Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel:   140s
  max time network:  130s
  platform:          windows7_x64
  resource:          win7-20241023-en
  resource tags:     arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  submitted:         10/01/2025, 03:12

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
    Resource:        win7-20241023-en
General
  Target:  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
  Size:    96KB
  MD5:     91de4d3077d1c1beab2298acba54cab6
  SHA1:    ae455abf836a7955ec04d529f99fe68e10556d6d
  SHA256:  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1
  SHA512:  d655e8c4b8164bf5d6366839be8dd22e3949ffe2edd61607134f8c0b0c8f7f518c1f03bf01f5593c3160a93296afa717a6dff9ac7518331be46776c6c496b9d4
  SSDEEP:  1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L
Malware Config
  Extracted
    family: neconyd
    URLs:
      http://ow5dirasuek.com/
      http://mkkuei4kdsz.com/
      http://lousta.net/
Signatures
  Neconyd family

  Executes dropped EXE (6 IoCs)
    pid   process
    1264  omsecor.exe
    2008  omsecor.exe
    532   omsecor.exe
    2028  omsecor.exe
    1604  omsecor.exe
    2276  omsecor.exe

  Loads dropped DLL (7 IoCs)
    pid   process
    2632  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
    2632  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
    1264  omsecor.exe
    2008  omsecor.exe
    2008  omsecor.exe
    2028  omsecor.exe
    2028  omsecor.exe

  Drops file in System32 directory (1 IoC)
    description   ioc                              process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

  Suspicious use of SetThreadContext (4 IoCs)
    description                          pid   process                                                                 procid_target
    PID 1832 set thread context of 2632  1832  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe   30
    PID 1264 set thread context of 2008  1264  omsecor.exe                                                             32
    PID 532 set thread context of 2028   532   omsecor.exe                                                             36
    PID 1604 set thread context of 2276  1604  omsecor.exe                                                             38
    Each target is a child running the same image as its parent (see the process tree), and the same parent appears in the WriteProcessMemory rows below writing into that child: a freshly spawned copy of the malware's own binary has its memory overwritten and its thread redirected, which is the process-hollowing shape these two signatures are flagging together.

  System Location Discovery: System Language Discovery (1 TTP, 8 IoCs; ATT&CK T1614.001)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe

  Suspicious use of WriteProcessMemory (36 IoCs; the report lists identical rows repeatedly, collapsed here with the repeat count in the last column)
    description                       pid   process                                                                 procid_target  rows
    PID 1832 wrote to memory of 2632  1832  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe   30             6
    PID 2632 wrote to memory of 1264  2632  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe   31             4
    PID 1264 wrote to memory of 2008  1264  omsecor.exe                                                             32             6
    PID 2008 wrote to memory of 532   2008  omsecor.exe                                                             35             4
    PID 532 wrote to memory of 2028   532   omsecor.exe                                                             36             6
    PID 2028 wrote to memory of 1604  2028  omsecor.exe                                                             37             4
    PID 1604 wrote to memory of 2276  1604  omsecor.exe                                                             38             6
    The six-row writes go into the process that then receives SetThreadContext; the four-row writes go from a hollowed child into the next dropped omsecor.exe it launches.
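Rebuilding the injection chain from the signature rows above, as an added example that is not part of the Triage report: the SetThreadContext rows, the WriteProcessMemory rows and the pid-to-image map are transcribed from this page; the edge classification (a write followed by a thread-context switch into a child running the same image is a hollow, any other write is a hand-off to the next stage) and the function names are assumptions of this example, not anything Triage exposes.

```python
"""Rebuild the injection chain from the Triage signature rows on this page.

Added example; the rows and the pid->image map are transcribed from the report,
the classification logic and function names are assumptions of this example.
"""
from collections import Counter

SAMPLE = "7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\"
SYSWOW64 = "C:\\Windows\\SysWOW64\\"

# "PID a set thread context of b" rows.
SET_THREAD_CONTEXT = [(1832, 2632), (1264, 2008), (532, 2028), (1604, 2276)]

# "PID a wrote to memory of b" rows, one tuple per row including the repeats.
WRITE_PROCESS_MEMORY = (
    [(1832, 2632)] * 6 + [(2632, 1264)] * 4 + [(1264, 2008)] * 6
    + [(2008, 532)] * 4 + [(532, 2028)] * 6 + [(2028, 1604)] * 4
    + [(1604, 2276)] * 6
)

# pid -> image path from the process tree (image path, not command line:
# pid 532's command line says System32 but its image lives in SysWOW64).
IMAGE = {
    1832: TEMP + SAMPLE, 2632: TEMP + SAMPLE,
    1264: ROAMING + "omsecor.exe", 2008: ROAMING + "omsecor.exe",
    532: SYSWOW64 + "omsecor.exe", 2028: SYSWOW64 + "omsecor.exe",
    1604: ROAMING + "omsecor.exe", 2276: ROAMING + "omsecor.exe",
}


def write_counts():
    """WriteProcessMemory rows per (source, target) pair."""
    return Counter(WRITE_PROCESS_MEMORY)


def hollow_pairs():
    """(parent, child) where the parent wrote into the child and then set its
    thread context, and both run the same image: the process-hollowing shape."""
    counts = write_counts()
    return [(a, b) for a, b in SET_THREAD_CONTEXT
            if counts[(a, b)] and IMAGE[a] == IMAGE[b]]


def spawn_edges():
    """Writes that are not part of a hollow: a hollowed child seeding the next
    stage it launched. In this report these come in fours, hollows in sixes."""
    hollow = set(hollow_pairs())
    return [edge for edge in write_counts() if edge not in hollow]


def live_processes():
    """The hollowed children, in order: the processes that actually ran the payload."""
    return [child for _, child in hollow_pairs()]


def chain():
    """Walk from the root (the only pid nobody wrote into) through alternating
    hollow and hand-off edges; returns (parent, hollowed_child, image) per stage."""
    written_to = {b for _, b in WRITE_PROCESS_MEMORY}
    root = next(pid for pid in IMAGE if pid not in written_to)
    hollow, spawn = dict(hollow_pairs()), dict(spawn_edges())
    stages, pid = [], root
    while pid in hollow:
        child = hollow[pid]
        stages.append((pid, child, IMAGE[child]))
        pid = spawn.get(child)
    return stages


if __name__ == "__main__":
    for parent, child, image in chain():
        writes = write_counts()[(parent, child)]
        print(f"{parent} -> {child}  {image}  ({writes} writes)")
```

The practical use is picking which of the eight processes to dump: `live_processes()` returns the four hollowed children (2632, 2008, 2028, 2276); their on-disk images are only what was launched, the code that ran was written in by the parent.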
Processes
  depth 1: C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe (PID 1832)
    command line: "C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    depth 2: C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe (PID 2632)
      command line: C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1264)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2008)
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          depth 5: C:\Windows\SysWOW64\omsecor.exe (PID 532)
            command line: C:\Windows\System32\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            depth 6: C:\Windows\SysWOW64\omsecor.exe (PID 2028)
              command line: C:\Windows\SysWOW64\omsecor.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1604)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2276)
                  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

  Note on depth 5: the command line names C:\Windows\System32\omsecor.exe but the image path (and the "Drops file in System32 directory" IoC) is C:\Windows\SysWOW64\omsecor.exe. The drop landing in SysWOW64 means the writer runs under WoW64 on this x64 image, so file system redirection sends its System32 write and launch to SysWOW64; when hunting for the file, look under SysWOW64, and treat a System32 path in 32-bit process telemetry as the same location.
  The tree alternates: every odd depth spawns a child of its own image and receives the SetThreadContext signature, every even depth is the hollowed child that does the actual work (loading the dropped DLL, dropping the next omsecor.exe, launching the next stage).
Network
MITRE ATT&CK Enterprise v15
Downloads
  Dropped file 1
    Filesize: 96KB
    MD5:      d579a6df3c6b1f9f44999db4a1158cbf
    SHA1:     34f504e1f221cb2051e9b1074de8231729ef64c3
    SHA256:   fa6d702d455514b98998fbbbdf22ee258e5be281f4d20c60c5cbfd395b5bbf48
    SHA512:   7d90c219423ba0cc25ed1094c36b2d13ea7cb01e7010dbce0b3cb634b105ea19f441d5d9c8f5b3074b270a88d0c9c83a0663c9a1fdc8ed008e917f4786fa0374

  Dropped file 2
    Filesize: 96KB
    MD5:      a917b9eece10e40f46ceded24557a52d
    SHA1:     06b3270e31c8642d941cc0540079a7fd095e6547
    SHA256:   69d04ebd8aa9f71a5db05b7e62bd9781423c5fc0302f0734d7cd8cc9b1a203b5
    SHA512:   9617a91563c29c336e9d1339b06e9de54938ef04a92de365a1f3bf6fd41f890b1c474713f726224a51cdbd7c7a5ce4201a26ba16383dd6ae8ac911b893f06405

  Dropped file 3
    Filesize: 96KB
    MD5:      36fcbbcaab2e76b1de2d1f0ba1c3a562
    SHA1:     08f7144e457bde5bc1a488f36441ff8e57e31bf0
    SHA256:   f8e1d695d3bf2414991801e3b8437041b27d6a46ad88bb69ecbc193ac8aa1606
    SHA512:   729580c18e84c09aee86a506f6df628d76866d545cb7141236825d9b0a55f37fb3508ee9524e5799c26275de22cf1aba5785acb973000dcd53b97ea6a52c3acb

  All three drops are the same size as the submitted sample (96KB) yet carry three distinct hashes, and none matches the original, so each omsecor.exe copy differs on disk; the report does not say which drop path each hash belongs to. Hunting on these hashes alone will miss the next copy; the path and file name are the stable indicators.
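Turning the report's file and network indicators into a matcher, as an added example that is not part of the Triage report: the SHA256 values, drop paths and config hosts are copied from this page; the observation record format, the path normalisation (including the WoW64 System32 to SysWOW64 fold the process tree shows), the tag names and the sample observations are constructed for this example.

```python
"""Match file and URL observations against this report's indicators.

Added example. Hashes, drop paths and hosts come from the page; the record
format, normalisation rules, tag names and OBSERVATIONS are constructed.
"""
import re
import ntpath
from urllib.parse import urlsplit

# SHA256 values from the General and Downloads sections.
SHA256 = {
    "7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1": "original sample",
    "fa6d702d455514b98998fbbbdf22ee258e5be281f4d20c60c5cbfd395b5bbf48": "dropped copy 1",
    "69d04ebd8aa9f71a5db05b7e62bd9781423c5fc0302f0734d7cd8cc9b1a203b5": "dropped copy 2",
    "f8e1d695d3bf2414991801e3b8437041b27d6a46ad88bb69ecbc193ac8aa1606": "dropped copy 3",
}

# Drop locations from the process tree and the "Drops file in System32" IoC,
# with the user profile and Windows directory folded into placeholders.
DROP_PATHS = {"%appdata%\\omsecor.exe", "%systemroot%\\syswow64\\omsecor.exe"}
DROP_NAME = "omsecor.exe"

# Hosts from the extracted neconyd config.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}


def normalize_path(path, wow64=False):
    """Canonicalise a Windows path for matching.

    wow64=True means the writer was a 32-bit process on 64-bit Windows: file
    system redirection sends its System32 writes to SysWOW64, which is why the
    report shows a command line of C:\\Windows\\System32\\omsecor.exe but an
    image path of C:\\Windows\\SysWOW64\\omsecor.exe.
    """
    p = path.lower()
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)
    p = re.sub(r"^c:\\windows", "%systemroot%", p)
    if wow64:
        p = p.replace("%systemroot%\\system32\\", "%systemroot%\\syswow64\\")
    return p


def classify(record):
    """Tags for one file observation {"path", "sha256", "wow64"}, strongest first.

    A hash hit is exact but brittle: the report's three dropped copies are all
    96KB yet have three different hashes, so path and name are what survive
    the next copy.
    """
    tags = []
    digest = record.get("sha256", "").lower()
    if digest in SHA256:
        tags.append("hash:" + SHA256[digest])
    norm = normalize_path(record["path"], record.get("wow64", False))
    if norm in DROP_PATHS:
        tags.append("path:" + norm)
    if ntpath.basename(norm) == DROP_NAME:
        tags.append("name:" + DROP_NAME)
    return tags


def is_c2_url(url):
    """True when the URL's host is one of the config hosts or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in C2_HOSTS)


def hunt(records):
    """(path, tags) for every record that matched at least one indicator."""
    return [(r["path"], classify(r)) for r in records if classify(r)]


# Constructed observations in the shape of an EDR file-write export; not real telemetry.
OBSERVATIONS = [
    {"path": "C:\\Users\\alice\\AppData\\Roaming\\omsecor.exe",
     "sha256": "fa6d702d455514b98998fbbbdf22ee258e5be281f4d20c60c5cbfd395b5bbf48", "wow64": True},
    # 32-bit writer, unknown hash: a fresh copy that hash-only hunting would miss.
    {"path": "C:\\Windows\\System32\\omsecor.exe", "sha256": "0" * 64, "wow64": True},
    # 64-bit writer: lands in the real System32, not the report's SysWOW64 path.
    {"path": "C:\\Windows\\System32\\omsecor.exe", "sha256": "0" * 64, "wow64": False},
    {"path": "C:\\Program Files\\Vendor\\tool.exe", "sha256": "1" * 64, "wow64": False},
]

if __name__ == "__main__":
    for path, tags in hunt(OBSERVATIONS):
        print(path, tags)
    print(is_c2_url("http://lousta.net/"), is_c2_url("http://lousta.net.example.org/"))
```

The `wow64` flag is the piece most hunts forget: without it, the second observation (a 32-bit process writing "System32\omsecor.exe") would be compared against the wrong path and only match on file name.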