Analysis
- max time kernel: 115s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 02:03
Static task: static1
Behavioral task: behavioral1
Sample: 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Resource: win7-20240903-en
General
- Target: 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
- Size: 96KB
- MD5: 424f283b670f5184ae95851fe76a3603
- SHA1: e95026178513a139cf4c9d44f37d1142bb8559ce
- SHA256: 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db
- SHA512: a11068534d6917d2bc4a5d985606ad9dc4b5f1c5dc506bd3bae6ee7e251c3c41e53d9b27abcc1712bbc70ef6417436cf7b2fe17cd80bce2adc4bdfb7a2262210
- SSDEEP: 1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:WGs8cd8eXlYairZYqMddH13L
Malware Config (extracted)
Family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
Executes dropped EXE (6 IoCs)
pid   Process
3040  omsecor.exe
2760  omsecor.exe
1788  omsecor.exe
996   omsecor.exe
280   omsecor.exe
2444  omsecor.exe
Loads dropped DLL (7 IoCs)
pid   Process
2532  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
2532  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
3040  omsecor.exe
2760  omsecor.exe
2760  omsecor.exe
996   omsecor.exe
996   omsecor.exe
Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)
description                            pid   Process                                                                  procid_target
PID 2484 set thread context of 2532    2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 3040 set thread context of 2760    3040  omsecor.exe                                                              32
PID 1788 set thread context of 996     1788  omsecor.exe                                                              36
PID 280 set thread context of 2444     280   omsecor.exe                                                              38
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Suspicious use of WriteProcessMemory (36 IoCs)
description                          pid   Process                                                                  procid_target
PID 2484 wrote to memory of 2532     2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 2484 wrote to memory of 2532     2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 2484 wrote to memory of 2532     2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 2484 wrote to memory of 2532     2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 2484 wrote to memory of 2532     2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 2484 wrote to memory of 2532     2484  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  30
PID 2532 wrote to memory of 3040     2532  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  31
PID 2532 wrote to memory of 3040     2532  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  31
PID 2532 wrote to memory of 3040     2532  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  31
PID 2532 wrote to memory of 3040     2532  0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe  31
PID 3040 wrote to memory of 2760     3040  omsecor.exe                                                              32
PID 3040 wrote to memory of 2760     3040  omsecor.exe                                                              32
PID 3040 wrote to memory of 2760     3040  omsecor.exe                                                              32
PID 3040 wrote to memory of 2760     3040  omsecor.exe                                                              32
PID 3040 wrote to memory of 2760     3040  omsecor.exe                                                              32
PID 3040 wrote to memory of 2760     3040  omsecor.exe                                                              32
PID 2760 wrote to memory of 1788     2760  omsecor.exe                                                              35
PID 2760 wrote to memory of 1788     2760  omsecor.exe                                                              35
PID 2760 wrote to memory of 1788     2760  omsecor.exe                                                              35
PID 2760 wrote to memory of 1788     2760  omsecor.exe                                                              35
PID 1788 wrote to memory of 996      1788  omsecor.exe                                                              36
PID 1788 wrote to memory of 996      1788  omsecor.exe                                                              36
PID 1788 wrote to memory of 996      1788  omsecor.exe                                                              36
PID 1788 wrote to memory of 996      1788  omsecor.exe                                                              36
PID 1788 wrote to memory of 996      1788  omsecor.exe                                                              36
PID 1788 wrote to memory of 996      1788  omsecor.exe                                                              36
PID 996 wrote to memory of 280       996   omsecor.exe                                                              37
PID 996 wrote to memory of 280       996   omsecor.exe                                                              37
PID 996 wrote to memory of 280       996   omsecor.exe                                                              37
PID 996 wrote to memory of 280       996   omsecor.exe                                                              37
PID 280 wrote to memory of 2444      280   omsecor.exe                                                              38
PID 280 wrote to memory of 2444      280   omsecor.exe                                                              38
PID 280 wrote to memory of 2444      280   omsecor.exe                                                              38
PID 280 wrote to memory of 2444      280   omsecor.exe                                                              38
PID 280 wrote to memory of 2444      280   omsecor.exe                                                              38
PID 280 wrote to memory of 2444      280   omsecor.exe                                                              38
Processes (each entry is nested one level under the one above it)

[1] C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe"
    PID: 2484
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
      PID: 2532
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3040
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2760
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 1788
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 996
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 280
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2444
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 53966f9be167af83b0ba210b95aa4a6e
  SHA1: c6dd9bf60a28b3112f07d83603baf83dbffad9c0
  SHA256: 0d70416395b922c2b4e43afc07122734f46911f80ff8886bad5890018aed205a
  SHA512: b04ca4174a788a320bc6f17d06527200c357b293b2d5b064b605a8ba24f3f5a55c8b383b8def35e9454ab8dfb7d0e9a9a4124369d024553b67e7430e81fcc834
- Filesize: 96KB
  MD5: 67ba256ad3ce42e329f957afecc53b1c
  SHA1: 3c47d8dfab424d380346ca146fa1f40de23835cd
  SHA256: 19cb46945cc3773f307c33886db970a1ebed8753c40244db11e41b6b39088012
  SHA512: 897b1fb963609939d84281e4e205ae46da0e95d23ce569083fc4f4e93801633b5ae2776677c13ef5b64623a837c696ea990cc26f0c9170d3368f97c642fc6bb9
- Filesize: 96KB
  MD5: 8bbf5ec28b6cf69904841b4efdec0d8f
  SHA1: ca8fb0842eca9c9b102bc846f43551f4827349bc
  SHA256: a24b5bbb3434b5b18cc49fecab6fd2693abe1b6248fcea1681e6de057e886f93
  SHA512: 626f4dbc54b2a9e828fd31b67c4952269dd61866e987db7fd9b954d9d7d261df3bfc89a78241f35f972d1c17ed301b2140dea41fd09849d00dcce0e4bcaa2905