Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 118s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 21/01/2025, 14:02
Static task: static1
Behavioral task: behavioral1
  Sample: ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
  Resource: win7-20240903-en
General
  Target: ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe (the file name is the sample's SHA256 with an "N" suffix)
  Size: 96KB
  MD5: 4fdc5b677988c7885e6b14e5a0c505c0
  SHA1: 14880f4ab2c99d1ca349809190b4bc71b8cb94ea
  SHA256: ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3
  SHA512: 59831e9966e15e173a5b00c9fe8c03937c4a5d037a496cd99e4d92448d469c7375020eee5a7a542340d978d58087d389716de4ad5eb2a2056adae9bdb837971b
  SSDEEP: 1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:LGs8cd8eXlYairZYqMddH13O
Malware Config
Extracted
  Family: neconyd
  URLs (from the extracted config):
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
    PID   Process
    2120  omsecor.exe
    2924  omsecor.exe
    2796  omsecor.exe
    2000  omsecor.exe
    2944  omsecor.exe
    2464  omsecor.exe
- Loads dropped DLL (7 IoCs)
    PID   Process                                                                  Rows
    2488  ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe  2
    2120  omsecor.exe                                                              1
    2924  omsecor.exe                                                              2
    2000  omsecor.exe                                                              2
- Drops file in System32 directory (1 IoC)
    File created: C:\Windows\SysWOW64\omsecor.exe, by omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
    PID   Process                                                                  Target PID  procid_target
    1696  ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe  2488        30
    2120  omsecor.exe                                                              2924        32
    2796  omsecor.exe                                                              2000        36
    2944  omsecor.exe                                                              2464        38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs; ATT&CK T1614.001)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
      by omsecor.exe (6 rows) and by ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe (2 rows)
- Suspicious use of WriteProcessMemory (36 IoCs, condensed: one line per source/target pair)
    PID   Process                                                                  Target PID  procid_target  Rows
    1696  ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe  2488        30             6
    2488  ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe  2120        31             4
    2120  omsecor.exe                                                              2924        32             6
    2924  omsecor.exe                                                              2796        35             4
    2796  omsecor.exe                                                              2000        36             6
    2000  omsecor.exe                                                              2944        37             4
    2944  omsecor.exe                                                              2464        38             6
  The four pairs with six write rows (1696>2488, 2120>2924, 2796>2000, 2944>2464) are exactly the four SetThreadContext pairs, and in each pair both processes run the same image (see the process tree below). A parent writing into a freshly started copy of itself and then replacing its thread context is the process-hollowing pattern. The four-row pairs are the hollowed processes starting the next dropped omsecor.exe, with no thread-context change.
Processes (parent to child; depth as shown by the sandbox)

depth 1  PID 1696  C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe"
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
  depth 2  PID 2488  C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
           command line: C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
    depth 3  PID 2120  C:\Users\Admin\AppData\Roaming\omsecor.exe
             command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of SetThreadContext
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
      depth 4  PID 2924  C:\Users\Admin\AppData\Roaming\omsecor.exe
               command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Loads dropped DLL
               - Drops file in System32 directory
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
        depth 5  PID 2796  C:\Windows\SysWOW64\omsecor.exe
                 command line: C:\Windows\System32\omsecor.exe
                 - Executes dropped EXE
                 - Suspicious use of SetThreadContext
                 - System Location Discovery: System Language Discovery
                 - Suspicious use of WriteProcessMemory
          depth 6  PID 2000  C:\Windows\SysWOW64\omsecor.exe
                   command line: C:\Windows\SysWOW64\omsecor.exe
                   - Executes dropped EXE
                   - Loads dropped DLL
                   - System Location Discovery: System Language Discovery
                   - Suspicious use of WriteProcessMemory
            depth 7  PID 2944  C:\Users\Admin\AppData\Roaming\omsecor.exe
                     command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory
              depth 8  PID 2464  C:\Users\Admin\AppData\Roaming\omsecor.exe
                       command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                       - Executes dropped EXE
                       - System Location Discovery: System Language Discovery

Note on the depth-5 entry: the command line names C:\Windows\System32\omsecor.exe but the image that actually ran is C:\Windows\SysWOW64\omsecor.exe. The sample is a 32-bit binary (resource tag arch:x86) on a 64-bit OS, so WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. A detection or allow-list that keys only on the System32 path will not see this file; match on both directories.
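The write-then-SetThreadContext pairing described under Signatures can be checked mechanically. The following is an added example, not tria.ge's code: it takes the source/target PIDs and write counts condensed from this report's WriteProcessMemory and SetThreadContext tables plus the image paths from the process tree, labels each edge as hollowing or a plain spawn, and walks the chain from the root process to the last copy. The helper names (classify_edges, injection_chain, stages) are hypothetical; the PIDs, counts and paths are the ones on this page.

```python
"""Reconstruct the injection chain from the report's process-access signatures.

Added example, not tria.ge's code. The event data below is condensed from the
"Suspicious use of WriteProcessMemory", "Suspicious use of SetThreadContext" and
"Processes" sections of this page; the helper functions are illustrative.
"""
from collections import defaultdict

# Image path per PID, from the "Processes" section of the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
IMAGES = {
    1696: SAMPLE, 2488: SAMPLE,
    2120: ROAMING, 2924: ROAMING,
    2796: SYSWOW64, 2000: SYSWOW64,
    2944: ROAMING, 2464: ROAMING,
}

# (source pid, target pid, number of WriteProcessMemory rows in the report)
WRITES = [
    (1696, 2488, 6), (2488, 2120, 4), (2120, 2924, 6), (2924, 2796, 4),
    (2796, 2000, 6), (2000, 2944, 4), (2944, 2464, 6),
]
# (source pid, target pid) for each SetThreadContext row
SET_CTX = [(1696, 2488), (2120, 2924), (2796, 2000), (2944, 2464)]


def classify_edges(writes, set_ctx, images):
    """Label each source->target memory-write edge.

    'hollow': the source both wrote into the target and replaced its thread
    context, and both run the same image (a suspended copy of itself that was
    overwritten, i.e. process hollowing).
    'inject': same events but into a different image (classic remote injection).
    'spawn':  writes without a thread-context change, which is what the hollowed
    payload does when it launches the next dropped copy.
    """
    ctx = set(set_ctx)
    edges = {}
    for src, dst, n in writes:
        if (src, dst) in ctx:
            kind = "hollow" if images[src] == images[dst] else "inject"
        else:
            kind = "spawn"
        edges[(src, dst)] = {"writes": n, "kind": kind}
    # A SetThreadContext target that was never written to means the event data
    # is incomplete, not that hollowing happened; refuse to guess.
    missing = ctx - set(edges)
    if missing:
        raise ValueError(f"thread context set without prior writes: {missing}")
    return edges


def injection_chain(edges):
    """Walk from the root (a pid that is never a target) to the leaf process."""
    sources = {s for s, _ in edges}
    targets = {t for _, t in edges}
    roots = sources - targets
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {sorted(roots)}")
    nxt = defaultdict(list)
    for s, t in edges:
        nxt[s].append(t)
    chain, cur = [], next(iter(roots))
    while True:
        chain.append(cur)
        children = nxt.get(cur, [])
        if not children:
            return chain
        if len(children) > 1:
            raise ValueError(f"pid {cur} has several children; not a linear chain")
        cur = children[0]


def stages(chain, edges, images):
    """One (image, hollowed pid) tuple per hollowing step along the chain."""
    return [(images[t], t) for s, t in zip(chain, chain[1:])
            if edges[(s, t)]["kind"] == "hollow"]


if __name__ == "__main__":
    e = classify_edges(WRITES, SET_CTX, IMAGES)
    c = injection_chain(e)
    for s, t in zip(c, c[1:]):
        print(f"{s} -> {t}: {e[(s, t)]['kind']:6} ({e[(s, t)]['writes']} writes) {IMAGES[t]}")
```

On this report the walk yields a single linear chain of eight processes with four hollowing steps (into PIDs 2488, 2924, 2000 and 2464), alternating with the three spawns of a dropped omsecor.exe. The same pairing logic applies to Sysmon ProcessAccess and CreateRemoteThread telemetry once the source and target PIDs are extracted.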
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
1. Filesize: 96KB
   MD5: 4124807dc4306feab598aadbce7409f8
   SHA1: 02f818dae5160c130f63cb6280e2666ba6d144f5
   SHA256: 6d4390d6050a19e0ecb040f0d2fe7a84909b59bb34d35de7816dd0b8bcd2b2f8
   SHA512: 43d7930035a128084880907f3c1a5f2e468fba57629bb4bbe65c0f515b03177aa0aced2299c51c18f5d640940b70af0d7b939341e5d3e4dcba190505e8dc290d
2. Filesize: 96KB
   MD5: f06be528fdf6a85594028d7cad94629f
   SHA1: 6993afc243aeada9e1e724e6b5285d93cce7f511
   SHA256: c9405a6123ce8f1d33ef9356c9c1068a5ab77cb5e816106078f755d1eeeda386
   SHA512: acdd4e32a9cd2b910a620287cd7d1cc0ea93bf83dabe32e1cf29385d03882159a3595a06fcf048c0ff9e3a8dd251bdeab9054571cccff075ea2cf88ecd9d2362
3. Filesize: 96KB
   MD5: 92ac9be63bd5ab7a01041c36f2f2e059
   SHA1: 6e09c36826ea47b652a19b62ab48ed4e60d7ea4a
   SHA256: 5b71081a181d0ba5aa343c182bb285e5c70aa5804fd3103dcb5bb77d8f993fe9
   SHA512: d9125bf6eeb0ebf50bd8948d98e447fbb8c1566189fbaab4c4ac0f1409ebbc163738bcf0eee20b81d172b7c83b06e31842d629c302d07c6348684959bb0189cc

All three dropped files are the same size as the submitted sample (96KB) but carry different hashes from it and from each other, so each copy written along the chain differs at the byte level. Blocking the submitted sample's hash alone therefore does not cover the copies under AppData\Roaming and SysWOW64; the file path, the omsecor.exe name and the config URLs are the more durable indicators here.
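To show how the indicators on this page behave against telemetry, here is an added example, not tria.ge's code, that matches the config URLs, the two omsecor.exe drop locations and the three dropped-file SHA256s against constructed proxy and file-creation log lines. The log format, the timestamps, the client addresses and every log line are constructed for the demonstration; only the hostnames, paths and hashes come from the report. The functions host_is_c2, scan_proxy and scan_files are hypothetical helpers.

```python
"""Match this report's indicators against constructed log lines.

Added example, not tria.ge's code. The indicators come from the "Malware
Config", "Drops file in System32 directory", "Processes" and "Downloads"
sections of this page; the log format and every log line are constructed
for the demonstration and do not come from the sandbox.
"""
import re
from urllib.parse import urlsplit

# Hosts from the extracted neconyd config.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# omsecor.exe was dropped under the user's Roaming profile and under SysWOW64.
# The user name is sandbox-specific, so any profile directory is accepted.
DROPPED_PATH = re.compile(
    r"(?i)^[a-z]:\\(users\\[^\\]+\\appdata\\roaming|windows\\syswow64)\\omsecor\.exe$"
)

# SHA256 of the three dropped copies listed under "Downloads".
DROPPED_SHA256 = {
    "6d4390d6050a19e0ecb040f0d2fe7a84909b59bb34d35de7816dd0b8bcd2b2f8",
    "c9405a6123ce8f1d33ef9356c9c1068a5ab77cb5e816106078f755d1eeeda386",
    "5b71081a181d0ba5aa343c182bb285e5c70aa5804fd3103dcb5bb77d8f993fe9",
}


def host_is_c2(host):
    """Exact match or a subdomain of a config host; 'notlousta.net' must not match."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS)


def scan_proxy(lines):
    """Lines: '<ts> <client> <method> <url> <status>'. Returns (ts, host) hits."""
    hits = []
    for line in lines:
        ts, _client, _method, url, _status = line.split()
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host_is_c2(host):
            hits.append((ts, host))
    return hits


def scan_files(lines):
    """Lines: '<ts> FileCreate <path> sha256=<hex>'. Returns (ts, path, reason)."""
    hits = []
    for line in lines:
        ts, _action, path, sha = line.split()
        reasons = []
        if DROPPED_PATH.match(path):
            reasons.append("path")
        if sha.removeprefix("sha256=").lower() in DROPPED_SHA256:
            reasons.append("hash")
        if reasons:
            hits.append((ts, path, "+".join(reasons)))
    return hits


# Constructed sample logs (not from the report).
PROXY_LOG = [
    "2025-01-21T14:03:11Z 10.0.0.5 GET http://ow5dirasuek.com/ 200",
    "2025-01-21T14:03:12Z 10.0.0.5 GET http://www.example.com/ 200",
    "2025-01-21T14:03:13Z 10.0.0.7 GET http://cdn.lousta.net/update.bin 200",
    "2025-01-21T14:03:14Z 10.0.0.9 GET http://notlousta.net/ 200",
    "2025-01-21T14:03:15Z 10.0.0.5 GET http://MKKUEI4KDSZ.COM/x 404",
]
FILE_LOG = [
    r"2025-01-21T14:02:50Z FileCreate C:\Users\Admin\AppData\Roaming\omsecor.exe "
    "sha256=6d4390d6050a19e0ecb040f0d2fe7a84909b59bb34d35de7816dd0b8bcd2b2f8",
    # A fresh copy with an unseen hash: only the path indicator can catch it.
    r"2025-01-21T14:02:58Z FileCreate C:\Windows\SysWOW64\omsecor.exe sha256=" + "0" * 64,
    r"2025-01-21T14:02:59Z FileCreate C:\Users\Admin\Downloads\report.pdf "
    "sha256=5b71081a181d0ba5aa343c182bb285e5c70aa5804fd3103dcb5bb77d8f993fe9",
    r"2025-01-21T14:03:00Z FileCreate C:\Windows\System32\notepad.exe sha256=" + "f" * 64,
]

if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_files(FILE_LOG):
        print(hit)
```

The second file line is the case that matters for this family: a rewritten copy with a hash not in the report is still caught by the path rule, whereas the hash set only catches a byte-identical copy of one of the three downloads. Host matching requires a dot before the config domain so that look-alike names such as notlousta.net do not fire.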