Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 19:11
Static task: static1
Behavioral task: behavioral1
- Sample: 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
- Resource: win7-20240903-en
General
- Target: 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
- Size: 96KB
- MD5: a8c0fcc2af31901e2a529fc64ae8cc81
- SHA1: 29b1dc02e111ef01c0963f650d9436cd0f0d4278
- SHA256: 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432
- SHA512: ac1486b5db71b9a3f56ee88e6321f595649691adc9c62908ba870f96a3fac47306685216696a31b422f8cf1e0e60d36dbff764ce5ab0a93dfaf4f0f7f0894c51
- SSDEEP: 1536:GnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:GGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid / Process:
  - 2348 omsecor.exe
  - 2532 omsecor.exe
  - 1740 omsecor.exe
  - 324 omsecor.exe
  - 316 omsecor.exe
  - 2936 omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid / Process:
  - 2144 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
  - 2144 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
  - 2348 omsecor.exe
  - 2532 omsecor.exe
  - 2532 omsecor.exe
  - 324 omsecor.exe
  - 324 omsecor.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  - File created / C:\Windows\SysWOW64\omsecor.exe / omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid / Process / procid_target:
  - PID 2100 set thread context of 2144 / 2100 / 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe / 30
  - PID 2348 set thread context of 2532 / 2348 / omsecor.exe / 32
  - PID 1740 set thread context of 324 / 1740 / omsecor.exe / 36
  - PID 316 set thread context of 2936 / 316 / omsecor.exe / 38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description / pid / Process / procid_target (repeated rows collapsed, occurrence count given per row):
  - PID 2100 wrote to memory of 2144 / 2100 / 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe / 30 (6 occurrences)
  - PID 2144 wrote to memory of 2348 / 2144 / 196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe / 31 (4 occurrences)
  - PID 2348 wrote to memory of 2532 / 2348 / omsecor.exe / 32 (6 occurrences)
  - PID 2532 wrote to memory of 1740 / 2532 / omsecor.exe / 35 (4 occurrences)
  - PID 1740 wrote to memory of 324 / 1740 / omsecor.exe / 36 (6 occurrences)
  - PID 324 wrote to memory of 316 / 324 / omsecor.exe / 37 (4 occurrences)
  - PID 316 wrote to memory of 2936 / 316 / omsecor.exe / 38 (6 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe"
   PID: 2100
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
      PID: 2144
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2348
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2532
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\omsecor.exe
               Command line: C:\Windows\System32\omsecor.exe
               PID: 1740
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\omsecor.exe
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  PID: 324
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     PID: 316
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory
                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        PID: 2936
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: d24fed6ff9bfbd7d0b611ac52adc7b6f
  SHA1: 932e740998865fe22134d8846bda99b443c3fc33
  SHA256: 7f4023f0a5f913fc2f430a4c1d87feda6c2b497c9038a574a9df8140b9a7fd3c
  SHA512: c534578ce285bea415e9ab48ccc14d711d4075b5b1d117cb637e51b846c8c24f8469a4e9ce342a98af74bc2c8f643be038f40aa436a9465f6597b8184128b3b3
- Filesize: 96KB
  MD5: e30d0709f86b362a0f8e101dabc1d013
  SHA1: 392a09e1fbb8a2f91590bb28dea579e6c46178c8
  SHA256: 594851e7c4d45846c291e501f2f2d1d6d5f0bffe42104fb8aa6483a187277163
  SHA512: aa532424702b6420cde10073b5053bc0738cfd13fa4e89f64827843e0af146d8260a59e50267ea872b58a4070a236e5686fadef0d021b5162996dacc6f73d427
- Filesize: 96KB
  MD5: 0d7c99ceb8b875a581c5a7faab8cdea8
  SHA1: 0428878cd48c6e58866d386a057d24e40140bfee
  SHA256: 759931bdeb72bc5278f72465aa828991b9af7893a4a0f4cc8c26841e53522620
  SHA512: dcd4ca54ad3f138cfff590e08bada1302f7ee755c3014a8222ba331475bb1c510d80d662242596e468ba9497c06e2e76376e9791f1fe936dffab9fe1f1c13e61