Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 00:03
Static task: static1
Behavioral task: behavioral1
Sample: 89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
Resource: win7-20240903-en
General
Target: 89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
Size: 134KB
MD5: d0cc2fbc746b4faaa3a62c8c3a4250e0
SHA1: f546e2be5ec764db8f258d101b80408b2873d707
SHA256: 89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03
SHA512: daf0d06cca896339410182bf3edceb04e21393f74f2af4e6551042f463486002a40719451bcb253684dfd029a8d3a4197a29dc5f0c85b0c23d05191bac04d0cc
SSDEEP: 1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCil:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
4600  omsecor.exe
896   omsecor.exe
3824  omsecor.exe
2936  omsecor.exe
1644  omsecor.exe
4444  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 5044 set thread context of 4212  5044  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  82
PID 4600 set thread context of 896   4600  omsecor.exe                                                             86
PID 3824 set thread context of 2936  3824  omsecor.exe                                                             100
PID 1644 set thread context of 4444  1644  omsecor.exe                                                             104

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
3972  4600        WerFault.exe  84
2704  5044        WerFault.exe  81
652   3824        WerFault.exe  99
4872  1644        WerFault.exe  102

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description                        pid   Process                                                                 procid_target
PID 5044 wrote to memory of 4212   5044  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  82
PID 5044 wrote to memory of 4212   5044  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  82
PID 5044 wrote to memory of 4212   5044  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  82
PID 5044 wrote to memory of 4212   5044  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  82
PID 5044 wrote to memory of 4212   5044  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  82
PID 4212 wrote to memory of 4600   4212  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  84
PID 4212 wrote to memory of 4600   4212  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  84
PID 4212 wrote to memory of 4600   4212  89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe  84
PID 4600 wrote to memory of 896    4600  omsecor.exe                                                             86
PID 4600 wrote to memory of 896    4600  omsecor.exe                                                             86
PID 4600 wrote to memory of 896    4600  omsecor.exe                                                             86
PID 4600 wrote to memory of 896    4600  omsecor.exe                                                             86
PID 4600 wrote to memory of 896    4600  omsecor.exe                                                             86
PID 896 wrote to memory of 3824    896   omsecor.exe                                                             99
PID 896 wrote to memory of 3824    896   omsecor.exe                                                             99
PID 896 wrote to memory of 3824    896   omsecor.exe                                                             99
PID 3824 wrote to memory of 2936   3824  omsecor.exe                                                             100
PID 3824 wrote to memory of 2936   3824  omsecor.exe                                                             100
PID 3824 wrote to memory of 2936   3824  omsecor.exe                                                             100
PID 3824 wrote to memory of 2936   3824  omsecor.exe                                                             100
PID 3824 wrote to memory of 2936   3824  omsecor.exe                                                             100
PID 2936 wrote to memory of 1644   2936  omsecor.exe                                                             102
PID 2936 wrote to memory of 1644   2936  omsecor.exe                                                             102
PID 2936 wrote to memory of 1644   2936  omsecor.exe                                                             102
PID 1644 wrote to memory of 4444   1644  omsecor.exe                                                             104
PID 1644 wrote to memory of 4444   1644  omsecor.exe                                                             104
PID 1644 wrote to memory of 4444   1644  omsecor.exe                                                             104
PID 1644 wrote to memory of 4444   1644  omsecor.exe                                                             104
PID 1644 wrote to memory of 4444   1644  omsecor.exe                                                             104
Processes
(process tree; indentation shows parent/child depth, "command line" is given only where it differs from the image path)

C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe (PID 5044)
  command line: "C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\89b1b832522bf9f7c6f0acd9ed7c1f4bb0a5b10c0dae10a3312d48fa72decd03N.exe (PID 4212)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4600)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 896)
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe (PID 3824)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe (PID 2936)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1644)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4444)
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\WerFault.exe (PID 4872)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 256
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe (PID 652)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 292
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 3972)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 288
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe (PID 2704)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 300
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4500)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe (PID 1920)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe (PID 2084)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe (PID 1528)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1644 -ip 1644
Network
MITRE ATT&CK Enterprise v15
Downloads