Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2024, 18:21
Static task
static1
Behavioral task
behavioral1
Sample: 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
Resource: win7-20240221-en
Note: the signature hits below are labelled behavioral2, and the Analysis block names the windows10-2004_x64 platform with the win10v2004-20240419-en resource, so the behavioural results on this page come from the Windows 10 run, not from behavioral1 (win7-20240221-en).
General
Target: 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
Size: 134KB
MD5: 28cea1d9184634d41849ecbfc7021883
SHA1: 531e1918182b09088e1433c1f29b91c93181ef4a
SHA256: 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce
SHA512: 48f4171df816e51a37cd3567d914ceefcc1be8acd14825c988100d2af3803c9403732af04fbeea54d9c8b27702fce9d8b9874c0907e58cad3fdf85f0d8406121
SSDEEP: 1536:cDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:CiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
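As an added example (not part of the tria.ge report and not tooling from the neconyd config extractor), here is how the three extracted C2 URLs would be reduced to a host watchlist and matched against DNS and proxy log lines. The log lines and their two formats (a tab-separated Zeek-style dns.log row and a space-separated proxy row with the URL in the fourth field) are constructed for the demo and are assumptions, not any product's real format.

```python
"""Match the C2 URLs extracted from this report against DNS/proxy log lines.

Added example, not part of the tria.ge report. The log lines below are
constructed for the demo; their formats are assumed, not taken from a product.
"""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the report's Malware Config section.
NECONYD_C2 = [
    "http://ow5dirasuek.com/",
    "http://mkkuei4kdsz.com/",
    "http://lousta.net/",
]


def normalise(name):
    """Lower-case a DNS name and drop a trailing dot so lookups compare cleanly."""
    return name.lower().rstrip(".")


def c2_hosts(urls):
    """Reduce URLs to hostnames, ignoring scheme, port and path."""
    hosts = set()
    for u in urls:
        host = urlsplit(u).hostname
        if host:
            hosts.add(normalise(host))
    return hosts


def host_matches(query, watch):
    """True if the queried name is a watched host or a subdomain of one.

    'cdn.lousta.net' matches 'lousta.net'; 'notlousta.net' does not.
    """
    q = normalise(query)
    return any(q == w or q.endswith("." + w) for w in watch)


# Assumed log shapes (constructed for this example):
#   DNS:   ts<TAB>uid<TAB>src<TAB>dst<TAB>query
#   proxy: ts src METHOD url
_DNS_RE = re.compile(r"^(?P<ts>\S+)\t(?P<uid>\S+)\t(?P<src>\S+)\t(?P<dst>\S+)\t(?P<query>\S+)")
_PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_lines(lines, watch):
    """Return (source_ip, matched_host, line) for every line touching a watched host."""
    hits = []
    for line in lines:
        m = _DNS_RE.match(line)
        if m:
            if host_matches(m["query"], watch):
                hits.append((m["src"], normalise(m["query"]), line))
            continue
        m = _PROXY_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if host_matches(host, watch):
                hits.append((m["src"], normalise(host), line))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOGS = [
    "1714674100.1\tCx1\t10.0.0.5\t10.0.0.53\tow5dirasuek.com",
    "1714674101.2\tCx2\t10.0.0.5\t10.0.0.53\twww.microsoft.com",
    "1714674102.3\tCx3\t10.0.0.9\t10.0.0.53\tLOUSTA.NET.",
    "1714674103.4 10.0.0.5 GET http://mkkuei4kdsz.com/",
    "1714674104.5 10.0.0.7 GET http://notlousta.net/",
]

if __name__ == "__main__":
    for src, host, _ in scan_lines(SAMPLE_LOGS, c2_hosts(NECONYD_C2)):
        print(f"{src} -> {host}")
```

Matching on the hostname rather than the full URL is deliberate: the extracted URLs end in "/" and the real request path is unknown, and the suffix rule catches subdomains without also catching look-alike registrable domains.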
Signatures

Detects executables built or packed with MPress PE compressor (9 IoCs)
resource | yara_rule
behavioral2/memory/1156-0-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023b5f-10.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3728-11-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/1156-16-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000f000000023bce-28.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3444-31-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023b5f-40.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/1532-41-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3444-49-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_MPress

Executes dropped EXE (6 IoCs)
pid | Process
3728 | omsecor.exe
1468 | omsecor.exe
3444 | omsecor.exe
2340 | omsecor.exe
1532 | omsecor.exe
2176 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1156 set thread context of 388 | 1156 | 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe | 83
PID 3728 set thread context of 1468 | 3728 | omsecor.exe | 88
PID 3444 set thread context of 2340 | 3444 | omsecor.exe | 111
PID 1532 set thread context of 2176 | 1532 | omsecor.exe | 115

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
4732 | 1156 | WerFault.exe | 82
856 | 3728 | WerFault.exe | 85
1428 | 3444 | WerFault.exe | 110
4720 | 1532 | WerFault.exe | 113

Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, number of rows in the last column)
description | pid | Process | procid_target | rows
PID 1156 wrote to memory of 388 | 1156 | 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe | 83 | 5
PID 388 wrote to memory of 3728 | 388 | 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe | 85 | 3
PID 3728 wrote to memory of 1468 | 3728 | omsecor.exe | 88 | 5
PID 1468 wrote to memory of 3444 | 1468 | omsecor.exe | 110 | 3
PID 3444 wrote to memory of 2340 | 3444 | omsecor.exe | 111 | 5
PID 2340 wrote to memory of 1532 | 2340 | omsecor.exe | 113 | 3
PID 1532 wrote to memory of 2176 | 1532 | omsecor.exe | 115 | 5
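The INDICATOR_EXE_Packed_MPress hits above come from a YARA rule whose body the report does not show. The following is an added example, not tria.ge's rule and not code from the report: it performs the equivalent check on a PE's section table, assuming the .MPRESS1 and .MPRESS2 section names that the MPress packer is known to write. The PE bytes it inspects are constructed by build_min_pe() for the demo, not taken from the sample. Because a mapped image keeps its PE header at the image base, the same check applies to a dump of the 0x0000000000400000-0x0000000000424000 region that the rule also matched in memory.

```python
"""Flag PE files whose section table carries MPress packer section names.

Added example, not the INDICATOR_EXE_Packed_MPress rule used by tria.ge (that
rule's body is not shown in the report). Assumes MPress's documented section
names .MPRESS1 / .MPRESS2. The PE bytes below are constructed, not the sample.
"""
import struct

MPRESS_SECTIONS = {b".MPRESS1", b".MPRESS2"}


def pe_section_names(data):
    """Return the section names of a PE image, or raise ValueError if not a PE.

    Only the fields needed to reach the section table are parsed; every offset
    is bounds-checked so a truncated or hostile header cannot read past the buffer.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_mpress_packed(data):
    """True if any section name matches the MPress packer's naming (case-insensitive)."""
    return any(name.upper() in MPRESS_SECTIONS for name in pe_section_names(data))


def build_min_pe(section_names, machine=0x014C):
    """Construct a header-only PE32 image with the given section names (test data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


# Constructed inputs: one image laid out the way MPress names its sections, one plain.
PACKED = build_min_pe([b".MPRESS1", b".MPRESS2", b".rsrc"])
PLAIN = build_min_pe([b".text", b".rdata", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, pe_section_names(blob), is_mpress_packed(blob))
```

A section-name check is cheap but only a hint: a rebuilt or renamed section table defeats it, which is why the report pairs the packer rule with the behavioural signatures that follow.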
Processes
[1] C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe"
    PID: 1156
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
      command line: C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
      PID: 388
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3728
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 1468
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\System32\omsecor.exe
            PID: 3444
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\omsecor.exe
              command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 2340
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 1532
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2176
                  - Executes dropped EXE
              [8] C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 268
                  PID: 4720
                  - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 292
              PID: 1428
              - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 292
          PID: 856
          - Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 288
      PID: 4732
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1156 -ip 1156
    PID: 4692
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3728 -ip 3728
    PID: 1360
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3444 -ip 3444
    PID: 3700
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1532 -ip 1532
    PID: 5100

Reading the tree: each process flagged for SetThreadContext (1156, 3728, 3444, 1532) starts a second copy of its own image, writes into it and sets its thread context, and is then reported crashed by a WerFault.exe child; the second copy carries on and drops or launches the next omsecor.exe. The command line at depth 5 names C:\Windows\System32\omsecor.exe while the image runs from C:\Windows\SysWOW64\omsecor.exe: the process is 32-bit (the analysis is tagged arch:x86 and WerFault runs from SysWOW64), so WOW64 file-system redirection sends the write to SysWOW64, which is the path the "Drops file in System32 directory" signature records.
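The following is an added example, not tooling from tria.ge: it rebuilds the chain above from the report's own signature rows. The rows are copied from the SetThreadContext and WriteProcessMemory tables in the flattened "PID <src> <op> <dst> <src> <image> <procid_target>" form the page shows (an assumption about how the page was exported, not a documented tria.ge format), and the PID-to-image mapping is taken from the process tree. Treating a parent that writes into, then sets the thread context of, a fresh copy of its own image as a hollowing-style self-injection is the analyst's reading; the report itself only flags the API use.

```python
"""Rebuild the injection chain from this report's signature rows.

Added example, not tooling from tria.ge. Rows are copied from the report's
SetThreadContext / WriteProcessMemory tables in the flattened form shown on the
page; the PID -> image mapping comes from its process tree.
"""
import re
from collections import Counter

SAMPLE = "06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"
SYSWOW64 = "C:\\Windows\\SysWOW64\\omsecor.exe"

# pid -> image path, from the report's process tree.
IMAGES = {
    1156: TEMP, 388: TEMP,
    3728: ROAMING, 1468: ROAMING,
    3444: SYSWOW64, 2340: SYSWOW64,
    1532: ROAMING, 2176: ROAMING,
}

# Signature rows as the page flattens them: "PID <src> <op> <dst> <src> <image> <procid_target>".
SETCTX_ROWS = " ".join([
    f"PID 1156 set thread context of 388 1156 {SAMPLE} 83",
    "PID 3728 set thread context of 1468 3728 omsecor.exe 88",
    "PID 3444 set thread context of 2340 3444 omsecor.exe 111",
    "PID 1532 set thread context of 2176 1532 omsecor.exe 115",
])
WPM_ROWS = " ".join(
    [f"PID 1156 wrote to memory of 388 1156 {SAMPLE} 83"] * 5
    + [f"PID 388 wrote to memory of 3728 388 {SAMPLE} 85"] * 3
    + ["PID 3728 wrote to memory of 1468 3728 omsecor.exe 88"] * 5
    + ["PID 1468 wrote to memory of 3444 1468 omsecor.exe 110"] * 3
    + ["PID 3444 wrote to memory of 2340 3444 omsecor.exe 111"] * 5
    + ["PID 2340 wrote to memory of 1532 2340 omsecor.exe 113"] * 3
    + ["PID 1532 wrote to memory of 2176 1532 omsecor.exe 115"] * 5
)

# The back-reference (?P=src) enforces that the 'pid' column repeats the PID in the description.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """Return (src_pid, operation, dst_pid) for every row found in the flattened text."""
    return [(int(m["src"]), m["op"], int(m["dst"])) for m in ROW_RE.finditer(text)]


def injection_chain(rows, root):
    """Follow WriteProcessMemory edges from root while each process has exactly one target."""
    children = {}
    for src, op, dst in rows:
        if op == "wrote to memory of":
            children.setdefault(src, set()).add(dst)
    chain, cur = [root], root
    while cur in children and len(children[cur]) == 1:
        (cur,) = children[cur]
        chain.append(cur)
    return chain


def hollowing_pairs(rows, images):
    """(parent, child, write_count) where the parent both wrote into and set the
    thread context of a child running the same image path: the self-injection pattern."""
    writes = Counter((s, d) for s, op, d in rows if op == "wrote to memory of")
    ctx = {(s, d) for s, op, d in rows if op == "set thread context of"}
    return [
        (s, d, writes[(s, d)])
        for s, d in sorted(ctx)
        if writes[(s, d)] and images.get(s) == images.get(d)
    ]


if __name__ == "__main__":
    rows = parse_rows(SETCTX_ROWS + " " + WPM_ROWS)
    for pid in injection_chain(rows, 1156):
        print(pid, IMAGES[pid])
    for parent, child, n in hollowing_pairs(rows, IMAGES):
        print(f"{parent} -> {child}: {n} writes, then SetThreadContext")
```

On this report the chain resolves to 1156, 388, 3728, 1468, 3444, 2340, 1532, 2176, and every SetThreadContext parent pairs with a same-image child that it wrote to five times; the three-write edges (388 to 3728, 1468 to 3444, 2340 to 1532) are the drop-and-launch steps between generations.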
Network
MITRE ATT&CK Matrix
Downloads
Three dropped files, each 134KB (the same size as the sample, with different hashes); the report does not pair them with the omsecor.exe paths in the process tree.

Filesize: 134KB
MD5: 0f66386e6876ec047b7cc216b0a3b364
SHA1: a574cfa6991f7ba03ad822df7672843a4d8f5846
SHA256: f32c3b4bc9ee526134ca803852718a63e46e56b95c5084707e4d7cb04f1a4f27
SHA512: ecca793944bdb7b19503b1bf8934175415f1dc3beb49f76b3d3f4beee8ab527d2aff8973fccdf4613acbdc4d32ea2342c0ccff5ccf20428a9928a5e4443865ec

Filesize: 134KB
MD5: 2f20ecb2c70eb7f301e577e8b66e6708
SHA1: f77ff9d3e112d1501c451fbfb1d15dd09ec707e5
SHA256: 0111a85b30b1595ab2eb8e6302b6a9c65375e757319c3c317a4e4be761cbb766
SHA512: 796f9fb45db5dda0f984954905f90bb2d96a96774ea2f747f64597de76dea6ea8c7d04dd2e4f034afe8edd74901c99961f6b94ad7e3062df1903176682fd7b9d

Filesize: 134KB
MD5: 2b11a4501ccef31af1022a6efb0e8ca1
SHA1: 12e3214c20c05f80d3ae2da5510866c000047043
SHA256: e4a973a88792a1cafa077570ed9be5bac967dd8a49d508397374dc35321a9415
SHA512: cb44b70fd2b057bacd38710c19df820da41417a031a4e29492935c0c0b55cf2826a58a310457c675a37bee1d3ffaa1f3d6bad800fc5ec2bc8f97ca2bcc9c919c