Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2025, 22:48

Static task: static1
Behavioral task: behavioral1
Sample: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Resource: win7-20240903-en
General
Target: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Size: 96KB
MD5: 8cf5d2de5a442b238701e0c509d5dbed
SHA1: 5621535b5949f5ab0b93de04939da73d4efb3720
SHA256: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b
SHA512: aec251a989d46f3cb7949574b0c46dce0ca003bab515c8b5cae44442411f0deb5d857ebe3a754439ef4aec15287c9367467c799fbeeb01a6216a58e4cbdba35c
SSDEEP: 1536:7nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:7Gs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
Extracted URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family
Executes dropped EXE (6 IoCs)
pid   Process
1988  omsecor.exe
2912  omsecor.exe
2228  omsecor.exe
1960  omsecor.exe
3016  omsecor.exe
2088  omsecor.exe
Loads dropped DLL (7 IoCs)
pid   Process
2904  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
2904  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
1988  omsecor.exe
2912  omsecor.exe
2912  omsecor.exe
1960  omsecor.exe
1960  omsecor.exe
Drops file in System32 directory (1 IoC)
File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
Suspicious use of SetThreadContext (4 IoCs)
PID 2816 set thread context of 2904 (process 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe, procid_target 30)
PID 1988 set thread context of 2912 (process omsecor.exe, procid_target 32)
PID 2228 set thread context of 1960 (process omsecor.exe, procid_target 36)
PID 3016 set thread context of 2088 (process omsecor.exe, procid_target 38)
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe (2 events)
  by omsecor.exe (6 events)
Suspicious use of WriteProcessMemory (36 IoCs)
PID 2816 wrote to memory of 2904 (process 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe, procid_target 30): 6 events
PID 2904 wrote to memory of 1988 (process 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe, procid_target 31): 4 events
PID 1988 wrote to memory of 2912 (process omsecor.exe, procid_target 32): 6 events
PID 2912 wrote to memory of 2228 (process omsecor.exe, procid_target 35): 4 events
PID 2228 wrote to memory of 1960 (process omsecor.exe, procid_target 36): 6 events
PID 1960 wrote to memory of 3016 (process omsecor.exe, procid_target 37): 4 events
PID 3016 wrote to memory of 2088 (process omsecor.exe, procid_target 38): 6 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe"
   PID: 2816
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe (child of 2816)
     Command line: C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
     PID: 2904
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 2904)
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 1988
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 1988)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2912
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe (child of 2912)
           Command line: C:\Windows\System32\omsecor.exe
           (The command line names System32, but the image that actually ran is C:\Windows\SysWOW64\omsecor.exe: the process is 32-bit on a 64-bit image, so WOW64 file-system redirection maps System32 to SysWOW64, which is also where the "Drops file in System32 directory" event above shows omsecor.exe being created.)
           PID: 2228
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe (child of 2228)
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 1960
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 1960)
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 3016
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of 3016)
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 2088
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
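The SetThreadContext and WriteProcessMemory tables above, read together with the process tree, describe a repeating pattern: each stage writes into a freshly started copy of its own image and then sets that copy's thread context, and every other stage instead starts a dropped omsecor.exe from a new path. The script below is an added example for this report, not code from tria.ge or from the sample. It parses the event rows exactly as tria.ge prints them, copies the PID-to-image map from the Processes tree, and reconstructs the chain. The hollowing heuristic it applies (parent writes into a child running the same image, then calls SetThreadContext on it) is this example's own assumption about how process hollowing shows up in sandbox telemetry; the report itself only lists the raw API events.

```python
"""Reconstruct the injection chain from tria.ge signature rows.

Added example for this report; not code from tria.ge or from the sample.
Event lines are copied from the 'Suspicious use of SetThreadContext' and
'Suspicious use of WriteProcessMemory' tables, the pid -> image map from the
'Processes' tree. The hollowing heuristic is an assumption of this example.
"""
import re
from collections import Counter

SAMPLE = "33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe"

# (event line, number of times it appears) from the WriteProcessMemory table: 36 events.
RAW_WRITES = [
    (f"PID 2816 wrote to memory of 2904 2816 {SAMPLE} 30", 6),
    (f"PID 2904 wrote to memory of 1988 2904 {SAMPLE} 31", 4),
    ("PID 1988 wrote to memory of 2912 1988 omsecor.exe 32", 6),
    ("PID 2912 wrote to memory of 2228 2912 omsecor.exe 35", 4),
    ("PID 2228 wrote to memory of 1960 2228 omsecor.exe 36", 6),
    ("PID 1960 wrote to memory of 3016 1960 omsecor.exe 37", 4),
    ("PID 3016 wrote to memory of 2088 3016 omsecor.exe 38", 6),
]
# The four SetThreadContext events, verbatim.
RAW_SETCTX = [
    f"PID 2816 set thread context of 2904 2816 {SAMPLE} 30",
    "PID 1988 set thread context of 2912 1988 omsecor.exe 32",
    "PID 2228 set thread context of 1960 2228 omsecor.exe 36",
    "PID 3016 set thread context of 2088 3016 omsecor.exe 38",
]
# Image path per PID, from the Processes tree.
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PROCESS_IMAGES = {
    2816: TEMP, 2904: TEMP, 1988: ROAMING, 2912: ROAMING,
    2228: SYSWOW64, 1960: SYSWOW64, 3016: ROAMING, 2088: ROAMING,
}

# Row layout: "PID <src> <action> <dst> <src> <image> <procid_target>".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_events(lines):
    """Return (src_pid, action, dst_pid) per row; rows that do not match the
    tria.ge layout are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"])))
    return events


EVENTS = parse_events([line for line, n in RAW_WRITES for _ in range(n)] + RAW_SETCTX)


def find_hollowing(events, images):
    """(src, dst, image, write_count) where src wrote into dst, then set dst's
    thread context, and both run the same image: the create-suspended /
    overwrite / SetThreadContext / resume sequence of process hollowing."""
    writes = Counter((s, d) for s, a, d in events if a == "wrote to memory of")
    ctx = {(s, d) for s, a, d in events if a == "set thread context of"}
    return [
        (s, d, images[d], writes[(s, d)])
        for s, d in sorted(ctx)
        if writes[(s, d)] and d in images and images.get(s) == images[d]
    ]


def stage_chain(events, images):
    """Walk WriteProcessMemory edges from the root and label each hop 'hollow'
    (same image plus SetThreadContext) or 'spawn' (a dropped copy started from
    a new path). Assumes one child per parent, as in this report."""
    child_of = {s: d for s, a, d in events if a == "wrote to memory of"}
    hollow = {(s, d) for s, d, _, _ in find_hollowing(events, images)}
    roots = [s for s in child_of if s not in child_of.values()]
    if not roots:
        return []
    chain, pid = [], roots[0]
    while pid in child_of:
        nxt = child_of[pid]
        kind = "hollow" if (pid, nxt) in hollow else "spawn"
        chain.append((pid, nxt, kind, images.get(nxt)))
        pid = nxt
    return chain


def drop_paths(chain):
    """Paths a new copy was started from: the locations to sweep on a host."""
    return sorted({img for _, _, kind, img in chain if kind == "spawn"})


if __name__ == "__main__":
    chain = stage_chain(EVENTS, PROCESS_IMAGES)
    for src, dst, kind, img in chain:
        print(f"{src} -> {dst}: {kind:6} {img}")
    print("drop paths:", drop_paths(chain))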
MITRE ATT&CK Enterprise v15
Downloads
Three dropped files, each 96KB, none with the same hash as the submitted sample:

Filesize: 96KB
MD5: e6582fd2a53dd0fd69a510709218210c
SHA1: 9d0785aab0572c6ad1f2c4ac05964cc3fde5b90c
SHA256: 2eefc66a4a30098447bae464b94a2ec1a8069309a2ac724dfa6146b9a00d7e5b
SHA512: 2e06bff8aa7a850336edc1ef3ce4cf7e11a776643c6bfd2999fbc5a06b1bdfc54ad7521b04fc240664e58c5e7a3c7f8eae907d56bb739e1dceac181771a180ae

Filesize: 96KB
MD5: caad36879b75e74be17248f1cb9199e8
SHA1: 09c99335e319934ea7ee19b05cac4a0742600c98
SHA256: 31d26a5e51a2de1e5c4c7e6fa80c2fe03f48732beebd3c5061f4b08a69a380b1
SHA512: 52daae954888cda25ce900709257a1876ff312d388b694a9b67858681c850bdbc02b18b097803fbf8c41f76d10cf08841a406f000217e384c5f9ba69461c4a6f

Filesize: 96KB
MD5: 04699e9bee90c5a22a8ffe52614c13ed
SHA1: 5f144820030a58e96cb24d091d10cd63eda2a3fd
SHA256: 61217beb0223f89bd5a224c5e41eadba013c32e9236caff3d720ed344b37d69c
SHA512: 2b229c38683c8a32c2270dc0edf7052869217ad3838546b11117c88062b698bcae76ecf0b704a7ada3dbbfa70dd041b292b76aff26a668dd19bdb077174c10db