Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/01/2025, 02:54

Static task: static1
Behavioral task: behavioral1
Sample: 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Resource: win7-20240903-en
General
Target: 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Size: 96KB
MD5: 5ec2d98eed16ff460b007d4e1906b847
SHA1: 083ea682b0221622e57184ba39a8a15477a426fd
SHA256: 7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345
SHA512: 65d570166147941bfb8a52c4f09c2502bb070b083b92d9177b7f1a5906da2a28197bdc31cc4bf7f9326ce68fd52e59c318191610829d0c29e610faeb3249a793
SSDEEP: 1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:aGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
2892  omsecor.exe
2720  omsecor.exe
2780  omsecor.exe
1148  omsecor.exe
2772  omsecor.exe
2484  omsecor.exe

Loads dropped DLL (7 IoCs)
pid   Process
2988  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
2988  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
2892  omsecor.exe
2720  omsecor.exe
2720  omsecor.exe
1148  omsecor.exe
1148  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                  procid_target
PID 2860 set thread context of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2892 set thread context of 2720  2892  omsecor.exe                                                              32
PID 2780 set thread context of 1148  2780  omsecor.exe                                                              36
PID 2772 set thread context of 2484  2772  omsecor.exe                                                              38

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
description                       pid   Process                                                                  procid_target
PID 2860 wrote to memory of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2860 wrote to memory of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2860 wrote to memory of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2860 wrote to memory of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2860 wrote to memory of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2860 wrote to memory of 2988  2860  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  30
PID 2988 wrote to memory of 2892  2988  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  31
PID 2988 wrote to memory of 2892  2988  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  31
PID 2988 wrote to memory of 2892  2988  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  31
PID 2988 wrote to memory of 2892  2988  7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe  31
PID 2892 wrote to memory of 2720  2892  omsecor.exe                                                              32
PID 2892 wrote to memory of 2720  2892  omsecor.exe                                                              32
PID 2892 wrote to memory of 2720  2892  omsecor.exe                                                              32
PID 2892 wrote to memory of 2720  2892  omsecor.exe                                                              32
PID 2892 wrote to memory of 2720  2892  omsecor.exe                                                              32
PID 2892 wrote to memory of 2720  2892  omsecor.exe                                                              32
PID 2720 wrote to memory of 2780  2720  omsecor.exe                                                              35
PID 2720 wrote to memory of 2780  2720  omsecor.exe                                                              35
PID 2720 wrote to memory of 2780  2720  omsecor.exe                                                              35
PID 2720 wrote to memory of 2780  2720  omsecor.exe                                                              35
PID 2780 wrote to memory of 1148  2780  omsecor.exe                                                              36
PID 2780 wrote to memory of 1148  2780  omsecor.exe                                                              36
PID 2780 wrote to memory of 1148  2780  omsecor.exe                                                              36
PID 2780 wrote to memory of 1148  2780  omsecor.exe                                                              36
PID 2780 wrote to memory of 1148  2780  omsecor.exe                                                              36
PID 2780 wrote to memory of 1148  2780  omsecor.exe                                                              36
PID 1148 wrote to memory of 2772  1148  omsecor.exe                                                              37
PID 1148 wrote to memory of 2772  1148  omsecor.exe                                                              37
PID 1148 wrote to memory of 2772  1148  omsecor.exe                                                              37
PID 1148 wrote to memory of 2772  1148  omsecor.exe                                                              37
PID 2772 wrote to memory of 2484  2772  omsecor.exe                                                              38
PID 2772 wrote to memory of 2484  2772  omsecor.exe                                                              38
PID 2772 wrote to memory of 2484  2772  omsecor.exe                                                              38
PID 2772 wrote to memory of 2484  2772  omsecor.exe                                                              38
PID 2772 wrote to memory of 2484  2772  omsecor.exe                                                              38
PID 2772 wrote to memory of 2484  2772  omsecor.exe                                                              38
Processes (process tree, each level is a child of the one above)

[1] C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe"
    PID: 2860
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
      command line: C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
      PID: 2988
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2892
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2720
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\System32\omsecor.exe
            PID: 2780
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 1148
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 2772
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2484
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: 23d1cf278ac56ac9435ba38ab08205bf
SHA1: 88821ebd6beff95e06b8cdda9769a226792e12e7
SHA256: f8ae97a2442f7a0d7c37b633de740a13ec45c0b06390080e85f34312e5377f28
SHA512: 458e47b01a62750aa97b1d163077695bd0b493f9674ebb2a3105b5c6b592f86fb80d0889e6b1402be57326fb084119b16ff66cc3bd1cb825a894ce4723d904ad

Filesize: 96KB
MD5: e682c1925b9ed7113958cdf381418d4d
SHA1: 3268466b6d2272a9e56c25147eb00aad42f9907b
SHA256: b539bfd50645c1d94ef1b97bc889b53f8eae8c5bc16c3620ffbabef78345920e
SHA512: c01b2c74c0159b14b9e33cb8a551ba1b904bbc2c708a2a3b4972f46a990f092c26c4b559cb8b4b8fdaf9330aa3f6082291f75c901e05d6edefb27a1cce263bbd

Filesize: 96KB
MD5: cfecf868a5d956bc168b18a924761b24
SHA1: 2d00d25776209ff2507076f752a64a243a713fe1
SHA256: 95411bb623c5489a783535b5b8aaec35e10c0fa0165c5be40aa2b1fdb04649f7
SHA512: da0b963061daca080b2b980bb9a54dbb2ff66a6571863fe62bc4efeaf66b2a2477391d60432452d96d4192d2b22a32c1b17db6f3d0193113aa34fa760fdf2fed