Analysis
- max time kernel: 115s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 11:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
- Resource: win7-20241010-en
General
- Target: 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
- Size: 96KB
- MD5: a81d20fbc59985a3b7db87bbfaee5fe0
- SHA1: 8b7cbd78491f5dbc93c912a7464a9d3baff85ba6
- SHA256: 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3
- SHA512: 035f5e0ef094134c32f47754d3692f36ea88f9ff54c77cdd17c4bef0281b000edf3b5c3d949e00ccb3d0e26b8566114a87ab4590cb8edc6d5a48a301f1f64128
- SSDEEP: 1536:GnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:GGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
pid | Process
2448 | omsecor.exe
2948 | omsecor.exe
2064 | omsecor.exe
2016 | omsecor.exe
1448 | omsecor.exe
1744 | omsecor.exe
- Loads dropped DLL (7 IoCs)
pid | Process
3008 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
3008 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
2448 | omsecor.exe
2948 | omsecor.exe
2948 | omsecor.exe
2016 | omsecor.exe
2016 | omsecor.exe
- Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2660 set thread context of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 2448 set thread context of 2948 | 2448 | omsecor.exe | 31
PID 2064 set thread context of 2016 | 2064 | omsecor.exe | 34
PID 1448 set thread context of 1744 | 1448 | omsecor.exe | 36
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 2660 wrote to memory of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 2660 wrote to memory of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 2660 wrote to memory of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 2660 wrote to memory of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 2660 wrote to memory of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 2660 wrote to memory of 3008 | 2660 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 29
PID 3008 wrote to memory of 2448 | 3008 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 30
PID 3008 wrote to memory of 2448 | 3008 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 30
PID 3008 wrote to memory of 2448 | 3008 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 30
PID 3008 wrote to memory of 2448 | 3008 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 30
PID 2448 wrote to memory of 2948 | 2448 | omsecor.exe | 31
PID 2448 wrote to memory of 2948 | 2448 | omsecor.exe | 31
PID 2448 wrote to memory of 2948 | 2448 | omsecor.exe | 31
PID 2448 wrote to memory of 2948 | 2448 | omsecor.exe | 31
PID 2448 wrote to memory of 2948 | 2448 | omsecor.exe | 31
PID 2448 wrote to memory of 2948 | 2448 | omsecor.exe | 31
PID 2948 wrote to memory of 2064 | 2948 | omsecor.exe | 33
PID 2948 wrote to memory of 2064 | 2948 | omsecor.exe | 33
PID 2948 wrote to memory of 2064 | 2948 | omsecor.exe | 33
PID 2948 wrote to memory of 2064 | 2948 | omsecor.exe | 33
PID 2064 wrote to memory of 2016 | 2064 | omsecor.exe | 34
PID 2064 wrote to memory of 2016 | 2064 | omsecor.exe | 34
PID 2064 wrote to memory of 2016 | 2064 | omsecor.exe | 34
PID 2064 wrote to memory of 2016 | 2064 | omsecor.exe | 34
PID 2064 wrote to memory of 2016 | 2064 | omsecor.exe | 34
PID 2064 wrote to memory of 2016 | 2064 | omsecor.exe | 34
PID 2016 wrote to memory of 1448 | 2016 | omsecor.exe | 35
PID 2016 wrote to memory of 1448 | 2016 | omsecor.exe | 35
PID 2016 wrote to memory of 1448 | 2016 | omsecor.exe | 35
PID 2016 wrote to memory of 1448 | 2016 | omsecor.exe | 35
PID 1448 wrote to memory of 1744 | 1448 | omsecor.exe | 36
PID 1448 wrote to memory of 1744 | 1448 | omsecor.exe | 36
PID 1448 wrote to memory of 1744 | 1448 | omsecor.exe | 36
PID 1448 wrote to memory of 1744 | 1448 | omsecor.exe | 36
PID 1448 wrote to memory of 1744 | 1448 | omsecor.exe | 36
PID 1448 wrote to memory of 1744 | 1448 | omsecor.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2660
- C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
  Depth: 2
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3008
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Depth: 3
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2448
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Depth: 4
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2948
- C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  Depth: 5
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2064
- C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  Depth: 6
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2016
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Depth: 7
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1448
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Depth: 8
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1744
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 41727eb08ad5cbef79d109b0b24dbd3b
  SHA1: 125a88131440768053ab0bd76a2b0808897c2744
  SHA256: b37c2272f536f2a8f57eb7414e91407a4b3c10faa6a029ba0d7fee5281990265
  SHA512: 8d26d4038dc05390af1f2704a1bac0e927af444b949f2c72c1a09a87a318a1ceb5511c96d9d553dc536835c58f2ede4f28b4d3412251e64ec1e047d5b147e1e5
- Filesize: 96KB
  MD5: 4e9e560ba2df60a8d7fd9221f0d7cd31
  SHA1: 45d7df9af9f7614d8498a383f9e3aa5e97003121
  SHA256: 46d86820e33db1433ca173c5f6f5de2848431d691ceab999aa19fd347f6d7a12
  SHA512: 9b25fdf4af733f35b871feb712b60f2550ec3c91674961ba46b3b70de59e836e6e8f48ca6c92037b20f837921392e8e253b63d9d74ab5700f0d34c60c3d32718
- Filesize: 96KB
  MD5: ef25274211f3af02b3c950976a45ba21
  SHA1: 5ece2b15dc3136c6c6071040d6a17c43eda1be05
  SHA256: 1b4b34834fd5bfcf9329e07c0163e50ca22ca174d0fb1001c2d9431ce0e67268
  SHA512: 26a1ee6ab8af7b12e6cc90f76763035bcd4cb2fa87823787acff584f87b0a76f15fd98606f47848f902f8b9ba32cebc74c2f9a47c20e444cf2e8687fd8f474e5