Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2024, 01:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
- Resource: win7-20240903-en
General
- Target: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
- Size: 96KB
- MD5: fc3379caa1dd355cac67ab889cf00be0
- SHA1: 08aa2dffa11f6f08947eceb663a5b86e7e33c851
- SHA256: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6e
- SHA512: 3f4427d91c4e9e0c41026a2f30b14c9aab26d109f9a49cd94814de2b512b1a25dda97ff7d02d09ddc24f4b36c94a170283f47ce6eebfc342dbce9a88b6d3e2b5
- SSDEEP: 1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:zGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid / Process:
  1652 omsecor.exe
  4040 omsecor.exe
  1284 omsecor.exe
  516 omsecor.exe
  3048 omsecor.exe
  4112 omsecor.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  PID 3788 set thread context of 3416 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 82)
  PID 1652 set thread context of 4040 (process: omsecor.exe, procid_target: 86)
  PID 1284 set thread context of 516 (process: omsecor.exe, procid_target: 100)
  PID 3048 set thread context of 4112 (process: omsecor.exe, procid_target: 104)
- Program crash (4 IoCs)
  pid 2924, pid_target 3788, process WerFault.exe, procid_target 81
  pid 5112, pid_target 1652, process WerFault.exe, procid_target 85
  pid 4616, pid_target 1284, process WerFault.exe, procid_target 99
  pid 4516, pid_target 3048, process WerFault.exe, procid_target 102
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 3788 wrote to memory of 3416 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 82)
  PID 3788 wrote to memory of 3416 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 82)
  PID 3788 wrote to memory of 3416 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 82)
  PID 3788 wrote to memory of 3416 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 82)
  PID 3788 wrote to memory of 3416 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 82)
  PID 3416 wrote to memory of 1652 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 85)
  PID 3416 wrote to memory of 1652 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 85)
  PID 3416 wrote to memory of 1652 (process: cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe, procid_target: 85)
  PID 1652 wrote to memory of 4040 (process: omsecor.exe, procid_target: 86)
  PID 1652 wrote to memory of 4040 (process: omsecor.exe, procid_target: 86)
  PID 1652 wrote to memory of 4040 (process: omsecor.exe, procid_target: 86)
  PID 1652 wrote to memory of 4040 (process: omsecor.exe, procid_target: 86)
  PID 1652 wrote to memory of 4040 (process: omsecor.exe, procid_target: 86)
  PID 4040 wrote to memory of 1284 (process: omsecor.exe, procid_target: 99)
  PID 4040 wrote to memory of 1284 (process: omsecor.exe, procid_target: 99)
  PID 4040 wrote to memory of 1284 (process: omsecor.exe, procid_target: 99)
  PID 1284 wrote to memory of 516 (process: omsecor.exe, procid_target: 100)
  PID 1284 wrote to memory of 516 (process: omsecor.exe, procid_target: 100)
  PID 1284 wrote to memory of 516 (process: omsecor.exe, procid_target: 100)
  PID 1284 wrote to memory of 516 (process: omsecor.exe, procid_target: 100)
  PID 1284 wrote to memory of 516 (process: omsecor.exe, procid_target: 100)
  PID 516 wrote to memory of 3048 (process: omsecor.exe, procid_target: 102)
  PID 516 wrote to memory of 3048 (process: omsecor.exe, procid_target: 102)
  PID 516 wrote to memory of 3048 (process: omsecor.exe, procid_target: 102)
  PID 3048 wrote to memory of 4112 (process: omsecor.exe, procid_target: 104)
  PID 3048 wrote to memory of 4112 (process: omsecor.exe, procid_target: 104)
  PID 3048 wrote to memory of 4112 (process: omsecor.exe, procid_target: 104)
  PID 3048 wrote to memory of 4112 (process: omsecor.exe, procid_target: 104)
  PID 3048 wrote to memory of 4112 (process: omsecor.exe, procid_target: 104)
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe (PID 3788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe (PID 3416)
    Command line: C:\Users\Admin\AppData\Local\Temp\cbd2b230eaaf21fbdf1073e016fca1608cc3230e2c9e325b0c53ecb5cbd76b6eN.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1652)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4040)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 1284)
          Command line: C:\Windows\System32\omsecor.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 516)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3048)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4112)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 4516)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 256
                Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 4616)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 292
            Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 5112)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 300
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2924)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 288
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 316)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3788 -ip 3788
- C:\Windows\SysWOW64\WerFault.exe (PID 1264)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 1652
- C:\Windows\SysWOW64\WerFault.exe (PID 5076)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1284 -ip 1284
- C:\Windows\SysWOW64\WerFault.exe (PID 4004)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3048 -ip 3048
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 8c349e3dbf63b1efdaa597d234baacf2
  SHA1: b7057642072b7c8ee674d94647e90af4a1c0a588
  SHA256: 43983e6dc45ebc9d9973ea715b7942357648040853887c4589294335f3e74c46
  SHA512: 5d9fd6f4bf2fc50b58c397ff3462f8fbac60e5aad684a9950ced9ae17554e665ebcc4531419c887a806c148f6ccdcc913ae80c007be294d184a722afef279aaf
- Filesize: 96KB
  MD5: 071eb921cf74bc413480e0c95069a0b5
  SHA1: 651fe962179b21a41fe2464255399df04d4e3f92
  SHA256: c748422eb6d5fbd179608e9291527b476f88811eea23b696beffe3c0b504c90f
  SHA512: 4e59561b2bf2af93ecb7495d01a03f4484fbf18e8c92cd9463e3054cf334cf9e6b3173aca8c677294b14c16904eed737bdd5d31784c463df0ee527d579b92b6d
- Filesize: 96KB
  MD5: 4bd0699aae550ea0c6ed9527a83bbb0c
  SHA1: 04b2ca94009ecbcae7cc380f8d91bb730b8262be
  SHA256: 430c1646cf55100be183fabb3874ed93cf618b8aad52b2c052b59c6f8276b412
  SHA512: 280a9ede3348ce1ffa9571bf7be81d53cb12cffb8a42f0c5f0ec9e9d49c7491ac0022c969cb2056401cdb524e4ced00ce21e8635f48120148381b4a9a00b8e30