Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2024, 01:27
Static task: static1
Behavioral task: behavioral1
- Sample: 8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
- Resource: win7-20240903-en
General
- Target: 8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
- Size: 96KB
- MD5: e33d8e4561da0b3aa0e855b14b4ce958
- SHA1: 5129486d7916b2686e78335045850ffbfa1a388b
- SHA256: 8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d
- SHA512: 45e7897415d09261af7bfc3d70d2569b4e69ba44ee7abfdd543c9a373bb95cae5defd7877963935ca72b791ccfadab535f56042e52458ab31555f36becea959c
- SSDEEP: 1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:JGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid    Process
  452    omsecor.exe
  1260   omsecor.exe
  3548   omsecor.exe
  2104   omsecor.exe
  1384   omsecor.exe
  3996   omsecor.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  pid    Process                                                                  target pid   procid_target
  4272   8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe   2148         83
  452    omsecor.exe                                                              1260         88
  3548   omsecor.exe                                                              2104         110
  1384   omsecor.exe                                                              3996         114
- Program crash (4 IoCs)
  pid    pid_target   Process        procid_target
  3512   4272         WerFault.exe   82
  4140   452          WerFault.exe   86
  4672   3548         WerFault.exe   109
  2860   1384         WerFault.exe   112
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened twice by 8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe and six times by omsecor.exe.
- Suspicious use of WriteProcessMemory (29 IoCs)
  pid    Process                                                                  wrote to pid   procid_target   writes
  4272   8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe   2148           83              5
  2148   8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe   452            86              3
  452    omsecor.exe                                                              1260           88              5
  1260   omsecor.exe                                                              3548           109             3
  3548   omsecor.exe                                                              2104           110             5
  2104   omsecor.exe                                                              1384           112             3
  1384   omsecor.exe                                                              3996           114             5
Processes
- C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe (PID 4272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe (PID 2148)
    Command line: C:\Users\Admin\AppData\Local\Temp\8ba8818b287a5bd45ca78688ad896cbf2f6dd2581ebfb56ae913a710669f760d.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 452)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1260)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 3548)
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 2104)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1384)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3996)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 2860)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 256
                - Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 4672)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 292
            - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 4140)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 300
        - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3512)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 288
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3828)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4272 -ip 4272
- C:\Windows\SysWOW64\WerFault.exe (PID 3524)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 452 -ip 452
- C:\Windows\SysWOW64\WerFault.exe (PID 2304)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3548 -ip 3548
- C:\Windows\SysWOW64\WerFault.exe (PID 3588)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1384 -ip 1384
Network
MITRE ATT&CK Enterprise v15
Downloads