Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28/01/2025, 16:20
Static task
static1
Behavioral task
behavioral1
Sample
7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Resource
win7-20240708-en
General
Target: 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Size: 96KB
MD5: 5ec2d98eed16ff460b007d4e1906b847
SHA1: 083ea682b0221622e57184ba39a8a15477a426fd
SHA256: 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345
SHA512: 65d570166147941bfb8a52c4f09c2502bb070b083b92d9177b7f1a5906da2a28197bdc31cc4bf7f9326ce68fd52e59c318191610829d0c29e610faeb3249a793
SSDEEP: 1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:aGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid | Process
  2776 | omsecor.exe
  2636 | omsecor.exe
  1848 | omsecor.exe
  2900 | omsecor.exe
  1952 | omsecor.exe
  2952 | omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  2024 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
  2024 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
  2776 | omsecor.exe
  2636 | omsecor.exe
  2636 | omsecor.exe
  2900 | omsecor.exe
  2900 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 3068 set thread context of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 2776 set thread context of 2636 | 2776 | omsecor.exe | 32
  PID 1848 set thread context of 2900 | 1848 | omsecor.exe | 36
  PID 1952 set thread context of 2952 | 1952 | omsecor.exe | 38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 3068 wrote to memory of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 3068 wrote to memory of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 3068 wrote to memory of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 3068 wrote to memory of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 3068 wrote to memory of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 3068 wrote to memory of 2024 | 3068 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 30
  PID 2024 wrote to memory of 2776 | 2024 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 31
  PID 2024 wrote to memory of 2776 | 2024 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 31
  PID 2024 wrote to memory of 2776 | 2024 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 31
  PID 2024 wrote to memory of 2776 | 2024 | 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe | 31
  PID 2776 wrote to memory of 2636 | 2776 | omsecor.exe | 32
  PID 2776 wrote to memory of 2636 | 2776 | omsecor.exe | 32
  PID 2776 wrote to memory of 2636 | 2776 | omsecor.exe | 32
  PID 2776 wrote to memory of 2636 | 2776 | omsecor.exe | 32
  PID 2776 wrote to memory of 2636 | 2776 | omsecor.exe | 32
  PID 2776 wrote to memory of 2636 | 2776 | omsecor.exe | 32
  PID 2636 wrote to memory of 1848 | 2636 | omsecor.exe | 35
  PID 2636 wrote to memory of 1848 | 2636 | omsecor.exe | 35
  PID 2636 wrote to memory of 1848 | 2636 | omsecor.exe | 35
  PID 2636 wrote to memory of 1848 | 2636 | omsecor.exe | 35
  PID 1848 wrote to memory of 2900 | 1848 | omsecor.exe | 36
  PID 1848 wrote to memory of 2900 | 1848 | omsecor.exe | 36
  PID 1848 wrote to memory of 2900 | 1848 | omsecor.exe | 36
  PID 1848 wrote to memory of 2900 | 1848 | omsecor.exe | 36
  PID 1848 wrote to memory of 2900 | 1848 | omsecor.exe | 36
  PID 1848 wrote to memory of 2900 | 1848 | omsecor.exe | 36
  PID 2900 wrote to memory of 1952 | 2900 | omsecor.exe | 37
  PID 2900 wrote to memory of 1952 | 2900 | omsecor.exe | 37
  PID 2900 wrote to memory of 1952 | 2900 | omsecor.exe | 37
  PID 2900 wrote to memory of 1952 | 2900 | omsecor.exe | 37
  PID 1952 wrote to memory of 2952 | 1952 | omsecor.exe | 38
  PID 1952 wrote to memory of 2952 | 1952 | omsecor.exe | 38
  PID 1952 wrote to memory of 2952 | 1952 | omsecor.exe | 38
  PID 1952 wrote to memory of 2952 | 1952 | omsecor.exe | 38
  PID 1952 wrote to memory of 2952 | 1952 | omsecor.exe | 38
  PID 1952 wrote to memory of 2952 | 1952 | omsecor.exe | 38
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe (PID 3068)
   command line: "C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe (PID 2024)
     command line: C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2776)
       command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2636)
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe (PID 1848)
           command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe (PID 2900)
             command line: C:\Windows\SysWOW64\omsecor.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1952)
               command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2952)
                 command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 23d1cf278ac56ac9435ba38ab08205bf
  SHA1: 88821ebd6beff95e06b8cdda9769a226792e12e7
  SHA256: f8ae97a2442f7a0d7c37b633de740a13ec45c0b06390080e85f34312e5377f28
  SHA512: 458e47b01a62750aa97b1d163077695bd0b493f9674ebb2a3105b5c6b592f86fb80d0889e6b1402be57326fb084119b16ff66cc3bd1cb825a894ce4723d904ad
- Filesize: 96KB
  MD5: 6bbca8024a5e0a6bd7ad4c93ee5e492a
  SHA1: d453deacd8079ad39f9c0890d6b51504db732803
  SHA256: 6a7f2abda56a3d4342f4418a13ae9aa4d83e61f1b14194b407cc09d734635f1a
  SHA512: 2f7964d6e3da7070bbb1a71e0278e9ca30de62e75e63a6a80ee633cc1ac32f729aeec010bff5ad8796f4e46a8ba2916b77bdadb4b60952a4627fd2bc1b0f3bdf
- Filesize: 96KB
  MD5: ed0ee97a0b8d3e5961cab4f3e30be2cf
  SHA1: 98481edff0c0cc02f11ade21621732bc61202b5a
  SHA256: 5a8c8f2a90b0b1b30e516562d0118caaea4c5c80a26c990f091d1418b4e7afad
  SHA512: 6694136e046b07ce81f0d7798f059bcfc3d42c9db45a8c44ae48cfc09722f780f21afa22d44b8d7460286fa96eba6865201894726b9dfdebc6545600b4f2c5d9