Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 04:00
Static task: static1
Behavioral task: behavioral1
Sample: 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Resource: win7-20241010-en
General
Target: 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Size: 96KB
MD5: 7f41359706a5ba9171426ed05726b543
SHA1: 4f18457e3a7b8ef31c19e710c2715848c88a9513
SHA256: 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924
SHA512: c98a04eb685ad7a5fde0cd4212ecec35f66c7835abfe7602a40673098855384e54492cd3fe693fe4aff5144b72fddbbe826085dc1d00ee5fa7a64aa4feb3e557
SSDEEP: 1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L
Malware Config (extracted)
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid  | Process
2256 | omsecor.exe
1524 | omsecor.exe
2752 | omsecor.exe
2852 | omsecor.exe
2712 | omsecor.exe
4368 | omsecor.exe

Drops file in System32 directory (1 IoC)
description  | ioc                             | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                         | pid  | Process                                                              | procid_target
PID 952 set thread context of 2896  | 952  | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe | 83
PID 2256 set thread context of 1524 | 2256 | omsecor.exe                                                          | 87
PID 2752 set thread context of 2852 | 2752 | omsecor.exe                                                          | 109
PID 2712 set thread context of 4368 | 2712 | omsecor.exe                                                          | 113

Program crash (4 IoCs)
pid  | pid_target | Process      | procid_target
1840 | 952        | WerFault.exe | 81
232  | 2256       | WerFault.exe | 85
2324 | 2752       | WerFault.exe | 108
3076 | 2712       | WerFault.exe | 111
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                         | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical rows are collapsed, "rows" gives the number of occurrences)
description                      | pid  | Process                                                              | procid_target | rows
PID 952 wrote to memory of 2896  | 952  | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe | 83            | 5
PID 2896 wrote to memory of 2256 | 2896 | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe | 85            | 3
PID 2256 wrote to memory of 1524 | 2256 | omsecor.exe                                                          | 87            | 5
PID 1524 wrote to memory of 2752 | 1524 | omsecor.exe                                                          | 108           | 3
PID 2752 wrote to memory of 2852 | 2752 | omsecor.exe                                                          | 109           | 5
PID 2852 wrote to memory of 2712 | 2852 | omsecor.exe                                                          | 111           | 3
PID 2712 wrote to memory of 4368 | 2712 | omsecor.exe                                                          | 113           | 5
Processes (indentation shows the parent/child tree; the number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe (PID 952)
    Command line: "C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe (PID 2896)
        Command line: C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2256)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1524)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\omsecor.exe (PID 2752)
                    Command line: C:\Windows\System32\omsecor.exe
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\omsecor.exe (PID 2852)
                        Command line: C:\Windows\SysWOW64\omsecor.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of WriteProcessMemory
                        [7] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2712)
                            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                            - Executes dropped EXE
                            - Suspicious use of SetThreadContext
                            - System Location Discovery: System Language Discovery
                            - Suspicious use of WriteProcessMemory
                            [8] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4368)
                                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                                - Executes dropped EXE
                                - System Location Discovery: System Language Discovery
                            [8] C:\Windows\SysWOW64\WerFault.exe (PID 3076)
                                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 256
                                - Program crash
                    [6] C:\Windows\SysWOW64\WerFault.exe (PID 2324)
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 292
                        - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe (PID 232)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 288
                - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe (PID 1840)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 288
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1480)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4356)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2256 -ip 2256
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2864)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2752 -ip 2752
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4348)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2712 -ip 2712
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 96KB
MD5: e5a6576807938cf6b35bc76e0abba07a
SHA1: dda4fe19ecf9da4e251a6f5b1846c01e7135fdf6
SHA256: e0ccfea697214a97d6a41af4d8ec69da52843df65cace7a35cfe54d71eb78c10
SHA512: 564e977ccf2a109ca9a65e3e0f1f55436f2e68322a87ef8d6650c51ce3eae1b13f34c57def49d3c1492e9f30fc4bf540b29f85d3fd969cf2bd581361aa5ed14d

File 2
Filesize: 96KB
MD5: b0fa627110c763983771f77ddc32f0db
SHA1: 1c206c583dd616f3bd606300380c092b68f813fe
SHA256: aad3f25bb9f6531c5da307ba9b60b4d4a2fbcdd26ef3f51d326ebb09c937fd5f
SHA512: 471d758c3f50ed9a9fd51ba6e5bb3da884f08a193d533aba06bbb80d35220d08291fd5b915521e235387256a538483eb0d84f855e60339cc46834764e3113923

File 3
Filesize: 96KB
MD5: a195654103d913f9ad34f327d3e91550
SHA1: 9f75d9cbc2a09443ff5c835d14b812f0ed58d59e
SHA256: 5d4ec35d2e727be265a1e1142d2b17ea572ede126a8103bbca409663443a81ba
SHA512: bc881e96b2e91132d99d55522300c0f9196fa434a4e59931fb801e5351ac8176a0f62502b8936d92d914571734ff67012501f994024c7dcc3756a36c6e1282f4