Analysis
Max time kernel: 146s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 17/12/2024, 02:06
Static task: static1
Behavioral task: behavioral1
Sample: b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
Resource: win7-20240903-en
General
Target: b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
Size: 134KB
MD5: b94b47d7d5e2f2ebfe6016e80093b3ca
SHA1: a6710d18bc197b67b0f43e9f1781ac52ff263466
SHA256: b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d
SHA512: 3e13700b76190934efacde18628621d6438bcb249b54c214fd14606785357018e8a12a57438602357034b4bb59d4b992184e9306238ce805382ced26ae990efc
SSDEEP: 1536:qDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:MiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted family: neconyd
Extracted URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid | Process
  2304 | omsecor.exe
  1792 | omsecor.exe
  1784 | omsecor.exe
  2060 | omsecor.exe
  1544 | omsecor.exe
  2660 | omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  1988 | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
  1988 | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
  2304 | omsecor.exe
  1792 | omsecor.exe
  1792 | omsecor.exe
  2060 | omsecor.exe
  2060 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2084 set thread context of 1988 | 2084 | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe | 31
  PID 2304 set thread context of 1792 | 2304 | omsecor.exe | 33
  PID 1784 set thread context of 2060 | 1784 | omsecor.exe | 36
  PID 1544 set thread context of 2660 | 1544 | omsecor.exe | 38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical repeated events collapsed, event count in parentheses)
  description | pid | Process | procid_target
  PID 2084 wrote to memory of 1988 (6 events) | 2084 | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe | 31
  PID 1988 wrote to memory of 2304 (4 events) | 1988 | b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe | 32
  PID 2304 wrote to memory of 1792 (6 events) | 2304 | omsecor.exe | 33
  PID 1792 wrote to memory of 1784 (4 events) | 1792 | omsecor.exe | 35
  PID 1784 wrote to memory of 2060 (6 events) | 1784 | omsecor.exe | 36
  PID 2060 wrote to memory of 1544 (4 events) | 2060 | omsecor.exe | 37
  PID 1544 wrote to memory of 2660 (6 events) | 1544 | omsecor.exe | 38
Processes (process tree; each level is a child of the one above)
1. C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe"
   PID: 2084
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\b1eb0786518247adf3e6e612ea69e7677036d4004b61496680626e058e495a2d.exe
     PID: 1988
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 2304
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 1792
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 1784
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 2060
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 1544
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 2660
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 134KB
  MD5: e23920203856afadcb9d673c4e798a11
  SHA1: 0dbb4ef848104324903578c0cda156c79ad7aa57
  SHA256: c15af5504c71a3b7e787e098871303c1b0458a298465cfe7a7cd97b7fec1a6e5
  SHA512: 8d55033484381a0390e9bcfc216bd516f1b4fd4b70f7296e776819144738fe6a969479e232e286b126720f03a0428a88c570a2dfd13cc379bdb6b5ddd432842d
- Filesize: 134KB
  MD5: 49a68460d7fd5ee29cbf699f2284316d
  SHA1: aaafdea4362b927cdfb719f8da57267d079caa3d
  SHA256: 7ed69487cbf8e0478c8d4bd9690fd89ab88310c50b7d4c133a0efbaeeb59f580
  SHA512: 818f8f1462ebe001fcd92d84d78ec59f70f539fee9581c433399aa002b4d1aff49cbb4b3195029438accc8719e5ef42eb1168eff3d13e4eec6d4a19505dee0f7
- Filesize: 134KB
  MD5: ee0271f7abc380109206a64454a57df4
  SHA1: 409f209d3369b6a4370c147b101c5011f5b2a451
  SHA256: 3da57c9f50cc96fa55512fc7ec1817549600d2f4071e3097c29a683f8b3c5b68
  SHA512: d5eeabbfd895b21e21da8345bbbc75865da188c880f9637ea0dcbd8ffc4899732670b314a4e2d2d76879d6a1cf24053303a66af490c38e1df63fbd6d40c41739