Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2025, 00:35
Static task: static1
Behavioral task: behavioral1
Sample: 63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe
Resource: win7-20241010-en
General
Target: 63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe
Size: 96KB
MD5: 5dd6db59424962a5e123881c19b46380
SHA1: bba3d5d68e45d81bd7b4a1dad83656fbe7426c25
SHA256: 63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91
SHA512: f7bd90117ace88aed44538ae98d7a9e1b2837a6a81e3854d355a0cf1146edb619e4806480f76cd5bff438abbd4a997baa34405ea8ec9f65d840bbf50fb7ab862
SSDEEP: 1536:tnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:tGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
Family: neconyd
C2:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  PID 2764 omsecor.exe
  PID 2960 omsecor.exe
  PID 1088 omsecor.exe
  PID 2148 omsecor.exe
  PID 2164 omsecor.exe
  PID 2348 omsecor.exe
- Loads dropped DLL (7 IoCs)
  PID 2860 63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe (2 loads)
  PID 2764 omsecor.exe (1 load)
  PID 2960 omsecor.exe (2 loads)
  PID 2148 omsecor.exe (2 loads)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe, by omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 2832 (63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe) set thread context of PID 2860, procid_target 30
  PID 2764 (omsecor.exe) set thread context of PID 2960, procid_target 32
  PID 1088 (omsecor.exe) set thread context of PID 2148, procid_target 36
  PID 2164 (omsecor.exe) set thread context of PID 2348, procid_target 38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by 63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe (2 times)
    by omsecor.exe (6 times)
- Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed with counts)
  PID 2832 (63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe) wrote to memory of PID 2860, procid_target 30 (6 times)
  PID 2860 (63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe) wrote to memory of PID 2764, procid_target 31 (4 times)
  PID 2764 (omsecor.exe) wrote to memory of PID 2960, procid_target 32 (6 times)
  PID 2960 (omsecor.exe) wrote to memory of PID 1088, procid_target 35 (4 times)
  PID 1088 (omsecor.exe) wrote to memory of PID 2148, procid_target 36 (6 times)
  PID 2148 (omsecor.exe) wrote to memory of PID 2164, procid_target 37 (4 times)
  PID 2164 (omsecor.exe) wrote to memory of PID 2348, procid_target 38 (6 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe (PID 2832)
   command line: "C:\Users\Admin\AppData\Local\Temp\63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe (PID 2860)
     command line: C:\Users\Admin\AppData\Local\Temp\63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2764)
       command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2960)
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe (PID 1088)
           command line: C:\Windows\System32\omsecor.exe
           (the command line names System32 but the image runs from SysWOW64: this is a 32-bit process, so WOW64 file-system redirection maps the System32 path to SysWOW64)
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe (PID 2148)
             command line: C:\Windows\SysWOW64\omsecor.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2164)
               command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2348)
                 command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
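The process tree and the two memory-tampering signatures together describe a repeated process-hollowing pattern: each stage launches a second copy of its own image, writes into it and redirects its main thread with SetThreadContext, and the hollowed copy then launches the next-stage dropper. The script below is an added example that is not part of the tria.ge report or of the sample; it transcribes the report's PID/image map, parent relationships and SetThreadContext/WriteProcessMemory rows into constructed event data, then reconstructs the chain. The function names, the Event layout and the "verdict" wording are this example's own assumptions, and the detection rule (SetThreadContext into the caller's own same-image child that also received WriteProcessMemory) is a general heuristic, not something the report states.

```python
"""Reconstruct the process-hollowing chain from the behavioral rows above.

Added example, not part of the tria.ge report or the sample. PID/image map,
parent map and API-call pairs are transcribed from the report; the helper
names and verdict strings are assumptions of this example.
"""
import ntpath
from collections import Counter

SAMPLE = "63ed056e5f854dadae977cbe5b5c963d1415e0e9b6df733a668dd5c62ee6cd91N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# PID -> image path, as shown in the report's process tree.
IMAGE = {
    2832: ntpath.join(TEMP, SAMPLE), 2860: ntpath.join(TEMP, SAMPLE),
    2764: ROAMING, 2960: ROAMING,
    1088: SYSWOW64, 2148: SYSWOW64,
    2164: ROAMING, 2348: ROAMING,
}
# child PID -> parent PID, from the tree's nesting.
PARENT = {2860: 2832, 2764: 2860, 2960: 2764, 1088: 2960,
          2148: 1088, 2164: 2148, 2348: 2164}

# (source, target) pairs from the two signature tables. WriteProcessMemory
# rows repeat in the report, so each pair carries its row count here.
SET_THREAD_CONTEXT = [(2832, 2860), (2764, 2960), (1088, 2148), (2164, 2348)]
WRITE_PROCESS_MEMORY = {(2832, 2860): 6, (2860, 2764): 4, (2764, 2960): 6,
                        (2960, 1088): 4, (1088, 2148): 6, (2148, 2164): 4,
                        (2164, 2348): 6}

# Flat event list, (api, source_pid, target_pid), constructed from the above.
EVENTS = [("SetThreadContext", s, d) for s, d in SET_THREAD_CONTEXT] + [
    ("WriteProcessMemory", s, d)
    for (s, d), n in WRITE_PROCESS_MEMORY.items() for _ in range(n)
]


def find_hollowing(events, parent_of, image_of):
    """Flag SetThreadContext calls whose target is the caller's own child,
    runs the same image, and also received WriteProcessMemory calls.

    That combination (spawn self, overwrite it, redirect its thread) is the
    classic hollowing sequence; a context change alone is not enough.
    """
    writes = Counter((s, d) for api, s, d in events if api == "WriteProcessMemory")
    findings = []
    for s, d in sorted({(s, d) for api, s, d in events if api == "SetThreadContext"}):
        same_image = (ntpath.basename(image_of[s]).lower()
                      == ntpath.basename(image_of[d]).lower())
        own_child = parent_of.get(d) == s
        n_writes = writes[(s, d)]
        verdict = ("process hollowing" if same_image and own_child and n_writes
                   else "context change only")
        findings.append({"parent": s, "child": d, "image": image_of[d],
                         "writes": n_writes, "verdict": verdict})
    return findings


def describe_chain(root, parent_of, image_of, findings):
    """Walk the (linear) tree from root and label each stage by its role."""
    child_of = {p: c for c, p in parent_of.items()}
    hollowed = {f["child"] for f in findings if f["verdict"] == "process hollowing"}
    stages, pid = [], root
    while pid is not None:
        role = "hollowed host" if pid in hollowed else "hollower"
        stages.append((pid, image_of[pid], role))
        pid = child_of.get(pid)
    return stages


def dropped_locations(image_of, sample_name):
    """Directories the dropped copy (any image that is not the sample) runs from."""
    return sorted({ntpath.dirname(p) for p in image_of.values()
                   if ntpath.basename(p) != sample_name})


if __name__ == "__main__":
    found = find_hollowing(EVENTS, PARENT, IMAGE)
    for f in found:
        print(f"{f['parent']} -> {f['child']}  {f['verdict']}  "
              f"({f['writes']} writes)  {f['image']}")
    for n, (pid, image, role) in enumerate(describe_chain(2832, PARENT, IMAGE, found), 1):
        print(f"stage {n}: PID {pid:<5} {role:<14} {image}")
    print("dropped copies run from:", dropped_locations(IMAGE, SAMPLE))
```

Run stand-alone it reports four hollowing pairs (2832→2860, 2764→2960, 1088→2148, 2164→2348), an eight-stage chain that alternates hollower and hollowed host, and two drop locations (the user's Roaming profile and SysWOW64). Two things worth noting from the data rather than from any general rule: in this run every pair that received SetThreadContext also shows six WriteProcessMemory rows, while the plain launches of the next stage show four; and the chain moves Temp → Roaming → SysWOW64 → Roaming, so a hunt on a live host should check both omsecor.exe paths, not only the System32 one.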
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 96KB
   MD5: 7b95d5a8f7ad01bace3d3e3caf5b5e4c
   SHA1: 54484c7888d7e1003dfcd7c63c7796dea65c6895
   SHA256: c350dacfd221c8f51602297ceeeb13111e4ec31a2b2c66caa93069b7f107b485
   SHA512: d83cd29b0894a44f85ff62f3c847d9f99bbbc0fe071521cb5378d25215270d18458ecc6f2bc532e4deaeaf53cb331b245e5a7de7c33898db7eec00223406c5f8
2. Filesize: 96KB
   MD5: 74306f2405d57031c2d132f1ffd6c6df
   SHA1: fc3fe39e4f0612909519d1d7fb75657ac6e74c05
   SHA256: 14535b0d9153943f93cda7d8012849205f17799f7d3da4dbf5348143c568b4cb
   SHA512: 55675290b7eb6185e293bc5e4ce6b61ea4ff37f0a9f547ff6e0ced35c02c249b027f442c71aa62e1f40fa1681143b371ba11f96cae3371495851c3386495ebce
3. Filesize: 96KB
   MD5: fc398e7255fed0d1ce7997c0a8b4edf7
   SHA1: 6493ebe0795ef091acfc75b28f323ec70f920b85
   SHA256: f0a012f8c63541e28037547f932a5734c9396c8dd1b398d96858ef31bea031e6
   SHA512: 51c6ed092f026f4220fa3b1c2f93acbb96c215322bcbbaa23c17afe9ac705cfbdc6c8114cab549744b4c1b40d6b8693793dbba5d8c3ea43e7f7eb0795b1a0f20