Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2025, 19:42
Static task: static1
Behavioral task: behavioral1
Sample: 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
Resource: win7-20240903-en
General
Target: 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
Size: 96KB
MD5: 702d7d818e2b3e5661a7c61433a20118
SHA1: 1ffe06c9db1e8178806bfe02e971b17b261f7abc
SHA256: 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833
SHA512: 7fa4b86a390a0a658f5f95edce7d731375cb36bdb9dde4bb4230441e83c51260c59c84b6c6291de8a0e6026c5f65c356244205943ef588cb2067550b79da8124
SSDEEP: 1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:HGs8cd8eXlYairZYqMddH13r
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2360  omsecor.exe
  2968  omsecor.exe
  1908  omsecor.exe
  2016  omsecor.exe
  1852  omsecor.exe
  2952  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2148  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  2148  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  2360  omsecor.exe
  2968  omsecor.exe
  2968  omsecor.exe
  2016  omsecor.exe
  2016  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                                pid   Process                                                                   procid_target
  PID 2372 set thread context of 2148        2372  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe     30
  PID 2360 set thread context of 2968        2360  omsecor.exe                                                               32
  PID 1908 set thread context of 2016        1908  omsecor.exe                                                               36
  PID 1852 set thread context of 2952        1852  omsecor.exe                                                               38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical repeated entries collapsed with a count)
  description                          pid   Process                                                                   procid_target  count
  PID 2372 wrote to memory of 2148     2372  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe     30             x6
  PID 2148 wrote to memory of 2360     2148  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe     31             x4
  PID 2360 wrote to memory of 2968     2360  omsecor.exe                                                               32             x6
  PID 2968 wrote to memory of 1908     2968  omsecor.exe                                                               35             x4
  PID 1908 wrote to memory of 2016     1908  omsecor.exe                                                               36             x6
  PID 2016 wrote to memory of 1852     2016  omsecor.exe                                                               37             x4
  PID 1852 wrote to memory of 2952     1852  omsecor.exe                                                               38             x6
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe (PID 2372)
    command line: "C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe (PID 2148)
      command line: C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2360)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2968)
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\omsecor.exe (PID 1908)
            command line: C:\Windows\System32\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\omsecor.exe (PID 2016)
              command line: C:\Windows\SysWOW64\omsecor.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1852)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2952)
                  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: ae753e5386a5755c298250f922a62d8a
  SHA1: 75aee149c21d4df745f170fa8d67522a8b97ca23
  SHA256: aca3f9808ede1d037dbbe66d98a556c2844821b2405d92ef290f033fcf77d22d
  SHA512: a8b01c55bd1d5e2703544141bced2cd430234e082719b9428628b2cc4e8e4053cc0ebef7244d9d61f1a1797ded3c53aaa8760d1603ef933710c2930dcde9824b
- Filesize: 96KB
  MD5: 21d18d1e8d0d191947a83157bca1727c
  SHA1: 3baad5fa032d7e502b9b1783e74ce465c1b19afc
  SHA256: 8012f3bf195a8529a2275248abc3e710ea80749b0df31cfddae0140e554426c6
  SHA512: 0aee8b92989daede5cf361dd2b92ac44ef7e6bdfc0e469b1a6b946c03971b2b134cd145290338bd52871565b46c54256d41938efcfec1d9d9d0c49ec2eb391d4
- Filesize: 96KB
  MD5: d3b930c87d9ce38d03e57136321aa0fe
  SHA1: 5dd56fd50c61ebb42f3db2a33b45327c9b915abc
  SHA256: 83eff4662c6decae57a74ffc840883e6c116a5987e0566d73b583b7eab85bb63
  SHA512: f71e933c38c164056b52626c8cb615f2a0e35dd2cc3945f812235b14daa79f77ad587bda167e003cac82433dfe3adca88cbc510b4aee1bcc10e3aebd99160e66