Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 06:13
Static task
static1
Behavioral task
behavioral1
Sample
38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
Resource
win7-20240903-en
General
-
Target
38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
-
Size
96KB
-
MD5
974c6c7e364717a92b1f54f5d654fe20
-
SHA1
f474b144d14d24f20aa28f4037a4d3c9d9cc806d
-
SHA256
38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9
-
SHA512
6496d425bc88f0a53ac81b479e05c5bf8738e898c9cf32109cb0f12e806368b87f5c2bd18c8709bc3aacf8b72c43ae6aee90e6e2047bfafe3616df1581c32143
-
SSDEEP
1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:NGs8cd8eXlYairZYqMddH13B
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 6 IoCs
pid Process 2440 omsecor.exe 292 omsecor.exe 912 omsecor.exe 1412 omsecor.exe 1908 omsecor.exe 1200 omsecor.exe -
Loads dropped DLL 7 IoCs
pid Process 1976 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 1976 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 2440 omsecor.exe 292 omsecor.exe 292 omsecor.exe 1412 omsecor.exe 1412 omsecor.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2296 set thread context of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 2440 set thread context of 292 2440 omsecor.exe 33 PID 912 set thread context of 1412 912 omsecor.exe 36 PID 1908 set thread context of 1200 1908 omsecor.exe 38 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2296 wrote to memory of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 2296 wrote to memory of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 2296 wrote to memory of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 2296 wrote to memory of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 2296 wrote to memory of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 2296 wrote to memory of 1976 2296 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 31 PID 1976 wrote to memory of 2440 1976 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 32 PID 1976 wrote to memory of 2440 1976 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 32 PID 1976 wrote to memory of 2440 1976 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 32 PID 1976 wrote to memory of 2440 1976 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe 32 PID 2440 wrote to memory of 292 2440 omsecor.exe 33 PID 2440 wrote to memory of 292 2440 omsecor.exe 33 PID 2440 wrote to memory of 292 2440 omsecor.exe 33 PID 2440 wrote to memory of 292 2440 omsecor.exe 33 PID 2440 wrote to memory of 292 2440 omsecor.exe 33 PID 2440 wrote to memory of 292 2440 omsecor.exe 33 PID 292 wrote to memory of 912 292 omsecor.exe 35 PID 292 wrote to memory of 912 292 omsecor.exe 35 PID 292 wrote to memory of 912 292 omsecor.exe 35 PID 292 wrote to memory of 912 292 omsecor.exe 35 PID 912 wrote to memory of 1412 912 omsecor.exe 36 PID 912 wrote to memory of 1412 912 omsecor.exe 36 PID 912 wrote to memory of 1412 912 omsecor.exe 36 PID 912 wrote to memory of 1412 912 omsecor.exe 36 PID 912 wrote to memory of 1412 912 omsecor.exe 36 PID 912 wrote to memory of 1412 912 omsecor.exe 36 PID 1412 wrote to memory of 1908 1412 omsecor.exe 37 PID 1412 wrote to memory of 1908 1412 omsecor.exe 37 PID 1412 wrote to memory of 1908 1412 omsecor.exe 37 PID 1412 wrote to memory of 1908 1412 omsecor.exe 37 PID 1908 wrote to memory of 1200 1908 omsecor.exe 38 PID 1908 wrote to memory of 1200 1908 omsecor.exe 38 PID 1908 wrote to memory of 1200 1908 omsecor.exe 38 PID 1908 wrote to memory of 1200 1908 omsecor.exe 38 PID 1908 wrote to memory of 1200 1908 omsecor.exe 38 PID 1908 wrote to memory of 1200 1908 omsecor.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe"C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exeC:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1200
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5b5fb6c75d8e72cc1c36531d5f4420aae
SHA1d923ab3f2fccd434e642024da3d29cef3cf77c39
SHA256c95783b32a67731daa53bf7233e53712f9c86bfc0188f59e8e78d72a9c8477a6
SHA51227042afc8668f82e41702a2b9aae57038aa9fb073c82f2988be4aab6e41657523d5fbae42db0319ecc4593104494bb3671aca2aacef8f1a47737c8d022f68111
-
Filesize
96KB
MD55425a39d12d41e0b8843b479fb9b8526
SHA18dc2a1504770d72ff1bde1d0c123690727fdc296
SHA256d20c194ecd456987ab10e5106c5c54670b03fcd0ea65bfe9a99ad35d842027f2
SHA5127315dcc53ae97419052d07ab8abb135ccbf2f46823a87336324bcae04136573f564b788aaed52a7170f495da1cf43949ce5efebb724e01b5050f7cd6e3ebe534
-
Filesize
96KB
MD552d5aebf6d72b4e7ec838ddf69dc4650
SHA14c12683c989f26c96a622a8ade915408eb12fd4a
SHA256b9bd47f37b0501997e7562182e36343b5f2a5c2790da8bd33be81bfae65eb15a
SHA51243f1c2b1109e0ab460d3f22dde735e95a0810b40d1e8a4111ba934d80fab20fd2b4cec88ccb4ebe62785e752e78dcbe9404ba3b93f00f12fc6863eb8752a05a6