Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- Max time kernel: 119s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 21/01/2025, 17:50
Static task: static1
Behavioral task: behavioral1
- Sample: fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
- Resource: win7-20240903-en
General
- Target: fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
- Size: 96KB
- MD5: a63cd8ef554c8a42630a92a4fdde970c
- SHA1: 0530eb7362ca19d6aa953a7d35bbca034a01c751
- SHA256: fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f
- SHA512: 567d55fae6070f24e6530079caade578961974ada1076f068183e8ee2ea6cc9c8b9d68f13751ea486a03420f26709089ef69a2e37b213a989be1a1c3d3ea7930
- SSDEEP: 1536:VnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:VGs8cd8eXlYairZYqMddH13r
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family

- Executes dropped EXE (6 IoCs)
  PID   Process
  2688  omsecor.exe
  2892  omsecor.exe
  676   omsecor.exe
  264   omsecor.exe
  2244  omsecor.exe
  2208  omsecor.exe

- Loads dropped DLL (7 IoCs)
  PID   Process                                                                  Count
  2812  fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe  2
  2688  omsecor.exe                                                              1
  2892  omsecor.exe                                                              2
  264   omsecor.exe                                                              2

- Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Description                      PID   Process                                                                  Target PID
  PID 2788 set thread context of   2812  fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe  31
  PID 2688 set thread context of   2892  omsecor.exe                                                              33
  PID 676 set thread context of    264   omsecor.exe                                                              36
  PID 2244 set thread context of   2208  omsecor.exe                                                              38

- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                           Process                                                                  Count
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe                                                              5
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe  2
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe                                                              1
- Suspicious use of WriteProcessMemory (36 IoCs)
  Description                  PID   Process                                                                  Target PID  Count
  PID 2788 wrote to memory of  2812  fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe  31          6
  PID 2812 wrote to memory of  2688  fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe  32          4
  PID 2688 wrote to memory of  2892  omsecor.exe                                                              33          6
  PID 2892 wrote to memory of  676   omsecor.exe                                                              35          4
  PID 676 wrote to memory of   264   omsecor.exe                                                              36          6
  PID 264 wrote to memory of   2244  omsecor.exe                                                              37          4
  PID 2244 wrote to memory of  2208  omsecor.exe                                                              38          6
Processes
1. C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe"
   PID: 2788
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\fe8ae4da8c94e22a13046c8f236c796647eba8aedcd64dc4d6798df8d5dd3c3f.exe
   PID: 2812
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2688
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2892
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\omsecor.exe
   Command line: C:\Windows\System32\omsecor.exe
   PID: 676
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\omsecor.exe
   Command line: C:\Windows\SysWOW64\omsecor.exe
   PID: 264
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2244
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Roaming\omsecor.exe
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2208
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 578851fddd7b21fd7150f170fa0d7515
  SHA1: 0f23a7f6d78cfe276c2164d529c957b90d4c1d7e
  SHA256: ca0ca53e0fab32fae81d36e547a8545e409831245742badb091724f2b0bc23b8
  SHA512: 13e6eda18ba946a44df3e9c6a41ce6c14fa3f7821eeba231207e0cf750607f16f275d13d9f39ba8f1a5344bc7ca582c1ee8a9caedb4356fdae3cac485f0ea525
- Filesize: 96KB
  MD5: 5bbac1be509af14adb7c39d74011088f
  SHA1: 59f32c2c3f457e39d34f2f205350ce1cb516f035
  SHA256: 64c74061fe4becde5b8028ad651bf088dc1a772d75b0d43399107a2dd0a280d0
  SHA512: 8f0c6c70d4df4c6e25dc930233180f979b75745b086d2c52a003c66fcf23f9b24bf4fbf7745c54c31e3c207e0bc83d4f131edff38c6f968526fe1fe201d10fe0
- Filesize: 96KB
  MD5: e00ba9345f7fe97ae8d61647cdb738ae
  SHA1: d57e4164332168457a610fd07085a9391ae45e21
  SHA256: d1c9e7345bd6c43cc97d21af1680d8c61ce20d96eaa0af1062e58243af29020f
  SHA512: 7c33cc5356bf2c376402f3c1e7c578813a74eb63d545ab49c09d93de2c5500202e83d39a4b0ae0e77ce06219198dee868921f9213006529a6e3ead469dd98a71