Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 16:40
Static task: static1
Behavioral task: behavioral1
Sample: 6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Resource: win7-20240903-en
General
Target: 6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
Size: 96KB
MD5: 814733274f353ce8fc4f848ededbe1d0
SHA1: 09f8833933b33adffe648fdc6c7723e8e2a89a57
SHA256: 6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89
SHA512: 4e0a8812c1622b82a4805258bd1b82565599eb9070f6bf9eb172adadfec30365192349792b45184f3ec7efccb0ce02c3bb31970f103df31813e15342206ff5dc
SSDEEP: 1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:EGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2852  omsecor.exe
  2856  omsecor.exe
  580   omsecor.exe
  1680  omsecor.exe
  2556  omsecor.exe
  2172  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2684  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  2684  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  2852  omsecor.exe
  2856  omsecor.exe
  2856  omsecor.exe
  1680  omsecor.exe
  1680  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2412 set thread context of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2852 set thread context of 2856  2852  omsecor.exe                                                               33
  PID 580 set thread context of 1680   580   omsecor.exe                                                               37
  PID 2556 set thread context of 2172  2556  omsecor.exe                                                               39
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description                      pid   Process                                                                   procid_target
  PID 2412 wrote to memory of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2412 wrote to memory of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2412 wrote to memory of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2412 wrote to memory of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2412 wrote to memory of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2412 wrote to memory of 2684  2412  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  31
  PID 2684 wrote to memory of 2852  2684  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  32
  PID 2684 wrote to memory of 2852  2684  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  32
  PID 2684 wrote to memory of 2852  2684  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  32
  PID 2684 wrote to memory of 2852  2684  6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe  32
  PID 2852 wrote to memory of 2856  2852  omsecor.exe                                                               33
  PID 2852 wrote to memory of 2856  2852  omsecor.exe                                                               33
  PID 2852 wrote to memory of 2856  2852  omsecor.exe                                                               33
  PID 2852 wrote to memory of 2856  2852  omsecor.exe                                                               33
  PID 2852 wrote to memory of 2856  2852  omsecor.exe                                                               33
  PID 2852 wrote to memory of 2856  2852  omsecor.exe                                                               33
  PID 2856 wrote to memory of 580   2856  omsecor.exe                                                               36
  PID 2856 wrote to memory of 580   2856  omsecor.exe                                                               36
  PID 2856 wrote to memory of 580   2856  omsecor.exe                                                               36
  PID 2856 wrote to memory of 580   2856  omsecor.exe                                                               36
  PID 580 wrote to memory of 1680   580   omsecor.exe                                                               37
  PID 580 wrote to memory of 1680   580   omsecor.exe                                                               37
  PID 580 wrote to memory of 1680   580   omsecor.exe                                                               37
  PID 580 wrote to memory of 1680   580   omsecor.exe                                                               37
  PID 580 wrote to memory of 1680   580   omsecor.exe                                                               37
  PID 580 wrote to memory of 1680   580   omsecor.exe                                                               37
  PID 1680 wrote to memory of 2556  1680  omsecor.exe                                                               38
  PID 1680 wrote to memory of 2556  1680  omsecor.exe                                                               38
  PID 1680 wrote to memory of 2556  1680  omsecor.exe                                                               38
  PID 1680 wrote to memory of 2556  1680  omsecor.exe                                                               38
  PID 2556 wrote to memory of 2172  2556  omsecor.exe                                                               39
  PID 2556 wrote to memory of 2172  2556  omsecor.exe                                                               39
  PID 2556 wrote to memory of 2172  2556  omsecor.exe                                                               39
  PID 2556 wrote to memory of 2172  2556  omsecor.exe                                                               39
  PID 2556 wrote to memory of 2172  2556  omsecor.exe                                                               39
  PID 2556 wrote to memory of 2172  2556  omsecor.exe                                                               39
Processes (process tree; the number is the depth of the entry in the tree)
Depth 1: C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe"
  PID: 2412
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 2: C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\6c45fbd5a91e9acac9f97aa47bcbcfd524aaa462eec97919cfa7d13a0e31ca89N.exe
  PID: 2684
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2852
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2856
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  PID: 580
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  PID: 1680
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2556
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2172
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 6ebfdd297b8dbfdda90e46785788f35b
  SHA1: a7fac01130f84b7827df1d7fdac4bba2fde58762
  SHA256: d38259ea04d6c7ea46c4cecbeb2bc90c923bff6489c34fbd4d7b9a4b906c7166
  SHA512: 9160b5b22a08645e602cef60333bc3181a8d043113bbe55cdd450a6fac603b7be179b6af01e9ea2b55e8109d817cd408f1fd8009d54663b19e5f74bf6a3615e5
- Filesize: 96KB
  MD5: b82013e755f4aace44fa10f6071d168f
  SHA1: f8c03409d9bbf4a6fa6123e5baf0f13a44f85b86
  SHA256: 10a432577754c88bf8c2d9a476f1afe63fb72fc79c8ccb3b4be7c771f55162c4
  SHA512: b81b2332934455276e777e3cd1c71d4d1638a4167f8036981cc6bcc1d7dee1bd49b9506f29e3c6ad5c98d6a78d154c75da61bd97ba6c5b72e5318caa254ede1e
- Filesize: 96KB
  MD5: 3ceedaf0cd37ce66bf3a2277803a27b4
  SHA1: d1853f6a36dad1e721f6b0c63a281b4a799e9ae6
  SHA256: 38c8a25d73dedab66d7e8c472d1eb1f2768f29f213b50d9a200bc71e4bafe570
  SHA512: 08e9f512a282b5cc6ab32319787462a8b9ac66f95841c4fcb668d818341a06920051cb092dfb1dda0b8a574adc4244a9702682a9f7d34dda7b009af9e066f580