Analysis
- Max time kernel: 118s
- Max time network: 118s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 05/02/2025, 03:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
- Resource: win7-20240903-en
General
- Target: ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
- Size: 96KB
- MD5: be2151ab0a35c54a3e6cbd72d9c6f5e0
- SHA1: 2841882d71adcf31701c778c43d47c558ee7c266
- SHA256: ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2f
- SHA512: 6375ea85905f966b83064da626262af86984357608cef45afc9caa420d2695d43a7738cb30e706173277bcf3a9502a2656b81f7837a0d610b40c6020bd3374ca
- SSDEEP: 1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:pGs8cd8eXlYairZYqMddH13L
Malware Config
- Extracted family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  PID   Process
  1812  omsecor.exe
  1916  omsecor.exe
  1904  omsecor.exe
  1076  omsecor.exe
  1160  omsecor.exe
  2012  omsecor.exe
- Loads dropped DLL (7 IoCs)
  PID   Process
  2520  ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  2520  ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  1812  omsecor.exe
  1916  omsecor.exe
  1916  omsecor.exe
  1076  omsecor.exe
  1076  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description   IoC                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Description (pid, process, procid_target):
  - PID 2504 set thread context of 2520 (2504, ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe, 30)
  - PID 1812 set thread context of 1916 (1812, omsecor.exe, 32)
  - PID 1904 set thread context of 1076 (1904, omsecor.exe, 36)
  - PID 1160 set thread context of 2012 (1160, omsecor.exe, 38)
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description / IoC / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe), 6 entries
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Description (process, procid_target), repeated entries collapsed with a count:
  - PID 2504 wrote to memory of 2520 (ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe, 30), 6 entries
  - PID 2520 wrote to memory of 1812 (ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe, 31), 4 entries
  - PID 1812 wrote to memory of 1916 (omsecor.exe, 32), 6 entries
  - PID 1916 wrote to memory of 1904 (omsecor.exe, 35), 4 entries
  - PID 1904 wrote to memory of 1076 (omsecor.exe, 36), 6 entries
  - PID 1076 wrote to memory of 1160 (omsecor.exe, 37), 4 entries
  - PID 1160 wrote to memory of 2012 (omsecor.exe, 38), 6 entries
Processes (tree depth as reported; each process is a child of the one above it)

Depth 1: C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe"
  PID: 2504
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ba6eb9f761f2416818a2162ca9d21d35e51aeea7a16bf7263012e433e11f2e2fN.exe
  PID: 2520
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 1812
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 1916
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  PID: 1904
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  PID: 1076
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 1160
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2012
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads