Analysis
max time kernel: 115s
max time network: 109s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2025, 13:03
Static task: static1
Behavioral task: behavioral1
Sample: b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
Resource: win7-20241010-en
General
Target: b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
Size: 96KB
MD5: 82ec32e61d3cc855216c94aad2018f85
SHA1: 95032b286624fc8c10a48a2c4ec163b0d695976e
SHA256: b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385
SHA512: 0b5c54953891e065906f62d65afc9f3ca7684ed7ed578ade6a7e32e6f378bca823045de58f3ee303838da179f52d98eb8f6fcc3881a6979628beab961778f013
SSDEEP: 1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:MGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted family: neconyd
Extracted C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid | Process
  3064 | omsecor.exe
  2800 | omsecor.exe
  3012 | omsecor.exe
  580 | omsecor.exe
  1988 | omsecor.exe
  2660 | omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  2348 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
  2348 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
  3064 | omsecor.exe
  2800 | omsecor.exe
  2800 | omsecor.exe
  580 | omsecor.exe
  580 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 432 set thread context of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 3064 set thread context of 2800 | 3064 | omsecor.exe | 31
  PID 3012 set thread context of 580 | 3012 | omsecor.exe | 34
  PID 1988 set thread context of 2660 | 1988 | omsecor.exe | 36
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 432 wrote to memory of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 432 wrote to memory of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 432 wrote to memory of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 432 wrote to memory of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 432 wrote to memory of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 432 wrote to memory of 2348 | 432 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 29
  PID 2348 wrote to memory of 3064 | 2348 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 30
  PID 2348 wrote to memory of 3064 | 2348 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 30
  PID 2348 wrote to memory of 3064 | 2348 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 30
  PID 2348 wrote to memory of 3064 | 2348 | b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe | 30
  PID 3064 wrote to memory of 2800 | 3064 | omsecor.exe | 31
  PID 3064 wrote to memory of 2800 | 3064 | omsecor.exe | 31
  PID 3064 wrote to memory of 2800 | 3064 | omsecor.exe | 31
  PID 3064 wrote to memory of 2800 | 3064 | omsecor.exe | 31
  PID 3064 wrote to memory of 2800 | 3064 | omsecor.exe | 31
  PID 3064 wrote to memory of 2800 | 3064 | omsecor.exe | 31
  PID 2800 wrote to memory of 3012 | 2800 | omsecor.exe | 33
  PID 2800 wrote to memory of 3012 | 2800 | omsecor.exe | 33
  PID 2800 wrote to memory of 3012 | 2800 | omsecor.exe | 33
  PID 2800 wrote to memory of 3012 | 2800 | omsecor.exe | 33
  PID 3012 wrote to memory of 580 | 3012 | omsecor.exe | 34
  PID 3012 wrote to memory of 580 | 3012 | omsecor.exe | 34
  PID 3012 wrote to memory of 580 | 3012 | omsecor.exe | 34
  PID 3012 wrote to memory of 580 | 3012 | omsecor.exe | 34
  PID 3012 wrote to memory of 580 | 3012 | omsecor.exe | 34
  PID 3012 wrote to memory of 580 | 3012 | omsecor.exe | 34
  PID 580 wrote to memory of 1988 | 580 | omsecor.exe | 35
  PID 580 wrote to memory of 1988 | 580 | omsecor.exe | 35
  PID 580 wrote to memory of 1988 | 580 | omsecor.exe | 35
  PID 580 wrote to memory of 1988 | 580 | omsecor.exe | 35
  PID 1988 wrote to memory of 2660 | 1988 | omsecor.exe | 36
  PID 1988 wrote to memory of 2660 | 1988 | omsecor.exe | 36
  PID 1988 wrote to memory of 2660 | 1988 | omsecor.exe | 36
  PID 1988 wrote to memory of 2660 | 1988 | omsecor.exe | 36
  PID 1988 wrote to memory of 2660 | 1988 | omsecor.exe | 36
  PID 1988 wrote to memory of 2660 | 1988 | omsecor.exe | 36
Processes
Each entry is a child of the one before it (the tree is a single chain; the level number is the nesting depth).

Level 1: C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 432

Level 2: C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2348

Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3064

Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2800

Level 5: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3012

Level 6: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 580

Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1988

Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: b4edde9ecce673eb4f02b16fb9ef291d
  SHA1: 9e81626129858fc9c02e9fac95ccc592bced1b57
  SHA256: c94288e71549ed0d3cdc1385f7ed36eb1b4517b49411c1bf967f963cebf6bb41
  SHA512: d40f4fd78a894ef75e4f0a3c3e9bc6d720aa2980af72b437f144d86e28850ce4798dff1aaf2fc84fca135ccbb60fbfb18387cf83626a50e9e57906e79c67f17f
- Filesize: 96KB
  MD5: 2cb939a96dc199121a2c395f48287350
  SHA1: 8366d1754c3d335a5fdd8dcd017cb28681e38f70
  SHA256: 1797dde31610031cd7d26e15a3f978c2ef96330214c016f73f3332991e8dba9a
  SHA512: 08976f1ee45b9d171ae303190f6c33791ab9e2c01ec67a2aaded40b798924d627da5be2b28a4f36fd9f0b4d335b4b74255229ae2d0ccbf656109bc084d15499a
- Filesize: 96KB
  MD5: fedbb11d47748fa47d5f4fc558a0d4eb
  SHA1: e4920cba8ad3eeff76a0f3cb7272324474f830d2
  SHA256: 1ebd7dfbcb861ffebd08c9a0b19694348328911b4eb251f82696f7c6bfeedee9
  SHA512: 8b721e7d718a706dd39ee9849b95c90b7e455342f032f167426f8a0c5935ff61794ee6a776db4b75f1cee39550d188f6eb5aa6577854562fd9ed5782c3583d6c