Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/12/2024, 03:01
Static task: static1
Behavioral task: behavioral1
Sample: c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe
Resource: win7-20240903-en
General
Target: c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe
Size: 134KB
MD5: 99f410fed3e2f4cd72d4f981b889e7bc
SHA1: 76b150567a0e0abe420674417fdfb05fd8cef31c
SHA256: c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f
SHA512: ba78db0e847cef3fed4fa46be2d74809ab8818beee1e1943318ae3121df71dc8edae15ba16d793bdbeeb92e7051e5a8c6d74918e32d06c2219ba0b03e13e8d27
SSDEEP: 1536:DDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7l:PiRTeH0NqAW6J6f1tqF6dngNmaZC7Mc
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family

- Executes dropped EXE (6 IoCs)
pid | Process
4300 | omsecor.exe
3656 | omsecor.exe
2756 | omsecor.exe
3824 | omsecor.exe
4924 | omsecor.exe
4008 | omsecor.exe

- Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

- Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1100 set thread context of 4044 | 1100 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 83
PID 4300 set thread context of 3656 | 4300 | omsecor.exe | 87
PID 2756 set thread context of 3824 | 2756 | omsecor.exe | 108
PID 4924 set thread context of 4008 | 4924 | omsecor.exe | 112

- Program crash (4 IoCs)
pid | pid_target | Process | procid_target
212 | 1100 | WerFault.exe | 82
2160 | 4300 | WerFault.exe | 85
1476 | 2756 | WerFault.exe | 107
4768 | 4924 | WerFault.exe | 110
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1100 wrote to memory of 4044 | 1100 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 83
PID 1100 wrote to memory of 4044 | 1100 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 83
PID 1100 wrote to memory of 4044 | 1100 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 83
PID 1100 wrote to memory of 4044 | 1100 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 83
PID 1100 wrote to memory of 4044 | 1100 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 83
PID 4044 wrote to memory of 4300 | 4044 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 85
PID 4044 wrote to memory of 4300 | 4044 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 85
PID 4044 wrote to memory of 4300 | 4044 | c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe | 85
PID 4300 wrote to memory of 3656 | 4300 | omsecor.exe | 87
PID 4300 wrote to memory of 3656 | 4300 | omsecor.exe | 87
PID 4300 wrote to memory of 3656 | 4300 | omsecor.exe | 87
PID 4300 wrote to memory of 3656 | 4300 | omsecor.exe | 87
PID 4300 wrote to memory of 3656 | 4300 | omsecor.exe | 87
PID 3656 wrote to memory of 2756 | 3656 | omsecor.exe | 107
PID 3656 wrote to memory of 2756 | 3656 | omsecor.exe | 107
PID 3656 wrote to memory of 2756 | 3656 | omsecor.exe | 107
PID 2756 wrote to memory of 3824 | 2756 | omsecor.exe | 108
PID 2756 wrote to memory of 3824 | 2756 | omsecor.exe | 108
PID 2756 wrote to memory of 3824 | 2756 | omsecor.exe | 108
PID 2756 wrote to memory of 3824 | 2756 | omsecor.exe | 108
PID 2756 wrote to memory of 3824 | 2756 | omsecor.exe | 108
PID 3824 wrote to memory of 4924 | 3824 | omsecor.exe | 110
PID 3824 wrote to memory of 4924 | 3824 | omsecor.exe | 110
PID 3824 wrote to memory of 4924 | 3824 | omsecor.exe | 110
PID 4924 wrote to memory of 4008 | 4924 | omsecor.exe | 112
PID 4924 wrote to memory of 4008 | 4924 | omsecor.exe | 112
PID 4924 wrote to memory of 4008 | 4924 | omsecor.exe | 112
PID 4924 wrote to memory of 4008 | 4924 | omsecor.exe | 112
PID 4924 wrote to memory of 4008 | 4924 | omsecor.exe | 112
Processes
- C:\Users\Admin\AppData\Local\Temp\c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe (PID 1100)
  command line: "C:\Users\Admin\AppData\Local\Temp\c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe"
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe (PID 4044)
    command line: C:\Users\Admin\AppData\Local\Temp\c8636245592636c046a34dc6224d2effd43fd77c55eb698dbad6cee26949e44f.exe
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4300)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3656)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 2756)
          command line: C:\Windows\System32\omsecor.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 3824)
            command line: C:\Windows\SysWOW64\omsecor.exe
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4924)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4008)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 4768)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 256
                signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 1476)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 292
            signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 2160)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 288
        signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 212)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 300
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4940)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1100 -ip 1100
- C:\Windows\SysWOW64\WerFault.exe (PID 1264)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4300 -ip 4300
- C:\Windows\SysWOW64\WerFault.exe (PID 1264)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2756 -ip 2756
- C:\Windows\SysWOW64\WerFault.exe (PID 1716)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4924 -ip 4924
Network
MITRE ATT&CK Enterprise v15
Downloads: 3 dropped files, 134KB each.