Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 01/02/2025, 16:44
Static task: static1
Behavioral task: behavioral1
Sample: 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
Resource: win7-20241010-en
General
- Target: 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
- Size: 96KB
- MD5: b55545b8ebbe3b5559e4615778d5a610
- SHA1: 4cad156ecebb8a3a88947778e279386b68685260
- SHA256: 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706ab
- SHA512: 28def2b2454383345a82949d9f00d9787036c4ad3ab64d82d7e86c588383e348be7e36d850148bda0c97bf6a3b7d00e530edcbb35c22db14813cf8ad9e0f04e3
- SSDEEP: 1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2756  omsecor.exe
  2200  omsecor.exe
  2888  omsecor.exe
  1668  omsecor.exe
  264   omsecor.exe
  2144  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2848  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  2848  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  2756  omsecor.exe
  2200  omsecor.exe
  2200  omsecor.exe
  1668  omsecor.exe
  1668  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2776 set thread context of 2848  2776  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe  30
  PID 2756 set thread context of 2200  2756  omsecor.exe                                                               32
  PID 2888 set thread context of 1668  2888  omsecor.exe                                                               35
  PID 264 set thread context of 2144   264   omsecor.exe                                                               37
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical rows are grouped, with the number of logged writes in the last column)
  description                       pid   Process                                                                   procid_target  count
  PID 2776 wrote to memory of 2848  2776  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe  30             6
  PID 2848 wrote to memory of 2756  2848  09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe  31             4
  PID 2756 wrote to memory of 2200  2756  omsecor.exe                                                               32             6
  PID 2200 wrote to memory of 2888  2200  omsecor.exe                                                               34             4
  PID 2888 wrote to memory of 1668  2888  omsecor.exe                                                               35             6
  PID 1668 wrote to memory of 264   1668  omsecor.exe                                                               36             4
  PID 264 wrote to memory of 2144   264   omsecor.exe                                                               37             6
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe (PID 2776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe (PID 2848)
    Command line: C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2756)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2200)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\omsecor.exe (PID 2888)
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\omsecor.exe (PID 1668)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 264)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - [8] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2144)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 7030d0b66162cb56c85d320713f21874
  SHA1: 6450544f289d3656f5e36480050b255577acc79d
  SHA256: ba23dba9f23b6d003f585605ff70f41f8110d7501c870e8f8da0a4b31032b9d1
  SHA512: 0d36183a218e7fbf54b1f58023fc4eaf1e1379bbd59ea8daf138b23ee4805b2533f11b93359daab0ce5e7a3d9dca3361cf0e158030f44509cd3e07f3af07dbd6
- Filesize: 96KB
  MD5: 5570a9ec5908ebacce84c613610de7ff
  SHA1: a89347b97a8a117caf864ef0247a4cae193f5da2
  SHA256: fef657d00819dc749a1b7085a810f13d93baf34db63bd4804ec9122aed3321cb
  SHA512: f9580b0cb9f6c6fd35da20fbd834b26ca0a8b515df68375f36bfb80b2e7985521b2f587e7899c06f298973f388f876b8955ef68bc8a12e10d073779d2df85504
- Filesize: 96KB
  MD5: 995ad09a63256674255e547431393b42
  SHA1: ca435ce0974965843024b22d128d150cd09be5b9
  SHA256: 6b5a95a05c066d267b3946b3137d5d8dc1d8c7059084166ca4be288e2918040d
  SHA512: 4f3222919a3e279b213c92439724a68ebeeb6ed292f7ec15bc55ad97178f9924176e4823094d5283ae03ca3db6585422ea57f84bfd83a24161ae63823d148ec4