Analysis
  max time kernel:   147s
  max time network:  148s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         05/02/2025, 03:32

Static task:      static1
Behavioral task:  behavioral1
  Sample:    b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  Resource:  win7-20240903-en
General
  Target:  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  Size:    96KB
  MD5:     81ec813a24cad85f5b97baf9787fa631
  SHA1:    0a1a7d728bac16c4ba8803e3d215805a2939503e
  SHA256:  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3
  SHA512:  a257a07ed481d60a5a075091b75c98ecbe01e9fe84efe7b9371bba73e1829d19a3afb29d26ca017183cd924674e08fec195e0e8417d3490edd0823c8f9aaa4b5
  SSDEEP:  1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:mGs8cd8eXlYairZYqMddH13L
Malware Config
  Extracted family: neconyd
  Extracted URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)
    pid   Process
    2160  omsecor.exe
    340   omsecor.exe
    1804  omsecor.exe
    1464  omsecor.exe
    1424  omsecor.exe
    2300  omsecor.exe

- Loads dropped DLL (7 IoCs)
    pid   Process
    804   b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe (2 events)
    2160  omsecor.exe
    340   omsecor.exe (2 events)
    1464  omsecor.exe (2 events)

- Drops file in System32 directory (1 IoC)
    description   ioc                               Process
    File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

- Suspicious use of SetThreadContext (4 IoCs)
    description                          pid   Process                                                                 procid_target
    PID 1196 set thread context of 804   1196  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe  30
    PID 2160 set thread context of 340   2160  omsecor.exe                                                             32
    PID 1804 set thread context of 1464  1804  omsecor.exe                                                             36
    PID 1424 set thread context of 2300  1424  omsecor.exe                                                             38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe (5 events)
- Suspicious use of WriteProcessMemory (36 IoCs; repeated identical events collapsed with counts)
    description                        pid   Process                                                                 procid_target  events
    PID 1196 wrote to memory of 804    1196  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe  30             6
    PID 804 wrote to memory of 2160    804   b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe  31             4
    PID 2160 wrote to memory of 340    2160  omsecor.exe                                                             32             6
    PID 340 wrote to memory of 1804    340   omsecor.exe                                                             35             4
    PID 1804 wrote to memory of 1464   1804  omsecor.exe                                                             36             6
    PID 1464 wrote to memory of 1424   1464  omsecor.exe                                                             37             4
    PID 1424 wrote to memory of 2300   1424  omsecor.exe                                                             38             6
Processes (indented by depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe"
   PID: 1196
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
     command line: C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
     PID: 804
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 2160
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 340
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\omsecor.exe
           command line: C:\Windows\System32\omsecor.exe
           PID: 1804
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\SysWOW64\omsecor.exe
             command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 1464
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 1424
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 2300
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Downloads

- Filesize: 96KB
  MD5:     b30ed9cda57812d61a9088c0d1328b2f
  SHA1:    d65d2fd9af0c7b86851105e58e62780b5cc88e3a
  SHA256:  3430b32c66561d387786d39ba967e508329450392d8569ff0a6bd90e845ce47e
  SHA512:  8c563ad59a29c798f3f11c7102a4c3ca328efa4cd5ee43fc1142ce24c76ca59a72ec517dec36d30ec8ce64249e0b53a4434cbe1a20d90776088095a9d11c28c0

- Filesize: 96KB
  MD5:     cbdc7aca84e275a3f0981ffd3d109d6f
  SHA1:    c6f86c788c0405166f490dad8fc3a9a10c972448
  SHA256:  b31b85e91cea5b7956ad41a06ecfb85f41f247723c703c8ac376899caabe0e21
  SHA512:  45f88d697822fec3d6f0dbc72c26a005063fad704ce4e075bd4a0f59f762281251313233c72a38a460b4a3205908618af43c85d7fff3b71ded2929392a77a9d1

- Filesize: 96KB
  MD5:     9806ccaa11663d3a5437e5a6baeaac71
  SHA1:    04457becdaa41890e19412788db904437d1c7cae
  SHA256:  b1b0acf0163ed0cacb0528b411c7937c80a77eba001b91996ab676fc2ca2b592
  SHA512:  fcfe6e21ca9c959e5f86e7de59c5784ef9abdb2062509329a9a62bb5d418529576cab13f1ae14ad33759d8a86de4fa23a8cacb168769d1fddcc12c290369de1a