Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2025, 06:55
Static task: static1
Behavioral task: behavioral1
Sample: 61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
Resource: win7-20240903-en
General
- Target: 61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
- Size: 96KB
- MD5: 95a659337ba9854552afc655c14415c0
- SHA1: d1698c372887ff93d1bdb37cdb9437b86559e961
- SHA256: 61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0
- SHA512: ef08e6157d7e84571f7accafa96b64fc8e144b72bac4a4c968be875a555470ff74347510b723bf9279b3b7f2867189f3ddddccd5ec500f34ebbe086fe5b9f999
- SSDEEP: 1536:fnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:fGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted family: neconyd
Extracted URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
    PID   Process
    2716  omsecor.exe
    2516  omsecor.exe
    772   omsecor.exe
    1452  omsecor.exe
    1392  omsecor.exe
    2196  omsecor.exe
- Loads dropped DLL (7 IoCs)
    PID   Process
    3064  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
    3064  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
    2716  omsecor.exe
    2516  omsecor.exe
    2516  omsecor.exe
    1452  omsecor.exe
    1452  omsecor.exe
- Drops file in System32 directory (1 IoC)
    Description   IoC                                Process
    File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
    Description                  PID   Process                                                                  procid_target
    set thread context of 3064   3040  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe  30
    set thread context of 2516   2716  omsecor.exe                                                              32
    set thread context of 1452   772   omsecor.exe                                                              35
    set thread context of 2196   1392  omsecor.exe                                                              37
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  The report records every write as a separate IoC; the rows below group them by writer and target, with the number of writes in the last column.
    Description              PID   Process                                                                  procid_target  Writes
    wrote to memory of 3064  3040  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe  30             6
    wrote to memory of 2716  3064  61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe  31             4
    wrote to memory of 2516  2716  omsecor.exe                                                              32             6
    wrote to memory of 772   2516  omsecor.exe                                                              34             4
    wrote to memory of 1452  772   omsecor.exe                                                              35             6
    wrote to memory of 1392  1452  omsecor.exe                                                              36             4
    wrote to memory of 2196  1392  omsecor.exe                                                              37             6
Processes
Each process below is a child of the one above it (depth 1 to 8).

1. C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe (PID 3040)
   Command line: "C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe (PID 3064)
     Command line: C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2716)
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2516)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe (PID 772)
           Command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe (PID 1452)
             Command line: C:\Windows\SysWOW64\omsecor.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1392)
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2196)
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads