Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2024, 04:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe
- Resource: win7-20241023-en
General
- Target: 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe
- Size: 134KB
- MD5: 51d01f0d8380c55b4601e419668a181b
- SHA1: 1639ad6d7cd81b6655084c9b8d6f53ae0ecdedb4
- SHA256: 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5
- SHA512: cb6dd53b7bd60fe5acbd497f818159e0dc04a4a685347f086f759f1ab6e572496dae11fdd9e4e9c83a15b13e8787aff33a49be8397c539f1a3f97c9aef2841c6
- SSDEEP: 1536:fDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:LiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
- Extracted: neconyd
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid / Process:
  - 1736 omsecor.exe
  - 244 omsecor.exe
  - 3368 omsecor.exe
  - 1476 omsecor.exe
  - 2988 omsecor.exe
  - 3124 omsecor.exe
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\omsecor.exe (Process: omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid / Process / procid_target:
  - PID 5080 set thread context of 2480 / 5080 / 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe / 83
  - PID 1736 set thread context of 244 / 1736 / omsecor.exe / 88
  - PID 3368 set thread context of 1476 / 3368 / omsecor.exe / 109
  - PID 2988 set thread context of 3124 / 2988 / omsecor.exe / 113
- Program crash (4 IoCs)
  pid / pid_target / Process / procid_target:
  - 4496 / 5080 / WerFault.exe / 82
  - 4140 / 1736 / WerFault.exe / 86
  - 2644 / 3368 / WerFault.exe / 108
  - 4888 / 2988 / WerFault.exe / 111
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / omsecor.exe
- Suspicious use of WriteProcessMemory (29 IoCs; identical rows grouped with their count)
  description / pid / Process / procid_target:
  - PID 5080 wrote to memory of 2480 / 5080 / 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe / 83 (5 rows)
  - PID 2480 wrote to memory of 1736 / 2480 / 7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe / 86 (3 rows)
  - PID 1736 wrote to memory of 244 / 1736 / omsecor.exe / 88 (5 rows)
  - PID 244 wrote to memory of 3368 / 244 / omsecor.exe / 108 (3 rows)
  - PID 3368 wrote to memory of 1476 / 3368 / omsecor.exe / 109 (5 rows)
  - PID 1476 wrote to memory of 2988 / 1476 / omsecor.exe / 111 (3 rows)
  - PID 2988 wrote to memory of 3124 / 2988 / omsecor.exe / 113 (5 rows)
Processes (tree; each entry gives image path, PID, the command line where it differs from the image path, and the signatures hit by that process)
- C:\Users\Admin\AppData\Local\Temp\7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe, PID 5080, command line "C:\Users\Admin\AppData\Local\Temp\7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe"
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7bd63f0ea0fbfa0e7b6f68d2e026dfb71e8e278e316723fea0fc4f6ca32475e5.exe, PID 2480
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe, PID 1736
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe, PID 244
        signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe, PID 3368, command line C:\Windows\System32\omsecor.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe, PID 1476
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe, PID 2988
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe, PID 3124
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 256, PID 4888
                signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 292, PID 2644
            signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 288, PID 4140
        signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 300, PID 4496
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080, PID 1716
- C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1736 -ip 1736, PID 4980
- C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3368 -ip 3368, PID 2328
- C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2988 -ip 2988, PID 4352
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 134KB
  MD5: 3ba713d1abf8380263b8a675b6fba8c9
  SHA1: f525ab84ddc8badec76c5b8e932f35401f59a0c1
  SHA256: 01662c6f9abf30652615f229263d7665c9fbd20ef74199b9d0e4dc06f151c964
  SHA512: 7e4ac0f4e6e40a58d9d9f6e3235166068493d25636afe5b1c47a10e319ca1a7e4dd3bfb709698ed1ea10c5dbd9a5538ce911b2a599ee084d87e095d7b02bc654
- Filesize: 134KB
  MD5: f180fe8ee40f3716afd0c18ae0cf8b00
  SHA1: f590ac1f509bc38bb3fdde5a8a2ea84fcd7d8e2e
  SHA256: b84244ca9ea6ef79c2353adbe104b77670fd7cf86503b7b2cf1bcfaf0e968b87
  SHA512: e9fa6e103e97d068d22ea0169860b1dbd02457052829a18d0d95b16de9937aa9b9c9f7ef7e3f43387f1112d3ef083c15977dd49109feab9ff3a634e225f60ecc
- Filesize: 134KB
  MD5: 45db7cd9e9ad6fb107a19dfe28666f58
  SHA1: 87ff7d31a8e1936a1c6a608be87a8a7ea5884aaf
  SHA256: 819c1d3f680e3a6a3bdf0ebb295ffd7b8c3c599bc410082d7f0a561c175c19a6
  SHA512: 5ea2400f417765b79c08a0d58a594813d8bd0892bceda5aac4917116813f450be8a70cd30cc8c97b46c2729fe9113eedeee0254792dd3af82d8643eefccff945