Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2025, 08:05
Static task: static1
Behavioral task: behavioral1
Sample: 59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Resource: win7-20240903-en
General
Target: 59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Size: 96KB
MD5: 8b2b21eebd1bb8f8765fff013b065ad0
SHA1: d838fa05cc4652376e0af6ec511417e5be1b68a3
SHA256: 59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250
SHA512: d5e7ceac818d5cd23e53e999ce4f6633aaa4bfdb0838a3d59e11d1827fcab1d2d226fcab129a0a09a32c95fb672c08e3b2b843ef711c9ae6e60f3ad627df68dd
SSDEEP: 1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:xGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
Extracted URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
2716  omsecor.exe
2724  omsecor.exe
2120  omsecor.exe
2040  omsecor.exe
2196  omsecor.exe
2332  omsecor.exe

Loads dropped DLL (7 IoCs)
pid   Process
2692  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
2692  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
2716  omsecor.exe
2724  omsecor.exe
2724  omsecor.exe
2040  omsecor.exe
2040  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 2252 set thread context of 2692  2252  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe  30
PID 2716 set thread context of 2724  2716  omsecor.exe                                                             32
PID 2120 set thread context of 2040  2120  omsecor.exe                                                             36
PID 2196 set thread context of 2332  2196  omsecor.exe                                                             38

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
The report lists one identical row per recorded write; the "count" column below gives how many times each row appears (36 in total).
description                      pid   Process                                                                 procid_target  count
PID 2252 wrote to memory of 2692  2252  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe  30             6
PID 2692 wrote to memory of 2716  2692  59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe  31             4
PID 2716 wrote to memory of 2724  2716  omsecor.exe                                                             32             6
PID 2724 wrote to memory of 2120  2724  omsecor.exe                                                             35             4
PID 2120 wrote to memory of 2040  2120  omsecor.exe                                                             36             6
PID 2040 wrote to memory of 2196  2040  omsecor.exe                                                             37             4
PID 2196 wrote to memory of 2332  2196  omsecor.exe                                                             38             6
Processes (depth in the tree, image path, command line, PID, and the signatures hit by that process)

Depth 1: C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe"
  PID: 2252
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
    PID: 2692
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2716
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2724
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 2120
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 2040
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            Depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 2196
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              Depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 2332
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 96KB
MD5: d50b0bea50f7465cc517056daf3246d6
SHA1: a7951b8b88b403b49fa2d7f90afd3579a634bbb5
SHA256: 2ecd9bdc1d1fa15698b152a7d56348423632ba4b0c3b17a7a106081dac5e0abf
SHA512: f4e7faa335caeb3b4a8c2281f5fe5c9cdbbb8c8d9b01640fcf87059f09f89e46a005821c61b5b4ce490a8a0ae4307cd01866b90c68974088411d13132db6692f

File 2
Filesize: 96KB
MD5: a1630f0e69f1b4b359f65ad94f2f1f04
SHA1: 24e7033338976a695c0789b342b19ff9ea1c9b07
SHA256: 54e755616171a813a17afac8348ee09c1961b24803e694949be0ff23e4a0ea0b
SHA512: 58b1459a89cb4273bb36d02f83350c0d31c91064f5425bf40b29c32dfd031a6bd2f65781e001261bdcbd1da503522ca22ab0e25104f34b429ef007938be85f36

File 3
Filesize: 96KB
MD5: db8a72c27a825aea46eeebcdb80c4b32
SHA1: fc7609313a90eb1e5a3db4b1b1db048b380f1b5a
SHA256: 5eda90176feb89c75074f57e0326b81fbadf3eb103127faa318049710f55b78d
SHA512: 06556cd47fcbdbdae5ee2ed3a555f78d5f3e7823d6947cc22cbd5af775ee9172876d1e187f9a2f73ea5c3b0eb1c838edd76405631b8b4c58b42cddf43137da07