Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2025, 10:59
Static task: static1
Behavioral task: behavioral1
Sample: 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Resource: win7-20240729-en
General

Target: 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Size: 96KB
MD5: 1ed206ccb847192d9a5bc700d2ce9f30
SHA1: 8cd8f19f39ba976f4ae5260aa247b534dc78a7f7
SHA256: 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022ae
SHA512: ff27ddf559984e66e34dec8e88ba876a92b0103921bb0bbe53eabefc015079bf9ba6ed43d595ffcfb6b730a591a5fbc3e1e07e2ed21a01605f2e125e8c67a42a
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:4Gs8cd8eXlYairZYqMddH13L
Malware Config

Extracted (neconyd):
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid  | Process
2748 | omsecor.exe
2708 | omsecor.exe
3036 | omsecor.exe
2008 | omsecor.exe
484  | omsecor.exe
1836 | omsecor.exe

Loads dropped DLL (7 IoCs)
pid  | Process
2692 | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
2692 | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
2748 | omsecor.exe
2708 | omsecor.exe
2708 | omsecor.exe
2008 | omsecor.exe
2008 | omsecor.exe

Drops file in System32 directory (1 IoC)
description  | ioc                              | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                           | pid  | Process                                                                 | procid_target
PID 2236 set thread context of 2692   | 2236 | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe | 30
PID 2748 set thread context of 2708   | 2748 | omsecor.exe                                                             | 32
PID 3036 set thread context of 2008   | 3036 | omsecor.exe                                                             | 35
PID 484 set thread context of 1836    | 484  | omsecor.exe                                                             | 37
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                            | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description                      | pid  | Process                                                                 | procid_target | count
PID 2236 wrote to memory of 2692 | 2236 | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe | 30            | 6
PID 2692 wrote to memory of 2748 | 2692 | 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe | 31            | 4
PID 2748 wrote to memory of 2708 | 2748 | omsecor.exe                                                             | 32            | 6
PID 2708 wrote to memory of 3036 | 2708 | omsecor.exe                                                             | 34            | 4
PID 3036 wrote to memory of 2008 | 3036 | omsecor.exe                                                             | 35            | 6
PID 2008 wrote to memory of 484  | 2008 | omsecor.exe                                                             | 36            | 4
PID 484 wrote to memory of 1836  | 484  | omsecor.exe                                                             | 37            | 6
Processes

1. C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe (PID 2236)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe (PID 2692)
      Command line: C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2748)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2708)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\omsecor.exe (PID 3036)
               Command line: C:\Windows\System32\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\omsecor.exe (PID 2008)
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 484)
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory

                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1836)
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: a0ead96d1e0386ae43357e8f63063aed
SHA1: a53b914be998d10cc704c35652099cc9d2fe75b4
SHA256: e7481098956298c6a44546f7a270db4a72c40876e268298df7c5455282855717
SHA512: 19770f5f8aa2fc749322ca010cab8a156c012f0b01b68edbff926d4fb5bce142157a1fb541ad21f104ae0a6a29e7e8ed2e0414299e336ccca88bdecf8b64aca5

Filesize: 96KB
MD5: da8034b506342218c1b5d69cd693d721
SHA1: 39468ba17368db2515c6acca884ac8a546942b78
SHA256: a072734720a832eb10ab026d7057b3faef8e90a27c025306f4c85ad14ac03010
SHA512: dd0905fd5338cdce4ccad031d548bb78e0abd885ce47a153633a3402bbb7ce2efa5ae536894a7738c25c5ca4a76b5ed0fa8c12ee4ff005bd96037e5268afc651

Filesize: 96KB
MD5: 6de28978390db502c2cb55f0de00c377
SHA1: 02f1af088463db7ef33b51a70e4fa9090d13135f
SHA256: 27a12f3445d31f36fb9940078330f8b9cb161bddc27fae34e86b7be90c821cab
SHA512: 08cd5eb158c4261f8c52f12f9859c178354c2a4675c07d519c47d17d0ae490dcee0d068425fa5e3a86bd91db05733351516bbf0b99ab7dce214a018371ade2d1