Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2025, 09:47
Static task: static1
Behavioral task: behavioral1
Sample: bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
Resource: win7-20240729-en
General
- Target: bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
- Size: 96KB
- MD5: 457a82e3e0a146a22e9dbacd802b75e6
- SHA1: 3198f8c4b0b1fcf8a03f3f90e7e9bc70ddc4b5aa
- SHA256: bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e
- SHA512: 1d89cc96d6edb9d7918b9de9fccaa91a7c8f8ee77d7c58f33f5877406189aede63167c950ab0408651da7619b773742e2945529a061ae08f3d6aa411e6f0912b
- SSDEEP: 1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:EGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted configuration (family: neconyd)
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  PID   Process
  2168  omsecor.exe
  2912  omsecor.exe
  3004  omsecor.exe
  2428  omsecor.exe
  1576  omsecor.exe
  836   omsecor.exe
- Loads dropped DLL (7 IoCs)
  PID   Process
  1796  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
  1796  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
  2168  omsecor.exe
  2912  omsecor.exe
  2912  omsecor.exe
  2428  omsecor.exe
  2428  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Description                 PID   Process                                                                   procid_target
  set thread context of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  set thread context of 2912  2168  omsecor.exe                                                               32
  set thread context of 2428  3004  omsecor.exe                                                               35
  set thread context of 836   1576  omsecor.exe                                                               37
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Description              PID   Process                                                                   procid_target
  wrote to memory of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  wrote to memory of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  wrote to memory of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  wrote to memory of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  wrote to memory of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  wrote to memory of 1796  2652  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  30
  wrote to memory of 2168  1796  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  31
  wrote to memory of 2168  1796  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  31
  wrote to memory of 2168  1796  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  31
  wrote to memory of 2168  1796  bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe  31
  wrote to memory of 2912  2168  omsecor.exe                                                               32
  wrote to memory of 2912  2168  omsecor.exe                                                               32
  wrote to memory of 2912  2168  omsecor.exe                                                               32
  wrote to memory of 2912  2168  omsecor.exe                                                               32
  wrote to memory of 2912  2168  omsecor.exe                                                               32
  wrote to memory of 2912  2168  omsecor.exe                                                               32
  wrote to memory of 3004  2912  omsecor.exe                                                               34
  wrote to memory of 3004  2912  omsecor.exe                                                               34
  wrote to memory of 3004  2912  omsecor.exe                                                               34
  wrote to memory of 3004  2912  omsecor.exe                                                               34
  wrote to memory of 2428  3004  omsecor.exe                                                               35
  wrote to memory of 2428  3004  omsecor.exe                                                               35
  wrote to memory of 2428  3004  omsecor.exe                                                               35
  wrote to memory of 2428  3004  omsecor.exe                                                               35
  wrote to memory of 2428  3004  omsecor.exe                                                               35
  wrote to memory of 2428  3004  omsecor.exe                                                               35
  wrote to memory of 1576  2428  omsecor.exe                                                               36
  wrote to memory of 1576  2428  omsecor.exe                                                               36
  wrote to memory of 1576  2428  omsecor.exe                                                               36
  wrote to memory of 1576  2428  omsecor.exe                                                               36
  wrote to memory of 836   1576  omsecor.exe                                                               37
  wrote to memory of 836   1576  omsecor.exe                                                               37
  wrote to memory of 836   1576  omsecor.exe                                                               37
  wrote to memory of 836   1576  omsecor.exe                                                               37
  wrote to memory of 836   1576  omsecor.exe                                                               37
  wrote to memory of 836   1576  omsecor.exe                                                               37
Processes (each entry is a child of the one above it; the number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe"
    PID: 2652
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bd462c8dcee8afb7bf8e0fc17cff9e4b431bf5f7219e38fa3f4357200207863e.exe
      PID: 1796
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2168
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2912
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 3004
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 2428
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 1576
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 836
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 96KB
  MD5: 1877fee05d1d7194a2b666097bed2003
  SHA1: c1e16075caa495602758216adeee5a4a59d782d8
  SHA256: 36140d63698d9294fb0f1663a370e0b3b5627ae6357a6f43fb2d914394a48823
  SHA512: ecd404c1e3798c86ad7a52ce2d1a9bf9bf688f13655caf7e9832c4083f32e10f0d430785b6b5afbc83060fa370822e75f073d7b19739dbea3f007181395d7d7f
- File 2
  Filesize: 96KB
  MD5: a3b53c494183a6a24b9c0be9e59d4e2f
  SHA1: 13d0d65c6ea5c2082d4a11026adf872f6d1ba561
  SHA256: ae7913f1601c7f2054b7698cc8ad63caf922a6702f504ffc4e72c46601e19ffc
  SHA512: 9c9ddedd1898d8d999b12a2e4541e3ae8d109973b44c471bd67aa2b1a8961f564dea6a2b43bf4844e53357f9bbf3dd7f89fb9ebc64da1301dcfde0384ca5afa8
- File 3
  Filesize: 96KB
  MD5: b9f8811e8ddf167196c1b3b1aeb6fdcf
  SHA1: 19291d42037f601b5c880a6d7d7102f85e44adf2
  SHA256: 80d44b014837d5e71be18caeed5d8188cd14534926f7c9e8386950126394352b
  SHA512: 7da3785a7eb337541388531ca49d44888511db182b7458b1e5c8727ebc54fc2ac387ecc1719d6746c0c9ecea390f5a79241fb483429a7d2aead2b1146c69bf00