Analysis
  max time kernel:  116s
  max time network: 120s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        31/12/2024, 16:46
Static task:     static1
Behavioral task: behavioral1
  Sample:   61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
  Resource: win7-20240903-en
General
  Target: 61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
  Size:   96KB
  MD5:    f4e9b81146e3a7c76fcd136712d9be40
  SHA1:   e7cffad0e338c3f13e179bc3920d40c144d0d3ed
  SHA256: 61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0ab
  SHA512: 4c3cbd65c12714a99d99e49aa5881c0c0b2bc11587a996df34b052754bd0643af83239087659ddd2458cb92f247109b60a40f65f66d4e716a294956d0f4fa8c5
  SSDEEP: 1536:inAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:iGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
  neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)
  pid   Process
  5064  omsecor.exe
  3008  omsecor.exe
  4452  omsecor.exe
  224   omsecor.exe
  1680  omsecor.exe
  1212  omsecor.exe

- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 4460 set thread context of 4076  4460  61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe  83
  PID 5064 set thread context of 3008  5064  omsecor.exe                                                             88
  PID 4452 set thread context of 224   4452  omsecor.exe                                                             109
  PID 1680 set thread context of 1212  1680  omsecor.exe                                                             113

- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  4112  4460        WerFault.exe  82
  60    5064        WerFault.exe  85
  2388  4452        WerFault.exe  108
  4644  1680        WerFault.exe  111

- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

- Suspicious use of WriteProcessMemory (29 IoCs; identical rows grouped, count given per row)
  description                        pid   Process                                                                 procid_target  count
  PID 4460 wrote to memory of 4076   4460  61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe  83             5
  PID 4076 wrote to memory of 5064   4076  61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe  85             3
  PID 5064 wrote to memory of 3008   5064  omsecor.exe                                                             88             5
  PID 3008 wrote to memory of 4452   3008  omsecor.exe                                                             108            3
  PID 4452 wrote to memory of 224    4452  omsecor.exe                                                             109            5
  PID 224 wrote to memory of 1680    224   omsecor.exe                                                             111            3
  PID 1680 wrote to memory of 1212   1680  omsecor.exe                                                             113            5
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe  (PID:4460, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe  (PID:4076, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID:5064, depth 3)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID:3008, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe  (PID:4452, depth 5)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe  (PID:224, depth 6)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID:1680, depth 7)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID:1212, depth 8)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\WerFault.exe  (PID:4644, depth 8)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 256
                - Program crash

          C:\Windows\SysWOW64\WerFault.exe  (PID:2388, depth 6)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 292
            - Program crash

      C:\Windows\SysWOW64\WerFault.exe  (PID:60, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 252
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID:4112, depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 288
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID:3660, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe  (PID:2564, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe  (PID:4216, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4452 -ip 4452

C:\Windows\SysWOW64\WerFault.exe  (PID:4492, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1680 -ip 1680
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
  MD5:    f4f5a3accfc71dc1a2589a832ce3f872
  SHA1:   689b37479b652ef79e85cf9acc8c71f2235ef497
  SHA256: 8cfd85b6f508b454e3878aeea00d3fe168e0b0d5dda868e9cf375943759dd367
  SHA512: a01f3580b78db6033d4ab04901e3e1f4d4b1450d31525d992a9751ef38eff76df131f08e0247537fc851206b099c546357d40212f929132c397af43adcc2c90a

Filesize: 96KB
  MD5:    ade8001189cc18070d30d77c5dfdce99
  SHA1:   9b33f7b3971ccec383efbff6d30b7a5346b63360
  SHA256: 934d37f15847e569564c9321e60a5f85212c6fa8c63bf2f426e7fad46f47d800
  SHA512: 7f3c4f498d188d4fc4a4a6587e9992b9284d4e7eeb4d4f37610add4aa4b58b2a2f0d18692bde1a3d0f31a8561cc3b3c0db8907d6e28c7231469b080a2ae9fa2b

Filesize: 96KB
  MD5:    b352dbb18f490174a32a30577b3d9f36
  SHA1:   89263e5b2018280ace4eeb6641c411bb42d5794c
  SHA256: 064fe206bf1ca341af26a44f5d5106594d30d86d9edfaadf08fc8d756ecb6043
  SHA512: a3ae710c942d8c9bb12f56151eb344a0d9672d70dd97d60c62fb6ea2fe200ce4d95dec1813041520ae09ff176ec97c3f011e7c45f8445ab02d5ed881fd67332f