Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2024, 01:28
Static task: static1
Behavioral task: behavioral1
Sample: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
Resource: win7-20240903-en
General
Target: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
Size: 96KB
MD5: fc3379caa1dd355cac67ab889cf00be0
SHA1: 08aa2dffa11f6f08947eceb663a5b86e7e33c851
SHA256: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6e
SHA512: 3f4427d91c4e9e0c41026a2f30b14c9aab26d109f9a49cd94814de2b512b1a25dda97ff7d02d09ddc24f4b36c94a170283f47ce6eebfc342dbce9a88b6d3e2b5
SSDEEP: 1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:zGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2180  omsecor.exe
  2268  omsecor.exe
  2672  omsecor.exe
  1152  omsecor.exe
  1512  omsecor.exe
  2152  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  1916  cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
  1916  cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
  2180  omsecor.exe
  2268  omsecor.exe
  2268  omsecor.exe
  1152  omsecor.exe
  1152  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2504 set thread context of 1916  2504  cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe  30
  PID 2180 set thread context of 2268  2180  omsecor.exe                                                              32
  PID 2672 set thread context of 1152  2672  omsecor.exe                                                              36
  PID 1512 set thread context of 2152  1512  omsecor.exe                                                              38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, count of repeats in the last column)
  description                        pid   Process                                                                  procid_target  repeats
  PID 2504 wrote to memory of 1916   2504  cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe  30             6
  PID 1916 wrote to memory of 2180   1916  cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe  31             4
  PID 2180 wrote to memory of 2268   2180  omsecor.exe                                                              32             6
  PID 2268 wrote to memory of 2672   2268  omsecor.exe                                                              35             4
  PID 2672 wrote to memory of 1152   2672  omsecor.exe                                                              36             6
  PID 1152 wrote to memory of 1512   1152  omsecor.exe                                                              37             4
  PID 1512 wrote to memory of 2152   1512  omsecor.exe                                                              38             6
Processes (depth in the tree given by the leading number; each process is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe"
   PID: 2504
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
     PID: 1916
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 2180
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2268
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 2672
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 1152
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 1512
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 2152
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 071eb921cf74bc413480e0c95069a0b5
  SHA1: 651fe962179b21a41fe2464255399df04d4e3f92
  SHA256: c748422eb6d5fbd179608e9291527b476f88811eea23b696beffe3c0b504c90f
  SHA512: 4e59561b2bf2af93ecb7495d01a03f4484fbf18e8c92cd9463e3054cf334cf9e6b3173aca8c677294b14c16904eed737bdd5d31784c463df0ee527d579b92b6d
- Filesize: 96KB
  MD5: 9c829acddbe710fa9790351ae009c8e4
  SHA1: b6813f826cc9543b86eb1487a463daa76a17c741
  SHA256: a39c4425f2431ea8c01762b917a777425b969639f741a2f4f36467b9bc1a3b90
  SHA512: 27d77bcccabd2ff0ddbb2b95180b2b16b1a33d604af141eaab7690ab993ee54eb2b70c33b3c70a0ebfaf2a5e899f660e830bb029ca0976fddaf18282e99cf5bb
- Filesize: 96KB
  MD5: 0ac8e88b3f07a962f1c1cc74b467db54
  SHA1: bfc5080b1d083f23ee0c8c54c86461d3e7fa3c84
  SHA256: 1d69537452e773f6fe334e8f1057ee6c565202b9d7fb7c0775d21083ddf2602f
  SHA512: 64766e44cef7e7d565dec7a2a897623685342e49e6228fdb5bfa16c45cb1a51aa9de04de83511cbe064df551ae735ebb68343b29f6777d99d189cced4e1526bc