Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/12/2024, 06:37
Static task: static1
Behavioral task: behavioral1
Sample: 15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Resource: win7-20240903-en
General

Target: 15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Size: 96KB
MD5: 6a80607d407893f9d45f48c152454f10
SHA1: 977bc4c2f53cd5009d7945a1aaefd40109cf4cdc
SHA256: 15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29
SHA512: 3c7f553b0037820a70dacfeb6b1f33dea8db544e65b98b61bd94cf116bba90fc150563458795fe99440aeeb61d8f8bca8291de215d94c429f534ae24c6ea2029
SSDEEP: 1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:DGs8cd8eXlYairZYqMddH137
Malware Config

Extracted (family: neconyd):
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)
PID   Process
2720  omsecor.exe
840   omsecor.exe
588   omsecor.exe
2028  omsecor.exe
2376  omsecor.exe
1876  omsecor.exe
- Loads dropped DLL (7 IoCs)
PID   Process
2668  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
2668  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
2720  omsecor.exe
840   omsecor.exe
840   omsecor.exe
2028  omsecor.exe
2028  omsecor.exe
- Drops file in System32 directory (1 IoC)
Description   IoC                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
Description                           PID   Process                                                                 procid_target
PID 2700 set thread context of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2720 set thread context of 840    2720  omsecor.exe                                                             32
PID 588 set thread context of 2028    588   omsecor.exe                                                             35
PID 2376 set thread context of 1876   2376  omsecor.exe                                                             37
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
Description                        PID   Process                                                                 procid_target
PID 2700 wrote to memory of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2700 wrote to memory of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2700 wrote to memory of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2700 wrote to memory of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2700 wrote to memory of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2700 wrote to memory of 2668   2700  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  30
PID 2668 wrote to memory of 2720   2668  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  31
PID 2668 wrote to memory of 2720   2668  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  31
PID 2668 wrote to memory of 2720   2668  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  31
PID 2668 wrote to memory of 2720   2668  15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe  31
PID 2720 wrote to memory of 840    2720  omsecor.exe                                                             32
PID 2720 wrote to memory of 840    2720  omsecor.exe                                                             32
PID 2720 wrote to memory of 840    2720  omsecor.exe                                                             32
PID 2720 wrote to memory of 840    2720  omsecor.exe                                                             32
PID 2720 wrote to memory of 840    2720  omsecor.exe                                                             32
PID 2720 wrote to memory of 840    2720  omsecor.exe                                                             32
PID 840 wrote to memory of 588     840   omsecor.exe                                                             34
PID 840 wrote to memory of 588     840   omsecor.exe                                                             34
PID 840 wrote to memory of 588     840   omsecor.exe                                                             34
PID 840 wrote to memory of 588     840   omsecor.exe                                                             34
PID 588 wrote to memory of 2028    588   omsecor.exe                                                             35
PID 588 wrote to memory of 2028    588   omsecor.exe                                                             35
PID 588 wrote to memory of 2028    588   omsecor.exe                                                             35
PID 588 wrote to memory of 2028    588   omsecor.exe                                                             35
PID 588 wrote to memory of 2028    588   omsecor.exe                                                             35
PID 588 wrote to memory of 2028    588   omsecor.exe                                                             35
PID 2028 wrote to memory of 2376   2028  omsecor.exe                                                             36
PID 2028 wrote to memory of 2376   2028  omsecor.exe                                                             36
PID 2028 wrote to memory of 2376   2028  omsecor.exe                                                             36
PID 2028 wrote to memory of 2376   2028  omsecor.exe                                                             36
PID 2376 wrote to memory of 1876   2376  omsecor.exe                                                             37
PID 2376 wrote to memory of 1876   2376  omsecor.exe                                                             37
PID 2376 wrote to memory of 1876   2376  omsecor.exe                                                             37
PID 2376 wrote to memory of 1876   2376  omsecor.exe                                                             37
PID 2376 wrote to memory of 1876   2376  omsecor.exe                                                             37
PID 2376 wrote to memory of 1876   2376  omsecor.exe                                                             37
Processes

Process tree (each entry is a child of the one above it; the level number is the nesting depth)

Level 1: C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe"
PID: 2700
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Command line: C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
PID: 2668
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 2720
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 840
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe
PID: 588
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\SysWOW64\omsecor.exe
PID: 2028
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 2376
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 1876
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads