote to memory of 2220 | 1944 | omsecor.exe | 38 | 6
Processes (tree; the bracketed number is the nesting level)
[1] C:\Users\Admin\AppData\Local\Temp\66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe"
    PID: 2680
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\66319b5acaf19922c0f24db2948aed1cd2d6c27bb0b0dbf57dece7dad2bbf641.exe
      PID: 2716
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2788
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 1764
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 1464
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 2900
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 1944
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2220
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: e66d35e0820cb26ab9823fc37a89c943
  SHA1: 71a7b85880061c1a7194b97aed95543e2929cdd4
  SHA256: c51f5f3451574db95d5da9e5fd0523c9e1c8497b208678d694bcfecdc4b34498
  SHA512: 88dd3bc31c4d6c683e6dc5005e475497a6acbfbac1495b7a0ad9670ba4708c62cb64d683059f9db81f507dcd21979f6f7a286c25de883b989806224987330355
- Filesize: 96KB
  MD5: 98693b27d4793944e53fcddcfbbe3089
  SHA1: b5d8fa55084a09b2d17449203727a99be5915693
  SHA256: 8e9bf20696a86c86eb08b7404aa027e4bd8abafb37f30c412b6b04308358c865
  SHA512: ad4982417335be89c03beb606acfd8ae54f31e4d982fa8d6ca07c40d2428e022b8a4749c6d054112fdf1246e4a6a921cb0724b8fbf5a157d1ae57f9b5bb21ece
- Filesize: 96KB
  MD5: 69faedc7a1ed23ffe5eb647ad1274f65
  SHA1: 8d34b84997554004cdc9006667485f426bc3f955
  SHA256: 22ca5b26b7b396883ee287a9c622c25443e0326f704bb483a3ce2d305c8b7272
  SHA512: 4a14f2f3e558cdc0b67b3033537a8bab514af6b4ac161858f9b50537e148b94cff002f0fd4f13db4ce16b06d10e7103de3d7856ead17eea505a651bf9fac7958