Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 133s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 13:09
Static task: static1
Behavioral task: behavioral1
Sample: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Resource: win7-20241023-en
General
Target: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Size: 96KB
MD5: f52b87b3a347a98aaa214c53bbf3e320
SHA1: 88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
SHA256: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
SHA512: 75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2496  omsecor.exe
  2476  omsecor.exe
  340   omsecor.exe
  1360  omsecor.exe
  2388  omsecor.exe
  2644  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  1464  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  1464  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  2496  omsecor.exe
  2476  omsecor.exe
  2476  omsecor.exe
  1360  omsecor.exe
  1360  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2596 set thread context of 1464  2596  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe  30
  PID 2496 set thread context of 2476  2496  omsecor.exe                                                              32
  PID 340 set thread context of 1360   340   omsecor.exe                                                              36
  PID 2388 set thread context of 2644  2388  omsecor.exe                                                              38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical entries grouped, with the number of occurrences in the last column)
  description                      pid   Process                                                                  procid_target  occurrences
  PID 2596 wrote to memory of 1464  2596  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe  30             6
  PID 1464 wrote to memory of 2496  1464  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe  31             4
  PID 2496 wrote to memory of 2476  2496  omsecor.exe                                                              32             6
  PID 2476 wrote to memory of 340   2476  omsecor.exe                                                              35             4
  PID 340 wrote to memory of 1360   340   omsecor.exe                                                              36             6
  PID 1360 wrote to memory of 2388  1360  omsecor.exe                                                              37             4
  PID 2388 wrote to memory of 2644  2388  omsecor.exe                                                              38             6
Processes (nested by parent; each level is the child of the one above)
1. C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
   PID: 2596
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
   PID: 1464
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2496
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2476
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\omsecor.exe
   Command line: C:\Windows\System32\omsecor.exe
   PID: 340
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\omsecor.exe
   Command line: C:\Windows\SysWOW64\omsecor.exe
   PID: 1360
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2388
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2644
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
Filesize: 96KB
MD5: 3ed580a195e52b712ad98701276f22d8
SHA1: fdba91bb0cdfcd6f2f65fb551baa744d98b634c6
SHA256: 8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682
SHA512: acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

Dropped file 2
Filesize: 96KB
MD5: ef0c071e2cea3394bdbde5f74948ebe4
SHA1: dcd1187d41fccbadec670f71ebed6f0086a281a5
SHA256: 5f5e7c04c27a9760b77295284bb852454264977218aca88af782d3f881ba7b3f
SHA512: 285751e66ef636a245e700518104f3343f8c0969d49a69f1159a1396f07856f64a26804498f2c1239c7bba37e9a090158cdba9ecd587c833bac36ba6e1f77ef1

Dropped file 3
Filesize: 96KB
MD5: eed3e179b422bdb3481db58c9047c542
SHA1: f37eb9cc0f798a5a4eca5842e1a4531988208640
SHA256: ed254031ab5995f8aafd28660a7b11179c4df91f5d69198fa82ac76e8bc03f58
SHA512: 26c0c860b320b420807e89aeb607ce87d1d85f2ff4a21e4ce333d58bb376c2a59d62273da7780c94d415143c02854b40eec2d0cd5b4560488524a6450744da46