Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02/01/2025, 00:21
Static task: static1
Behavioral task: behavioral1
Sample: 6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
Resource: win7-20241010-en
General
Target: 6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
Size: 96KB
MD5: 45ec69aea194e3c952bf2bb1e2831a13
SHA1: 23700639bd45852d86460434e69b1d73331c07f1
SHA256: 6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95
SHA512: e66ffcbaf83a8966e08dd3e2e0727caeac1df91b220841fb40a72a36dc538a28c79a45010582e7c31f62c7bcb078a347587396be8aa11b818ff1ef4d5b9e1920
SSDEEP: 1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:BGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
Family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2952  omsecor.exe
  2980  omsecor.exe
  2820  omsecor.exe
  1056  omsecor.exe
  2280  omsecor.exe
  2080  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2456  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
  2456  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
  2952  omsecor.exe
  2980  omsecor.exe
  2980  omsecor.exe
  1056  omsecor.exe
  1056  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2460 set thread context of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2952 set thread context of 2980  2952  omsecor.exe                                                               31
  PID 2820 set thread context of 1056  2820  omsecor.exe                                                               34
  PID 2280 set thread context of 2080  2280  omsecor.exe                                                               36
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2460 wrote to memory of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2460 wrote to memory of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2460 wrote to memory of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2460 wrote to memory of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2460 wrote to memory of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2460 wrote to memory of 2456  2460  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  29
  PID 2456 wrote to memory of 2952  2456  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  30
  PID 2456 wrote to memory of 2952  2456  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  30
  PID 2456 wrote to memory of 2952  2456  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  30
  PID 2456 wrote to memory of 2952  2456  6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe  30
  PID 2952 wrote to memory of 2980  2952  omsecor.exe                                                               31
  PID 2952 wrote to memory of 2980  2952  omsecor.exe                                                               31
  PID 2952 wrote to memory of 2980  2952  omsecor.exe                                                               31
  PID 2952 wrote to memory of 2980  2952  omsecor.exe                                                               31
  PID 2952 wrote to memory of 2980  2952  omsecor.exe                                                               31
  PID 2952 wrote to memory of 2980  2952  omsecor.exe                                                               31
  PID 2980 wrote to memory of 2820  2980  omsecor.exe                                                               33
  PID 2980 wrote to memory of 2820  2980  omsecor.exe                                                               33
  PID 2980 wrote to memory of 2820  2980  omsecor.exe                                                               33
  PID 2980 wrote to memory of 2820  2980  omsecor.exe                                                               33
  PID 2820 wrote to memory of 1056  2820  omsecor.exe                                                               34
  PID 2820 wrote to memory of 1056  2820  omsecor.exe                                                               34
  PID 2820 wrote to memory of 1056  2820  omsecor.exe                                                               34
  PID 2820 wrote to memory of 1056  2820  omsecor.exe                                                               34
  PID 2820 wrote to memory of 1056  2820  omsecor.exe                                                               34
  PID 2820 wrote to memory of 1056  2820  omsecor.exe                                                               34
  PID 1056 wrote to memory of 2280  1056  omsecor.exe                                                               35
  PID 1056 wrote to memory of 2280  1056  omsecor.exe                                                               35
  PID 1056 wrote to memory of 2280  1056  omsecor.exe                                                               35
  PID 1056 wrote to memory of 2280  1056  omsecor.exe                                                               35
  PID 2280 wrote to memory of 2080  2280  omsecor.exe                                                               36
  PID 2280 wrote to memory of 2080  2280  omsecor.exe                                                               36
  PID 2280 wrote to memory of 2080  2280  omsecor.exe                                                               36
  PID 2280 wrote to memory of 2080  2280  omsecor.exe                                                               36
  PID 2280 wrote to memory of 2080  2280  omsecor.exe                                                               36
  PID 2280 wrote to memory of 2080  2280  omsecor.exe                                                               36
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2460
  2. C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     PID: 2456
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID: 2952
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2980
        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
           PID: 2820
          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
             PID: 1056
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 2280
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
                 PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: ef41a2c1ab05878bea1e18732ad0d88c
  SHA1: b0f264b072b0dfc69cc3fb3117c0dfe20546d253
  SHA256: 4aa7d5c1f3b38284fd3f925de9595358cbc24e5c75c4f49c40c13eb8b92314c7
  SHA512: a945f005f985be3b24b9b6b81cabe77d42ccd586e8c1c5b2e12919b2c17e487295afeed19c2bf2005f4fae90deea3f6f25e7ad1c8a5efe66e3154e7fb0ba3ae8
- Filesize: 96KB
  MD5: 88d6414aa6867b7da027e3496160fb7d
  SHA1: 1bdfb04b9178812578e1a517decf66f27da75494
  SHA256: c68d95abba7ae2eacf469ff26cec3fb637fa592aa94187ac2b995f657ef5777d
  SHA512: a3ac2e5be84a41f5d76c9514b23dc615c0d0e13df252ecd7e6354d20530768f9ed49b255895ae6df584f83f14cfae540587b528522f084cb2b1662d92be3c577
- Filesize: 96KB
  MD5: e1d746fb699b33c99873c65e18a65d8d
  SHA1: 79220c955d97700d0c1db6fdcc7145a38dba01ce
  SHA256: 002cf81354e867f108af8bad8ecfc1405c9d49feb56a36438f10e97a20d9652e
  SHA512: 57355bf326db4dfedc07a61eb34e5771f49f070740388de44d6154bf322e0ad5fa012b467103a08a9194efdd889301665dc8014b08f3f7828a99ed12e739b0c3