Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 116s
- max time network: 109s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 16/12/2024, 17:34
Static task: static1
Behavioral task: behavioral1
Sample: be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
Resource: win7-20241010-en
General
- Target: be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
- Size: 96KB
- MD5: 71d0aa24a8cba1e3a97e5becbaeb7f10
- SHA1: 48ef9b13d087d475e83b8a40c5eb939283117236
- SHA256: be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7
- SHA512: d0e46186a50abcce9392da20db2597c04ee3b47140c9c209e332ffac754896e76a2cb6c00882e53dc4b99d1e235d86a2e6d08efa11f750bb01e550b9460a80bb
- SSDEEP: 1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:0Gs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2476  omsecor.exe
  2936  omsecor.exe
  3012  omsecor.exe
  2352  omsecor.exe
  1836  omsecor.exe
  2108  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2300  be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
  2300  be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
  2476  omsecor.exe
  2936  omsecor.exe
  2936  omsecor.exe
  2352  omsecor.exe
  2352  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                            pid   Process                                                                   procid_target
  PID 1996 set thread context of 2300    1996  be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe   29
  PID 2476 set thread context of 2936    2476  omsecor.exe                                                               31
  PID 3012 set thread context of 2352    3012  omsecor.exe                                                               34
  PID 1836 set thread context of 2108    1836  omsecor.exe                                                               36
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical entries grouped, count in the last column)
  description                         pid   Process                                                                   procid_target  entries
  PID 1996 wrote to memory of 2300    1996  be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe   29             6
  PID 2300 wrote to memory of 2476    2300  be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe   30             4
  PID 2476 wrote to memory of 2936    2476  omsecor.exe                                                               31             6
  PID 2936 wrote to memory of 3012    2936  omsecor.exe                                                               33             4
  PID 3012 wrote to memory of 2352    3012  omsecor.exe                                                               34             6
  PID 2352 wrote to memory of 1836    2352  omsecor.exe                                                               35             4
  PID 1836 wrote to memory of 2108    1836  omsecor.exe                                                               36             6
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe (PID 1996)
  command line: "C:\Users\Admin\AppData\Local\Temp\be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe (PID 2300)
    command line: C:\Users\Admin\AppData\Local\Temp\be03c0941ff7e34645b4de85173550e6290d96d7de1004840b4a5e8233cf07e7N.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2476)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2936)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\omsecor.exe (PID 3012)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\omsecor.exe (PID 2352)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1836)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - [8] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2108)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: d43ac77cccdab3a8b2da27d4bd874ffa
  SHA1: 3ec336ef729af67a469b8fd182e2318d03c4099b
  SHA256: 8bbf974f9e91d3fbfd6c31e989ec19a750b9e868394ffa428034ec3727a001e4
  SHA512: ee7b0714cb8942d55fd8d484f95dc83f90c1462faf2ac5e5484f8505acdfa5916591645ecb54cd979a1d1950871a6fec67005891129f4189e3ce83cb830059fd
- Filesize: 96KB
  MD5: e022015098550d244e056595a94f6dc3
  SHA1: 8ee35f93ec8972e3be3a1b73fe776518e2b01a63
  SHA256: aff48614c0d0fa5348833bd6fa7508d10a8311193450ac547887bab41f9afff0
  SHA512: ba1aa41a870d80ee60d7eeb43e5ebdf973795be67c288161e6dbc78776fc720112b217fb3e4a635d1eb09ad4ec9c8d8eb37aeb981cdb25d8c6b537904f88d250
- Filesize: 96KB
  MD5: 60efd0d35fcb3b778f56f8077e3514f0
  SHA1: aed4635fdaa0dd314538b2891269076ac10c51ae
  SHA256: 877f3ff111b6e0dfd4e9623c76e58f6f91280baf2836b7a2476d9aa2420f4cea
  SHA512: 13bfac36a96bd86a72bbb0e2093df71ea9a413d83a5acfeaecc0de393dd41db29b7b3344d3b280d903dd28de290ded8d15b760c78d3603846d9c5c5f22114c41