Analysis
- max time kernel: 114s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/02/2025, 13:46

Static task: static1
Behavioral task: behavioral1
Sample: 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Resource: win7-20240903-en
General
- Target: 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
- Size: 96KB
- MD5: 7445cb0dd8dc1d4cabd9881969898b10
- SHA1: b20ce716443b39f6bad665db6578fe6d9cb371be
- SHA256: 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9
- SHA512: 61383698992e232ab3d95402a14b4b3c32de2ceec71a6863d04a064e05c59994a9783373ffb138154f12caded8809cc8ab372eb8c961c83e2d6649fc64744b95
- SSDEEP: 1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:zGs8cd8eXlYairZYqMddH13p
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid    Process
  2924   omsecor.exe
  2756   omsecor.exe
  2568   omsecor.exe
  1892   omsecor.exe
  2116   omsecor.exe
  352    omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid    Process
  656    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  656    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  2924   omsecor.exe
  2756   omsecor.exe
  2756   omsecor.exe
  1892   omsecor.exe
  1892   omsecor.exe
- Drops file in System32 directory (1 IoC)
  description    ioc                                Process
  File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                            pid    Process                                                                   procid_target
  PID 1284 set thread context of 656     1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 2924 set thread context of 2756    2924   omsecor.exe                                                               32
  PID 2568 set thread context of 1892    2568   omsecor.exe                                                               36
  PID 2116 set thread context of 352     2116   omsecor.exe                                                               38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description                          pid    Process                                                                   procid_target
  PID 1284 wrote to memory of 656      1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 1284 wrote to memory of 656      1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 1284 wrote to memory of 656      1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 1284 wrote to memory of 656      1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 1284 wrote to memory of 656      1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 1284 wrote to memory of 656      1284   0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    30
  PID 656 wrote to memory of 2924      656    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    31
  PID 656 wrote to memory of 2924      656    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    31
  PID 656 wrote to memory of 2924      656    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    31
  PID 656 wrote to memory of 2924      656    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe    31
  PID 2924 wrote to memory of 2756     2924   omsecor.exe                                                               32
  PID 2924 wrote to memory of 2756     2924   omsecor.exe                                                               32
  PID 2924 wrote to memory of 2756     2924   omsecor.exe                                                               32
  PID 2924 wrote to memory of 2756     2924   omsecor.exe                                                               32
  PID 2924 wrote to memory of 2756     2924   omsecor.exe                                                               32
  PID 2924 wrote to memory of 2756     2924   omsecor.exe                                                               32
  PID 2756 wrote to memory of 2568     2756   omsecor.exe                                                               35
  PID 2756 wrote to memory of 2568     2756   omsecor.exe                                                               35
  PID 2756 wrote to memory of 2568     2756   omsecor.exe                                                               35
  PID 2756 wrote to memory of 2568     2756   omsecor.exe                                                               35
  PID 2568 wrote to memory of 1892     2568   omsecor.exe                                                               36
  PID 2568 wrote to memory of 1892     2568   omsecor.exe                                                               36
  PID 2568 wrote to memory of 1892     2568   omsecor.exe                                                               36
  PID 2568 wrote to memory of 1892     2568   omsecor.exe                                                               36
  PID 2568 wrote to memory of 1892     2568   omsecor.exe                                                               36
  PID 2568 wrote to memory of 1892     2568   omsecor.exe                                                               36
  PID 1892 wrote to memory of 2116     1892   omsecor.exe                                                               37
  PID 1892 wrote to memory of 2116     1892   omsecor.exe                                                               37
  PID 1892 wrote to memory of 2116     1892   omsecor.exe                                                               37
  PID 1892 wrote to memory of 2116     1892   omsecor.exe                                                               37
  PID 2116 wrote to memory of 352      2116   omsecor.exe                                                               38
  PID 2116 wrote to memory of 352      2116   omsecor.exe                                                               38
  PID 2116 wrote to memory of 352      2116   omsecor.exe                                                               38
  PID 2116 wrote to memory of 352      2116   omsecor.exe                                                               38
  PID 2116 wrote to memory of 352      2116   omsecor.exe                                                               38
  PID 2116 wrote to memory of 352      2116   omsecor.exe                                                               38
Processes (each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe"
   PID: 1284
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
     command line: C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
     PID: 656
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 2924
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2756
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe
           command line: C:\Windows\System32\omsecor.exe
           PID: 2568
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe
             command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 1892
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 2116
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 352
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 3ecf227d50109f374225f909f705e9bc
  SHA1: 458cccab2e5ff2bfca3b98b64cf61f3ebb90a8c4
  SHA256: 7de87bc37afdf859278a2bad190a905cdbb3858787788971ecbb8ccfcd82fb15
  SHA512: 8ab66b6372f653cb4e03e2c4927719f99707bac4882a7f5918a82b247e523cc313835b1b618faa440b9be69d002a020ef39a3f4d84a542df22cb563e256ac186
- Filesize: 96KB
  MD5: 99f474e43273188ec3b23caf0e28bd18
  SHA1: cac5d93c4a84b3b5fe04018e3c3cdb58837f7f0b
  SHA256: f5f6a9775d90cfae9354b95963fd2542c27d9faa21a66ec6c0f77f8e8b5c6567
  SHA512: f1dae6d45ca451364456b3575a1ef72b854281fdf9e6bece0e5ad2106f2fe53b220f3cb8d59dced42adffe14c24e90d70e5d8ca2f9f6f7270035629ae96f1ff7
- Filesize: 96KB
  MD5: 894772991d94681aebb2e934d8eebde4
  SHA1: 8c7e7dcfe7dc9e82673fbabb53fa79f259d592af
  SHA256: ed76c078720d812542836f5d811baf171ebcaf6d4faf4bc8e702dbdd58fb293c
  SHA512: bb2573867efec1358c7ce43a37c363691b6f0e4ff74f2d3dc28444f637f0dbe01dda9f43ed3ed3fc5a6d9cfdaa0fb7a2b2b36b6996f90f4aada28b6ad64523d7