Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 07:02
Static task
static1
Behavioral task
behavioral1
Sample
6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
Resource
win7-20240729-en
General
Target: 6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
Size: 96KB
MD5: 6d3dc9d6bd7adee40728b253e2eb0780
SHA1: a86a05578acb4d0627f7d85af8a39433da702194
SHA256: 6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147b
SHA512: bf635ffe96a0b02ed884ad962d023f204bbe1d7a33fddc951cf1fcd34b7abc304ca5345287dd823c5413944433b3a14a358307fd0829dc29f3fe768e2fc48357
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:4Gs8cd8eXlYairZYqMddH13r
Malware Config
Extracted family: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
Neconyd family
Executes dropped EXE (6 IoCs)
  PID   Process
  2740  omsecor.exe
  2672  omsecor.exe
  532   omsecor.exe
  1092  omsecor.exe
  2032  omsecor.exe
  2176  omsecor.exe
Loads dropped DLL (7 IoCs)
  PID   Process
  2084  6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  2084  6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  2740  omsecor.exe
  2672  omsecor.exe
  2672  omsecor.exe
  1092  omsecor.exe
  1092  omsecor.exe
Drops file in System32 directory (1 IoC)
  Description   IoC                                Process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)
  PID   Description                 Target PID  Process                                                                   procid_target
  2848  set thread context of       2084        6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe  31
  2740  set thread context of       2672        omsecor.exe                                                               33
  532   set thread context of       1092        omsecor.exe                                                               37
  2032  set thread context of       2176        omsecor.exe                                                               39
In every one of these pairs the target runs the same image as the caller (see the process tree below), and the same parent/child pairs also appear under WriteProcessMemory: each stage starts a copy of itself, writes into it and then resets a thread context, the pattern normally read as process hollowing of a self-spawned child.
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Malware commonly reads this key to decide whether to run at all on hosts in certain locales, so the language of the analysis image (en-us here) can change the observed behaviour.
  Description  IoC                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, count in the last column)
  PID   Description         Target PID  Process                                                                   procid_target  Count
  2848  wrote to memory of  2084        6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe  31             6
  2084  wrote to memory of  2740        6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe  32             4
  2740  wrote to memory of  2672        omsecor.exe                                                               33             6
  2672  wrote to memory of  532         omsecor.exe                                                               36             4
  532   wrote to memory of  1092        omsecor.exe                                                               37             6
  1092  wrote to memory of  2032        omsecor.exe                                                               38             4
  2032  wrote to memory of  2176        omsecor.exe                                                               39             6
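The SetThreadContext and WriteProcessMemory rows above are only useful once they are joined on (caller PID, target PID) and on the image each PID runs. The script below is an added example, not part of the tria.ge report or of any tria.ge tooling: it parses a constructed excerpt of the rows (the sample's SHA-256 file name shortened to SAMPLE.exe, repeated WriteProcessMemory rows trimmed to two per pair), flags the parent/child pairs where a process writes into a suspended copy of its own image and then resets a thread context, and follows the write edges to recover where the dropped copy is relocated (Temp, then Roaming, then SysWOW64, then Roaming again). The PID-to-image map is transcribed from the process tree in this report.

```python
"""Correlate sandbox SetThreadContext / WriteProcessMemory rows into a
process-hollowing chain and recover the path the dropped copy moves through."""
import re
from collections import Counter

# Constructed excerpt of the signature rows from the report. The sample's
# SHA-256 file name is shortened to SAMPLE.exe and the repeated
# WriteProcessMemory rows are trimmed to at most two per pair.
SIGNATURE_ROWS = """
PID 2848 set thread context of 2084 2848 SAMPLE.exe 31
PID 2740 set thread context of 2672 2740 omsecor.exe 33
PID 532 set thread context of 1092 532 omsecor.exe 37
PID 2032 set thread context of 2176 2032 omsecor.exe 39
PID 2848 wrote to memory of 2084 2848 SAMPLE.exe 31
PID 2848 wrote to memory of 2084 2848 SAMPLE.exe 31
PID 2084 wrote to memory of 2740 2084 SAMPLE.exe 32
PID 2740 wrote to memory of 2672 2740 omsecor.exe 33
PID 2740 wrote to memory of 2672 2740 omsecor.exe 33
PID 2672 wrote to memory of 532 2672 omsecor.exe 36
PID 532 wrote to memory of 1092 532 omsecor.exe 37
PID 532 wrote to memory of 1092 532 omsecor.exe 37
PID 1092 wrote to memory of 2032 1092 omsecor.exe 38
PID 2032 wrote to memory of 2176 2032 omsecor.exe 39
PID 2032 wrote to memory of 2176 2032 omsecor.exe 39
"""

# Image path per PID, transcribed from the report's process tree (same shortening).
IMAGES = {
    2848: r"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe",
    2084: r"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe",
    2740: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    2672: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    532:  r"C:\Windows\SysWOW64\omsecor.exe",
    1092: r"C:\Windows\SysWOW64\omsecor.exe",
    2032: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    2176: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# One sandbox row: "PID <src> <op> <dst> <src again> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_rows(text):
    """Return (source pid, operation, target pid) tuples in report order."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["op"], int(m["dst"])))
    return events


def find_hollowing(events, images):
    """Flag parent/child pairs where the parent both wrote into the child and
    replaced a thread context, and the child was started from the parent's
    own image: a suspended self-copy whose code is overwritten in place."""
    writes = Counter()
    ctx_pairs = set()
    for src, op, dst in events:
        if op == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx_pairs.add((src, dst))
    findings = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] and images.get(src) == images.get(dst):
            findings.append({"parent": src, "child": dst,
                             "image": images[dst], "writes": writes[(src, dst)]})
    return findings


def image_hops(events, images):
    """Follow the WriteProcessMemory edges in order and list each new image
    path the chain lands on, i.e. where the dropped copy was relocated."""
    hops = []
    for src, op, dst in events:
        if op != "wrote to memory of":
            continue
        for pid in (src, dst):
            img = images[pid]
            if not hops or hops[-1] != img:
                hops.append(img)
    return hops


if __name__ == "__main__":
    evs = parse_rows(SIGNATURE_ROWS)
    for f in find_hollowing(evs, IMAGES):
        print(f"hollowing: {f['parent']} -> {f['child']} "
              f"({f['image']}, {f['writes']} writes)")
    print(" -> ".join(image_hops(evs, IMAGES)))
```

The image check is what separates this pattern from a debugger or an installer: writing into a child and calling SetThreadContext is legitimate in those cases, but a process doing it to a freshly spawned copy of its own executable, four times in a row across three directories, is not.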
Processes (indentation shows parent/child; the quoted string is the command line as recorded)

C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe  (PID 2848)
  command line: "C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe  (PID 2084)
    command line: C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2740)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2672)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe  (PID 532)
          command line: C:\Windows\System32\omsecor.exe
          (the command line names System32, but the 32-bit process is redirected by WOW64 file system redirection to SysWOW64, which is where the file was actually created)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe  (PID 1092)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2032)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2176)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 96KB
  MD5: df24be91929341411994d9c5d5df22c9
  SHA1: c947478174e353d33dad3244fc79ddae1be3e703
  SHA256: bb5f489b34c4001feae77f356975ffe2007b2c566820753122ced0ffc504a268
  SHA512: 088f54fd412db3564f1be4e0ce79ad305cee6cae65ef3e65dcc3aa003927e0ddecf99326f789fb199988de5428eb0f4d451bc0cec1d82f417a61e148ea3c54ec

File 2
  Filesize: 96KB
  MD5: 41a6673d119cdf2895589c85f051f65f
  SHA1: af37d1379249a27136beb92dc42b6e6fe1ad8e87
  SHA256: e8cc541546d613b59e1af9f0363ae86243d52254ea1815b479173f3fa220e469
  SHA512: 4049e802357dc5a24257b32b673a00cc0ef21cde0bc93ba81455bb608f0e0a2c8920d8996fff8ab11cf1b47cfba69eb717ff8f5a3429117e7413d1f2f3e5d905

File 3
  Filesize: 96KB
  MD5: 966e0a1ac38082ce57faa597403082db
  SHA1: 300ba3db9f9305e31cc80e90d23e2d753f071b72
  SHA256: 6d2a8e5251c2b3a2bb0298f06d913a57355e3f72ef606744fa79bc86a3a71ba7
  SHA512: 93d4ba0bd007c735c38d78129ca14d01b738e7cc307b8f28f5043f8bdf12849adfb721321f00ff05cc227c79182bbf2da63f70f31f3fa841f084dd56605b762a