Analysis

max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/01/2025, 22:48
Static task: static1
Behavioral task: behavioral1
Sample: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Resource: win7-20240903-en
General

Target: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
Size: 96KB
MD5: 8cf5d2de5a442b238701e0c509d5dbed
SHA1: 5621535b5949f5ab0b93de04939da73d4efb3720
SHA256: 33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b
SHA512: aec251a989d46f3cb7949574b0c46dce0ca003bab515c8b5cae44442411f0deb5d857ebe3a754439ef4aec15287c9367467c799fbeeb01a6216a58e4cbdba35c
SSDEEP: 1536:7nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:7Gs8cd8eXlYairZYqMddH13L
Malware Config

Extracted
Family: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Neconyd family
Executes dropped EXE (6 IoCs)
  PID   Process
  992   omsecor.exe
  1616  omsecor.exe
  4536  omsecor.exe
  4268  omsecor.exe
  3808  omsecor.exe
  2248  omsecor.exe
Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)
  Description                          PID   Process                                                               procid_target
  PID 2780 set thread context of 2848  2780  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe  83
  PID 992 set thread context of 1616   992   omsecor.exe                                                           87
  PID 4536 set thread context of 4268  4536  omsecor.exe                                                           109
  PID 3808 set thread context of 2248  3808  omsecor.exe                                                           113
Program crash (4 IoCs)
  PID   pid_target  Process       procid_target
  2124  2780        WerFault.exe  82
  3868  992         WerFault.exe  85
  548   4536        WerFault.exe  108
  2000  3808        WerFault.exe  111
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, with the number of occurrences in the last column)
  Description                       PID   Process                                                               procid_target  Occurrences
  PID 2780 wrote to memory of 2848  2780  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe  83             5
  PID 2848 wrote to memory of 992   2848  33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe  85             3
  PID 992 wrote to memory of 1616   992   omsecor.exe                                                           87             5
  PID 1616 wrote to memory of 4536  1616  omsecor.exe                                                           108            3
  PID 4536 wrote to memory of 4268  4536  omsecor.exe                                                           109            5
  PID 4268 wrote to memory of 3808  4268  omsecor.exe                                                           111            3
  PID 3808 wrote to memory of 2248  3808  omsecor.exe                                                           113            5
Processes

- C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe"
  PID: 2780
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\33aef9a5f44190dc8c548e93355d80a10fb31093f8c2f3e541c6159bb492832b.exe
    PID: 2848
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 992
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1616
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 4536
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 4268
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 3808
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 2248
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 268
                PID: 2000
                Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 292
            PID: 548
            Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 288
        PID: 3868
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 300
    PID: 2124
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 2780
  PID: 4832
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 992 -ip 992
  PID: 3168
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4536 -ip 4536
  PID: 2152
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3808 -ip 3808
  PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: 905d6ca602937728671429d30b640b45
  SHA1: 3b256cbda0c15566e093e399b19875d2a4e7f3e7
  SHA256: f1b86bf2a16df8d46cb5f76577e529691b4da60461145fc34deecad54b10a68c
  SHA512: 765ca1606143d48ce500a84ed98b56d079b10be8ec86db6e23869401e351c538cb7cf37b84ce6b76fa5a745b2048af3ae2eda3957d22b432c085d59d462d956b
- Filesize: 96KB
  MD5: e6582fd2a53dd0fd69a510709218210c
  SHA1: 9d0785aab0572c6ad1f2c4ac05964cc3fde5b90c
  SHA256: 2eefc66a4a30098447bae464b94a2ec1a8069309a2ac724dfa6146b9a00d7e5b
  SHA512: 2e06bff8aa7a850336edc1ef3ce4cf7e11a776643c6bfd2999fbc5a06b1bdfc54ad7521b04fc240664e58c5e7a3c7f8eae907d56bb739e1dceac181771a180ae
- Filesize: 96KB
  MD5: 906e70e95d01a10f36e9b150c705e151
  SHA1: aed9c33827d8c511c76752ec9631a8dbe521444b
  SHA256: 1ea8fb6be8873fa33dd4c25fc9633d699f791f5e6efd299cbb58f3f4f0d60d19
  SHA512: 59daf3ada31097aa6d13dba591b0c646345445d096fa66edf5ee23d3005100b50a5c109e49665021c610ac3c8e46d9a9605551f5b32c071f8fdfac4fff1a2848