Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 116s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 27/01/2025, 16:49
Static task: static1
Behavioral task: behavioral1
Sample: d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
Resource: win7-20241010-en
General
Target: d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
Size: 96KB
MD5: bd7713ed8422c64dff66486d55ce4a50
SHA1: 5d94eb3814fcc4b464f025075ccf78aa7789b71f
SHA256: d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34
SHA512: c4482819a5463759c1a79c14147472ce1542eb175d788d394358ea3ee70909dde733f2b0523e240abda86ea339479081d0f4d75eef74a75a89e06876573c9ac5
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:4Gs8cd8eXlYairZYqMddH13J
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  pid  | Process
  2988 | omsecor.exe
  2484 | omsecor.exe
  972  | omsecor.exe
  2504 | omsecor.exe
  836  | omsecor.exe
  840  | omsecor.exe

Loads dropped DLL (7 IoCs)
  pid  | Process
  2216 | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
  2216 | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
  2988 | omsecor.exe
  2484 | omsecor.exe
  2484 | omsecor.exe
  2504 | omsecor.exe
  2504 | omsecor.exe

Drops file in System32 directory (1 IoC)
  description  | ioc                             | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                         | pid  | Process                                                                  | procid_target
  PID 2304 set thread context of 2216 | 2304 | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe | 29
  PID 2988 set thread context of 2484 | 2988 | omsecor.exe                                                              | 31
  PID 972 set thread context of 2504  | 972  | omsecor.exe                                                              | 34
  PID 836 set thread context of 840   | 836  | omsecor.exe                                                              | 36

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                            | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe (6 events)
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe (2 events)

Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed with an event count)
  description                      | pid  | Process                                                                  | procid_target | events
  PID 2304 wrote to memory of 2216 | 2304 | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe | 29            | 6
  PID 2216 wrote to memory of 2988 | 2216 | d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe | 30            | 4
  PID 2988 wrote to memory of 2484 | 2988 | omsecor.exe                                                              | 31            | 6
  PID 2484 wrote to memory of 972  | 2484 | omsecor.exe                                                              | 33            | 4
  PID 972 wrote to memory of 2504  | 972  | omsecor.exe                                                              | 34            | 6
  PID 2504 wrote to memory of 836  | 2504 | omsecor.exe                                                              | 35            | 4
  PID 836 wrote to memory of 840   | 836  | omsecor.exe                                                              | 36            | 6
Processes

1. C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe"
   PID: 2304
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
     PID: 2216
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 2988
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2484
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 972
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 2504
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 836
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 840
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: 3a090f39f732307373380b0a33b6806d
  SHA1: 41606e9188d956b1c3683ac588c3d4a0d4e994ae
  SHA256: 33e6e6c57e92b416ccf86d428c95ab2bc7ef48b36436191e89abe57cb02d425d
  SHA512: 8c4a92947298ad2737a4a926277763ddf4c8b1880ae17ef9fcb87ebc5e7927663352459267fc394bce31459e7871f6e846b8528424927e2ecc81ab14ceb457b3

- Filesize: 96KB
  MD5: e2685e4a55e061c4ef957a1ea754d226
  SHA1: 7d9ae2c64c6475118056d8e9a779ad1d15b8220f
  SHA256: 8a59b11af8ad2f0523084f0ce4904f3859dfdfb6e4b2f8b6f6fc75fbf51ef7b7
  SHA512: 749d7a3765a460c41f7d9cea5a74664859fc405286f568f7eba89a9bdf13235f99e9b9d47feba2659babc195ca3877b1131830f989fce33cceae13c0cfc0e3f9

- Filesize: 96KB
  MD5: b9b07e638f19002bf42b1b255c6ab1d7
  SHA1: 91821e14f51f99bdface0489b58dfeb9abbd36fe
  SHA256: bcef61bbd14147316e514f5f79d25776a7bb07091b67c57eef7bea63bd7cbc88
  SHA512: 11ecf64ccc8e139389324c9909ff2e8e0ec01239f321f1ce3cb0e184309d875e4dd8f473a923ebe15a93e8741f944fde9e0997c657d0b7d8f8cb1728dce1bf6c