Analysis

max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2024, 00:07
Static task: static1
Behavioral task: behavioral1
Sample: f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Resource: win7-20241023-en
General

Target: f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Size: 134KB
MD5: 0e016ef700da2f75e04cdea881bcbde0
SHA1: c77b00e001c8b6411438780da98f4d93ff973b16
SHA256: f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5
SHA512: 0ad4b8185dab202561581b5daba7e028d36efe7bdf27a3fcb224664468517018f29dd40ba9ea00e5eaac0a72f7b0bd80c9719197677d314e9c50e124b5a141b2
SSDEEP: 1536:fDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:LiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config

Extracted
  Family: neconyd
  URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  pid    Process
  468    omsecor.exe
  2868   omsecor.exe
  4968   omsecor.exe
  1488   omsecor.exe
  2896   omsecor.exe
  4160   omsecor.exe

Drops file in System32 directory (1 IoC)
  description    ioc                               Process
  File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                            pid    procid_target   Process
  PID 5056 set thread context of 3100    5056   83              f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  PID 468 set thread context of 2868     468    88              omsecor.exe
  PID 4968 set thread context of 1488    4968   109             omsecor.exe
  PID 2896 set thread context of 4160    2896   113             omsecor.exe

Program crash (4 IoCs)
  pid    pid_target   procid_target   Process
  4804   5056         82              WerFault.exe
  412    468          86              WerFault.exe
  4316   4968         108             WerFault.exe
  2456   2896         111             WerFault.exe

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process                                                                 count
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe                                                             6
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe   2

Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, count = number of times the row appears)
  description                         pid    procid_target   count   Process
  PID 5056 wrote to memory of 3100    5056   83              5       f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  PID 3100 wrote to memory of 468     3100   86              3       f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  PID 468 wrote to memory of 2868     468    88              5       omsecor.exe
  PID 2868 wrote to memory of 4968    2868   108             3       omsecor.exe
  PID 4968 wrote to memory of 1488    4968   109             5       omsecor.exe
  PID 1488 wrote to memory of 2896    1488   111             3       omsecor.exe
  PID 2896 wrote to memory of 4160    2896   113             5       omsecor.exe
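The SetThreadContext, WriteProcessMemory and Program crash tables above describe one repeating pattern: each process writes into a child started from its own executable, replaces that child's thread context, and is later the target of a WerFault report. The script below reconstructs that chain from the tables. It is an added example, not code from the tria.ge report or from the malware; every pid, image path and event is transcribed from this page, while the hollowing heuristic (parent writes into child and then sets the child's thread context) and the crash cross-check are the editor's, not tria.ge signature logic.

```python
"""Reconstruct the injection chain from this report's signature tables.

Added example, not part of the tria.ge report. Pids, image paths and
events are transcribed from the page; the hollowing heuristic and the
crash cross-check are the editor's own, not tria.ge rules.
"""

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# pid -> image path, from the process tree
PROCESSES = {
    5056: SAMPLE, 3100: SAMPLE,
    468: ROAMING, 2868: ROAMING,
    4968: SYSWOW64, 1488: SYSWOW64,
    2896: ROAMING, 4160: ROAMING,
}

# (source pid, target pid) from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(5056, 3100), (468, 2868), (4968, 1488), (2896, 4160)]

# (source pid, target pid, number of writes) from "Suspicious use of WriteProcessMemory"
WRITE_PROCESS_MEMORY = [
    (5056, 3100, 5), (3100, 468, 3), (468, 2868, 5), (2868, 4968, 3),
    (4968, 1488, 5), (1488, 2896, 3), (2896, 4160, 5),
]

# pid_target column of "Program crash": the process each WerFault was raised for
CRASHED = [5056, 468, 4968, 2896]


def hollowing_candidates(processes, writes, thread_ctx):
    """Pairs where the parent wrote into the child and then replaced the
    child's thread context: the process-hollowing sequence (ATT&CK
    T1055.012). same_image is True when the child was started from the
    parent's own executable, which is what a self-hollowing loader does."""
    written = {(src, dst) for src, dst, _ in writes}
    found = []
    for src, dst in thread_ctx:
        if (src, dst) in written:
            found.append({
                "parent": src,
                "child": dst,
                "image": processes[dst],
                "same_image": processes[src].lower() == processes[dst].lower(),
            })
    return found


def execution_chain(writes, root):
    """Follow source->target writes from root. Windows writes a new child's
    startup parameters from the parent, so every spawn in this report also
    appears as a write and the write graph doubles as a spawn graph."""
    children = {}
    for src, dst, _ in writes:
        children.setdefault(src, []).append(dst)
    chain, seen, pid = [root], {root}, root
    while pid in children:
        pid = children[pid][0]
        if pid in seen:  # guard against malformed or cyclic input
            break
        seen.add(pid)
        chain.append(pid)
    return chain


def injectors_that_crashed(candidates, crashed):
    """Hollowing parents that later show up as a WerFault target."""
    parents = {c["parent"] for c in candidates}
    return sorted(parents & set(crashed))


if __name__ == "__main__":
    cands = hollowing_candidates(PROCESSES, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT)
    for c in cands:
        tag = "self-hollow" if c["same_image"] else "hollow"
        print(f"{c['parent']} -> {c['child']}  {tag}  {c['image']}")
    print("chain:", " -> ".join(str(p) for p in execution_chain(WRITE_PROCESS_MEMORY, 5056)))
    print("injectors that crashed:", injectors_that_crashed(cands, CRASHED))
```

Two things the output makes visible that the flat tables hide: all four hollowed children are launched from the parent's own image (sample into sample, omsecor.exe into omsecor.exe), and the four crashed processes are exactly the four injectors, so the WerFault entries are the injectors exiting after handing off, not a crash of the payload. The five-writes-versus-three-writes split between hollowed and plainly spawned children holds in this report, but the exact counts depend on the sandbox's hooking and should not be hard-coded into a detection.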
Processes

C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe  (PID 5056)
  command line: "C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe  (PID 3100)
    command line: C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 468)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2868)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe  (PID 4968)
          command line: C:\Windows\System32\omsecor.exe
          (the command line names System32 but the image runs from SysWOW64: the process is 32-bit, and WoW64 file system redirection maps System32 to SysWOW64 for it)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe  (PID 1488)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2896)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4160)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\WerFault.exe  (PID 2456)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 268
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe  (PID 4316)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 292
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe  (PID 412)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 300
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe  (PID 4804)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 288
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 5080)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe  (PID 3344)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe  (PID 680)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe  (PID 4760)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2896 -ip 2896
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 134KB
  MD5: 6d6b36a1e4f4557fd744fd7e20c106e4
  SHA1: fdcd8d4390ceeea58264518a9e2471e265619abd
  SHA256: 6b1827e2b735f1a6f0fdbbd5dfd74c22cbc52dd1bf277f007b126ec93fc240b1
  SHA512: 3b8ac393ec365f79785ca89e54d6f9d379829823cb2370beb9ca119de88a9fc46f74a4664ffc8e937274ae50afbb9c3e27ef081fe89156379b17b5f3191eafdf

File 2
  Filesize: 134KB
  MD5: 237a4f2577e78998d6c839bba61dcdad
  SHA1: 60350ebe9b8f80a61f8e0239b939414a3b8f17a3
  SHA256: bc97d6d04ae87c3b9b0c1bc34aa12af7fb6109559af76145f964d71d160df5e8
  SHA512: dc2b0efe3fa95fb4a7bb9eec16a3bc294dfd57d60eda2f948e2f67991a951385cbf22edc5a76c59220509fc0ad8df64cbceedee8aec9d1853359f0882eab03ba

File 3
  Filesize: 134KB
  MD5: ac96dcef4ce3c403fc9a9cbe758ea7b7
  SHA1: bbc3a9d85abd7d47f645fe1092a2cdc1d12a32bc
  SHA256: 9cf110390d68026d565b4f1ca8c7678d85261d5ba98f22eea487d16caaf810a4
  SHA512: bb752c3b164431f219170dc6c8dc81e0345c2c24ca75b2354ba826db582d6484ab3a1b7ca37ff681d13450e34a5d65bd1f51203672ec759b33df82a3396e69b1
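The three files above are all 134KB yet carry three different hash sets, and none of them matches the submitted sample, so a sweep keyed on the sample's hash alone would miss the copies the loader writes to disk. The hunt below is an added example, not code from the tria.ge report or from any vendor tool: the SHA-256 values and the file name omsecor.exe are transcribed from this page, while the directories searched (%APPDATA% and %SystemRoot%\SysWOW64, the two drop locations in the process tree) and the placeholder file that demo() writes are assumptions so the script runs offline on any host.

```python
"""Host hunt for this report's file artifacts.

Added example, not part of the tria.ge report. The SHA-256 values and
the file name are transcribed from the report; the directories searched
and the placeholder file written by demo() are assumptions.
"""
import hashlib
import os
import tempfile

# Submitted sample plus the three dropped files from the Downloads section
KNOWN_SHA256 = {
    "f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5",
    "6b1827e2b735f1a6f0fdbbd5dfd74c22cbc52dd1bf277f007b126ec93fc240b1",
    "bc97d6d04ae87c3b9b0c1bc34aa12af7fb6109559af76145f964d71d160df5e8",
    "9cf110390d68026d565b4f1ca8c7678d85261d5ba98f22eea487d16caaf810a4",
}
# Name the loader uses for every copy of itself in the process tree
KNOWN_NAMES = {"omsecor.exe"}


def default_roots():
    """The two drop locations seen in the report (assumed layout). On a
    host without these environment variables the list is empty."""
    roots = []
    appdata = os.environ.get("APPDATA")
    sysroot = os.environ.get("SystemRoot")
    if appdata:
        roots.append(appdata)
    if sysroot:
        roots.append(os.path.join(sysroot, "SysWOW64"))
    return roots


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Reasons the file matches the report's IoCs ([] if none). A name
    hit alone is a lead to triage; a hash hit is a known copy."""
    reasons = []
    if os.path.basename(path).lower() in KNOWN_NAMES:
        reasons.append("name")
    if sha256_file(path) in KNOWN_SHA256:
        reasons.append("sha256")
    return reasons


def hunt(roots):
    """Walk roots and return [(path, reasons)] for every matching file."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    reasons = classify(path)
                except OSError:  # locked, unreadable or already gone
                    continue
                if reasons:
                    hits.append((path, reasons))
    return hits


def demo():
    """Offline run over a constructed directory: one placeholder named like
    the dropped file (matches by name only) and one benign file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "omsecor.exe"), "wb") as f:
            f.write(b"constructed placeholder, not the real sample")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign")
        return [(os.path.basename(p), r) for p, r in hunt([root])]


if __name__ == "__main__":
    roots = default_roots()
    for path, reasons in (hunt(roots) if roots else demo()):
        print(path, ",".join(reasons))
```

Treat a name-only hit as a lead rather than a verdict: the report shows the loader writing itself under a fixed name, but a fresh copy will hash differently from anything listed here, so the name rule is what catches it and the hash rule is what confirms a known copy.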