Analysis
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/12/2024, 20:00
Static task: static1
Behavioral task: behavioral1
Sample: 19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
Resource: win7-20241010-en
General
Target: 19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
Size: 96KB
MD5: 04b6069c77fed76c7be2a0c8e8f5d31c
SHA1: 1154753584936c70bb37eeab1d8b8ec6aeed1721
SHA256: 19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33
SHA512: 91fe0dcb515cb04e0a829c25cddf10e15491f64fc419bfa45ffbac1402f5779926720cadb7629808990c1f16d36b3f257034d9d832c31cf3274d3be10e2385c0
SSDEEP: 1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:jGs8cd8eXlYairZYqMddH13O
Malware Config
Extracted
Family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  1632  omsecor.exe
  2952  omsecor.exe
  2132  omsecor.exe
  2036  omsecor.exe
  908   omsecor.exe
  2464  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2572  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
  2572  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
  1632  omsecor.exe
  2952  omsecor.exe
  2952  omsecor.exe
  2036  omsecor.exe
  2036  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2340 set thread context of 2572  2340  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe  29
  PID 1632 set thread context of 2952  1632  omsecor.exe                                                               31
  PID 2132 set thread context of 2036  2132  omsecor.exe                                                               34
  PID 908 set thread context of 2464   908   omsecor.exe                                                               36
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical entries grouped, count in the last column)
  description                       pid   Process                                                                   procid_target  entries
  PID 2340 wrote to memory of 2572  2340  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe  29             6
  PID 2572 wrote to memory of 1632  2572  19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe  30             4
  PID 1632 wrote to memory of 2952  1632  omsecor.exe                                                               31             6
  PID 2952 wrote to memory of 2132  2952  omsecor.exe                                                               33             4
  PID 2132 wrote to memory of 2036  2132  omsecor.exe                                                               34             6
  PID 2036 wrote to memory of 908   2036  omsecor.exe                                                               35             4
  PID 908 wrote to memory of 2464   908   omsecor.exe                                                               36             6
Processes (tree; each entry lists the image path, the command line as recorded, the PID, and the signatures hit)
- C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe (PID 2340)
  command line: "C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe (PID 2572)
    command line: C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1632)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2952)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 2132)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 2036)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 908)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2464)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: e678be7f39536f4d6a8aec90c0b1b247
  SHA1: 6de6975a9b87a1f566afbb15eed1e6d9462e4629
  SHA256: 805a77fb8e6f5b0cb0df4f89649224aacb937a9178be576a27553d6558f88ca2
  SHA512: 17eea96040be28e169869b3be0c81d65eec32d14c0c0645ca1574ee9e3b74f5cc79b7987b2234e399dec0514a8d1ed5f54c84e741488e72e243609e4f75321f2
- Filesize: 96KB
  MD5: c746ce0ecb66b122a0dd555e7c0d3c31
  SHA1: 2d4edf0e01816a46d20cc9c9e2b2fefce29f1850
  SHA256: e7e14458cba80e180d5257529ffa410d2903a25c353a04041abae94a6b48c075
  SHA512: 647410e543329848cb63faaba3b7b4159922649dfd575b8da2c6e82be72026a74ad4b0133d62a62702b46c1dd9b89de169d1ae67dfe0e8a19222f9f4f369de6e
- Filesize: 96KB
  MD5: 181c75c279be34b4d35a1b2074881ad3
  SHA1: 7176eea8f16a41f09473b8e1d791a166a967874d
  SHA256: c1b25d2c2bba74769493173f4a50591385f1ce0fac4dc6b7b9bf32d46ad8739e
  SHA512: 039a488a47617f90a6b05c88ac515216653c4eef4c19698c273b339ef504d5ccf7ae5b11a0960d35462680e1fbf1ceedb93c8bf286aed9e49749bee46479b525