Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2025, 10:58
Static task: static1
Behavioral task: behavioral1
- Sample: a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
- Resource: win7-20240729-en
General
- Target: a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
- Size: 96KB
- MD5: 3741f3d1409a19365929b6bd1dee01d6
- SHA1: da584cee4bebddcd5f48bb30c883c8950b5e160d
- SHA256: a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7
- SHA512: 37a764e84764ebf79138ea4cfa70d72ffd351d4ba3b8d23c97510452b7712bb15c7dda8f6189e69e19c8ae1bc06aa4f42eb299213a6d9b110ce75607d453e9e5
- SSDEEP: 1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:xGs8cd8eXlYairZYqMddH13J
Malware Config (extracted)
- Family: neconyd
- URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)
  pid   Process
  2920  omsecor.exe
  2000  omsecor.exe
  1808  omsecor.exe
  1192  omsecor.exe
  1120  omsecor.exe
  2956  omsecor.exe

- Loads dropped DLL (7 IoCs)
  pid   Process
  1944  a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
  1944  a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
  2920  omsecor.exe
  2000  omsecor.exe
  2000  omsecor.exe
  1192  omsecor.exe
  1192  omsecor.exe

- Drops file in System32 directory (1 IoCs)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2336 set thread context of 1944  2336  a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe     30
  PID 2920 set thread context of 2000  2920  omsecor.exe                                                               32
  PID 1808 set thread context of 1192  1808  omsecor.exe                                                               36
  PID 1120 set thread context of 2956  1120  omsecor.exe                                                               38
- System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description                       pid   Process                                                                   procid_target  count
  PID 2336 wrote to memory of 1944  2336  a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe     30             6
  PID 1944 wrote to memory of 2920  1944  a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe     31             4
  PID 2920 wrote to memory of 2000  2920  omsecor.exe                                                               32             6
  PID 2000 wrote to memory of 1808  2000  omsecor.exe                                                               35             4
  PID 1808 wrote to memory of 1192  1808  omsecor.exe                                                               36             6
  PID 1192 wrote to memory of 1120  1192  omsecor.exe                                                               37             4
  PID 1120 wrote to memory of 2956  1120  omsecor.exe                                                               38             6
Processes

1. C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe (PID 2336)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe (PID 1944)
      Command line: C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2920)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2000)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\omsecor.exe (PID 1808)
               Command line: C:\Windows\System32\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\omsecor.exe (PID 1192)
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1120)
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory

                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2956)
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: 3f8bba03c981efd8f5a58855bd9b29df
  SHA1: 25a428aa709764c7316888d8fa6b71dcf693ad5a
  SHA256: d4d60eb1ed15d9f84b6926080379abeeb07027c7ab66c8e86e232c4963adb3ee
  SHA512: 3b79053e7be7af9ceec97f6affe4f469450c284106ee0c8fd4034eaa5ca2b51a323e4a3542c46f63dbd1d29973243c0c775708027781b6832b52fd9e258250fb

- Filesize: 96KB
  MD5: b68e12b881253c73dd7ebf5add9f9ae1
  SHA1: 25d90681c112e715b65b033fb85831f7d80bf763
  SHA256: 6f0fa6f57d86e7fc8d81c039193fd075b2fa11a4f21c0eda3a988a9f7c43478b
  SHA512: 64658419ec4463efb856e78dc240691827ff653fab72ceea1f9a164cc48202388088494887763b8e74de5d724b66f93e259e33f6768493e48da3113e1ca456da

- Filesize: 96KB
  MD5: 418937c384703d47ba12a8188337ad43
  SHA1: d73f09c727e2808cfc60b58b059d0b6958fef759
  SHA256: 7ae33e8ee9dc4dd8942f30e518ca7a09e60fcc5169a8a9f56f9674a341ad871d
  SHA512: 3caf8f38fd74df9fbe0ca76701d2d4a7ba6586e3c8a04faab4580df249a38d8dad426392f3b74e7b7936677b5b380d0e6014ae7e851d977c60dcf1567cf116a8