Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 09/01/2025, 22:45
Static task
static1
Behavioral task
behavioral1
Sample
33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Resource
win7-20240729-en
General
Target: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Size: 96KB
MD5: 8cf5d2de5a442b238701e0c509d5dbed
SHA1: 5621535b5949f5ab0b93de04939da73d4efb3720
SHA256: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b
SHA512: aec251a989d46f3cb7949574b0c46dce0ca003bab515c8b5cae44442411f0deb5d857ebe3a754439ef4aec15287c9367467c799fbeeb01a6216a58e4cbdba35c
SSDEEP: 1536:7nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:7Gs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE 6 IoCs
pid Process
2552 omsecor.exe
2876 omsecor.exe
1964 omsecor.exe
2812 omsecor.exe
1428 omsecor.exe
2936 omsecor.exe
Loads dropped DLL 7 IoCs
pid Process
3016 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
3016 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
2552 omsecor.exe
2876 omsecor.exe
2876 omsecor.exe
2812 omsecor.exe
2812 omsecor.exe
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target
PID 1164 set thread context of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 2552 set thread context of 2876 2552 omsecor.exe 31
PID 1964 set thread context of 2812 1964 omsecor.exe 34
PID 1428 set thread context of 2936 1428 omsecor.exe 36
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target
PID 1164 wrote to memory of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 1164 wrote to memory of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 1164 wrote to memory of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 1164 wrote to memory of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 1164 wrote to memory of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 1164 wrote to memory of 3016 1164 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 29
PID 3016 wrote to memory of 2552 3016 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 30
PID 3016 wrote to memory of 2552 3016 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 30
PID 3016 wrote to memory of 2552 3016 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 30
PID 3016 wrote to memory of 2552 3016 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe 30
PID 2552 wrote to memory of 2876 2552 omsecor.exe 31
PID 2552 wrote to memory of 2876 2552 omsecor.exe 31
PID 2552 wrote to memory of 2876 2552 omsecor.exe 31
PID 2552 wrote to memory of 2876 2552 omsecor.exe 31
PID 2552 wrote to memory of 2876 2552 omsecor.exe 31
PID 2552 wrote to memory of 2876 2552 omsecor.exe 31
PID 2876 wrote to memory of 1964 2876 omsecor.exe 33
PID 2876 wrote to memory of 1964 2876 omsecor.exe 33
PID 2876 wrote to memory of 1964 2876 omsecor.exe 33
PID 2876 wrote to memory of 1964 2876 omsecor.exe 33
PID 1964 wrote to memory of 2812 1964 omsecor.exe 34
PID 1964 wrote to memory of 2812 1964 omsecor.exe 34
PID 1964 wrote to memory of 2812 1964 omsecor.exe 34
PID 1964 wrote to memory of 2812 1964 omsecor.exe 34
PID 1964 wrote to memory of 2812 1964 omsecor.exe 34
PID 1964 wrote to memory of 2812 1964 omsecor.exe 34
PID 2812 wrote to memory of 1428 2812 omsecor.exe 35
PID 2812 wrote to memory of 1428 2812 omsecor.exe 35
PID 2812 wrote to memory of 1428 2812 omsecor.exe 35
PID 2812 wrote to memory of 1428 2812 omsecor.exe 35
PID 1428 wrote to memory of 2936 1428 omsecor.exe 36
PID 1428 wrote to memory of 2936 1428 omsecor.exe 36
PID 1428 wrote to memory of 2936 1428 omsecor.exe 36
PID 1428 wrote to memory of 2936 1428 omsecor.exe 36
PID 1428 wrote to memory of 2936 1428 omsecor.exe 36
PID 1428 wrote to memory of 2936 1428 omsecor.exe 36
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1164

Level 2: C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3016

Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2552

Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2876

Level 5: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1964

Level 6: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2812

Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1428

Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 96KB
MD5: e6582fd2a53dd0fd69a510709218210c
SHA1: 9d0785aab0572c6ad1f2c4ac05964cc3fde5b90c
SHA256: 2eefc66a4a30098447bae464b94a2ec1a8069309a2ac724dfa6146b9a00d7e5b
SHA512: 2e06bff8aa7a850336edc1ef3ce4cf7e11a776643c6bfd2999fbc5a06b1bdfc54ad7521b04fc240664e58c5e7a3c7f8eae907d56bb739e1dceac181771a180ae

Filesize: 96KB
MD5: 4321ddd4d771eabc4b55d43d53a96550
SHA1: c5916542aacd25337befc660a6e50e3e9ba13f62
SHA256: d33349a1f291d060372509f903803bdf7323f01187f17276dd53b058f9871f1c
SHA512: 65f4f7ab957c5b41a5f9abebbfa814afaf1bc0125b2944732b4006a7881f4b4abfc9e45249ce5cea305b7925827e31fa077a0770bc96413d1cd566deeacfe36f

Filesize: 96KB
MD5: 2b74deb9e19b361f8a47577dd4a8effd
SHA1: 1bc4302eeea400a858651df57f79b1d5939af43d
SHA256: 8386806c972595cf57898a5be12e2d11e6301b5df892c27b5893b3245d796f99
SHA512: 7c19e22966f2142c38adb156903443ccc242a0bb0dcdfe545f2bb653a8011546b0f5d3bdcfe69ce1b2a48de8244e359c915276db04439f285a7f2c7c4ea0d571